Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Google App Engine Plagued by Tens of Vulnerabilities: Researchers

Researchers at Poland-based vulnerability research company Security Explorations have identified several flaws in Google App Engine for Java, including ones that can be leveraged for a complete sandbox escape.

Researchers at Poland-based vulnerability research company Security Explorations have identified several flaws in Google App Engine for Java, including ones that can be leveraged for a complete sandbox escape.

The Google App Engine, which is part of the Google Cloud Platform, is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their applications on Google’s scalable infrastructure. The platform is utilized by companies such as Rovio, Best Buy and Feedly. In the case of App Engine for Java, Google says Java Web application are executed using a Java 7 Virtual Machine (JVM) in a safe “sandboxed” environment.

While some of the issues are yet to be verified, Security Explorations believes there are more than 30 vulnerabilities. Researchers say they’ve bypassed Google App Engine whitelisting of Java Runtime Environment (JRE) classes and achieved a complete JVM security sandbox escape.

Adam Gowdiak, CEO of Security Explorations, revealed in a post on the Full Disclosure mailing list that they have developed a total of 17 proof-of-concept exploits for full sandbox bypass by leveraging a total of 22 bugs.

Gowdiak says they have also managed to issue arbitrary library and system calls (native code execution). During their research, the experts gained access to files comprising the JRE sandbox, including the binary, and they extracted various pieces of valuable information from Java classes and binary files.

Google has suspended the researchers’ test account, but Gowdiak hopes the company will allow them to complete their tests in order to verify attack ideas and some potential security issues that have been spotted.

“Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.),” Gowdiak explained in his brief report.

Gowdiak told SecurityWeek that Google contacted his firm on Saturday. On Sunday evening, Security Explorations provided the results of its research to Google, which confirmed receiving the information. The search engine company informed researchers today that it has started analyzing the issues.

In June, Security Explorations reported uncovering a total of 22 vulnerabilities in the custom JVM implementation used in Oracle Database. Oracle addressed the security holes with the release of the company’s October Critical Patch Update (CPU).


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.