SecurityWeek

Security Firm Releases Details of Unpatched Google App Engine Flaws

Security Explorations has published details and proof-of-concept (PoC) code for several unconfirmed and unpatched vulnerabilities impacting Google App Engine for Java.

Leveraged by companies such as Rovio, Best Buy and Feedly, Google App Engine is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their apps on Google’s infrastructure.

Poland-based Security Explorations started analyzing Google App Engine for Java back in October 2012, but had to postpone the project several times. In October 2014, the company resumed the project, and in December it announced that it had uncovered more than 30 vulnerabilities, including ones that could be exploited for a complete sandbox bypass.

The security firm now says it has identified and reported a total of 41 issues, but if unverified bugs and ones fixed internally by Google are taken into consideration the count would reach over 50.

“That does not speak well about Google GAE engineers and their Java security skills in particular,” Security Explorations founder and CEO Adam Gowdiak told SecurityWeek.

So far Google has confirmed a total of 36 vulnerabilities. The search giant told Security Explorations in March that 31 of the issues were addressed. However, the security firm determined that a few of them were actually left unpatched.

In mid-March, Security Explorations published details and PoC code for 31 of the bugs Google said it had fixed. On May 6, the security company released the details for an additional three flaws. Today, May 15, the details and PoCs for seven additional issues (three complete GAE Java sandbox escapes) have been made available, despite the fact that some of them are still unconfirmed or unpatched.

Some of the vulnerabilities detailed by Security Explorations can be exploited on their own to achieve a complete sandbox escape. Others, including the ones detailed today, need to be chained together to achieve this goal.

The company has pointed out that while the flaws cannot be exploited to compromise Google App Engine users’ data and applications, they can be leveraged to bypass security restrictions, including whitelisting of JRE classes and the Java VM security sandbox.

In a post on Full Disclosure, Gowdiak noted that the company had not received any confirmation from Google regarding the status of the remaining vulnerabilities in three weeks, and that at least two of the issues had been fixed silently.

“It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code. This especially concerns the vendor that claims its ‘Security Team has hundreds of security engineers from all over the world’ and that expects other vendors to react promptly to the reports of its own security people,” Gowdiak wrote.

Google has decided to award Security Explorations a total of $70,000 for responsibly disclosing the vulnerabilities. Of this sum, $50,000 were paid to the security firm’s account on March 20, almost three months after the reward was announced and four days after a comprehensive 71-page report detailing 31 of the issues was released.

Security Explorations says it’s aware that publishing the details and PoC code for unpatched and unconfirmed vulnerabilities might make Google decide not to pay out the remaining $20,000, but the company believes that “rewards cannot influence the way a vulnerability handling/disclosure of a security research is made.”

“We need to treat all vendors equally. In the past, unconfirmed, denied or silently fixed issues were subject to an immediate release by us,” Gowdiak said.

Google could not immediately be reached for comment.

Up until February, Google had a strict vulnerability disclosure policy that gave vendors 90 days to patch security issues reported to them by the search giant. After being criticized for disclosing three vulnerabilities in Microsoft products, including one that was patched shortly after the public disclosure, Google decided to make some changes to its policy.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
