Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as had been agreed, Gowdiak said.
The nature of the issues identified indicates that the service was not subjected to a thorough security review and penetration test prior to being publicly launched, Gowdiak said. The vulnerabilities also expose a weak understanding of the Java security model and attack techniques by Oracle engineers, he said.
In an email sent to the Full Disclosure security mailing list Tuesday, the Security Explorations researchers encouraged Oracle Java Cloud customers with accounts in the US1 or EMEA1 centers to request refunds based on unsatisfactory security levels.
Oracle did not immediately respond to a request for comment Wednesday.