A Poland-based web vulnerability research firm has unearthed several critical vulnerabilities in Google App Engine (GAE) that could be exploited to execute malicious Java code and achieve a complete sandbox escape.
Google App Engine (GAE) is marred by over 30 vulnerabilities, some of which could be exploited by malicious hackers to circumvent its sandbox defense mechanism, according to vulnerability researchers at Security Explorations.
“We discovered multiple security issues in Google App Engine that allow for a complete Java VM security sandbox escape. There are more issues pending verification – we estimate them to be in the range of 30+ in total,” states the security advisory.
Google App Engine is a platform-as-a-service (PaaS) cloud computing platform that allows users to develop and host web applications in Google data centers. Applications in GAE are sandboxed and run across multiple Google servers. The platform is similar to Amazon’s EC2 platform, which allows users to write scalable applications.
The Polish research firm says that the vulnerabilities allow for arbitrary code execution and sandbox escapes. In a Full Disclosure statement, Adam Gowdiak, Security Explorations CEO, said his team was able to prove 17 out of the 22 sandbox escapes, adding that the vulnerabilities could number more than 30.
Researchers managed to bypass GAE’s whitelisting of JRE classes, execute binary code and issue arbitrary system calls, access JRE sandbox files, and extract information from JRE classes, among other exploits listed in the Full Disclosure statement.
Apparently, the researchers poked their fingers too deep into Google’s systems, resulting in the suspension of their GAE account. Gowdiak says he liaised with Google on the matter and hopes that Google will reactivate Security Explorations’ GAE account to enable his team to finish the sandbox tests and prove the remaining vulnerabilities.
“Taking into account an educational nature of the security issues found in GAE Java security sandbox and what seems to be an appreciation Google has for arbitrary security research / all sorts of sandbox escapes, we hope the company makes it possible for us to complete our work and re-enables our GAE account,” Gowdiak added.
Google has acknowledged the reports from Security Explorations and promised to take the necessary measures.
“We take reports of vulnerabilities in our products very seriously and we are investigating Security Explorations’ posting to the Full Disclosure mailing list. We have no reason to believe that customer data and applications are at risk,” said Google’s spokesman in a statement.
Earlier this year, Security Explorations uncovered similar vulnerabilities in the Java Virtual Machine (JVM) used in Oracle Database, allowing hackers to execute arbitrary Java code in a compromised Oracle database. Oracle later released a Critical Patch Update (CPU) to patch the security flaws.