A Polish research group claims there are still several outstanding vulnerabilities in Google App Engine for Java, including three complete Java sandbox escapes. After three weeks of radio silence from Google, the group decided on Friday to disclose the vulnerabilities, along with proof-of-concept code.
The code doesn’t break the sandbox, but does result in partial GAE bypass and could allow an attacker to gain access to GAE’s Java environment.
Security Explorations, the company that found the issues, said the bugs largely stem from the incorrect implementation of several methods and missing security checks in the App Engine.
Adam Gowdiak, Security Explorations’ founder and CEO, made several digs at Google, calling out the company’s delay in response time, in a post to Full Disclosure and other sites Friday morning.
“It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code,” Gowdiak wrote. “This especially concerns the vendor that claims its ‘Security Team has hundreds of security engineers from all over the world.’”
Gowdiak adds that several proof of concept codes that he sent to Google stopped working in a production version of GAE, but that Google hasn’t actually confirmed that it fixed the issues. If the issues were fixed, he claims it would be the third time Google silently fixed vulnerabilities his company has brought to its attention.
Ironically, Security Explorations claims that all of the bugs it has reported to Google have pertained to the “extra security” layer implemented on top of the JRE, which is supposed to protect GAE against Java vulnerabilities.
Google previously addressed a crop of more than 30 issues in App Engine that Gowdiak and company highlighted last year. Security Explorations had to petition to have its test account restored after Google suspended it while the company’s researchers were looking into the issues. The account was eventually reinstated and Security Explorations was rewarded with $50,000 for 23 of the 30 vulnerabilities it filed. Google admitted that these vulnerabilities took advantage of “insufficient” auditing of the privileged Java classes.
An email request for comment to Google regarding the latest GAE vulnerabilities was not immediately returned on Friday.
App Engine is mainly used by customers to run their own apps, including those built in Python and Java, on Google’s cloud.