Researchers at Poland-based vulnerability research company Security Explorations have identified several flaws in Google App Engine for Java, including ones that can be leveraged for a complete sandbox escape.
The Google App Engine, which is part of the Google Cloud Platform, is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their applications on Google’s scalable infrastructure. The platform is utilized by companies such as Rovio, Best Buy and Feedly. In the case of App Engine for Java, Google says Java Web application are executed using a Java 7 Virtual Machine (JVM) in a safe “sandboxed” environment.
While some of the issues are yet to be verified, Security Explorations believes there are more than 30 vulnerabilities. Researchers say they’ve bypassed Google App Engine whitelisting of Java Runtime Environment (JRE) classes and achieved a complete JVM security sandbox escape.
Adam Gowdiak, CEO of Security Explorations, revealed in a post on the Full Disclosure mailing list that they have developed a total of 17 proof-of-concept exploits for full sandbox bypass by leveraging a total of 22 bugs.
Gowdiak says they have also managed to issue arbitrary library and system calls (native code execution). During their research, the experts gained access to files comprising the JRE sandbox, including the libjavaruntime.so binary, and they extracted various pieces of valuable information from Java classes and binary files.
Google has suspended the researchers’ test account, but Gowdiak hopes the company will allow them to complete their tests in order to verify attack ideas and some potential security issues that have been spotted.
“Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.),” Gowdiak explained in his brief report.
Gowdiak told SecurityWeek that Google contacted his firm on Saturday. On Sunday evening, Security Explorations provided the results of its research to Google, which confirmed receiving the information. The search engine company informed researchers today that it has started analyzing the issues.
In June, Security Explorations reported uncovering a total of 22 vulnerabilities in the custom JVM implementation used in Oracle Database. Oracle addressed the security holes with the release of the company’s October Critical Patch Update (CPU).