Security Firm Releases Details of Unpatched Google App Engine Flaws

Security Explorations has published details and proof-of-concept (PoC) code for several unconfirmed and unpatched vulnerabilities impacting Google App Engine for Java.

Leveraged by companies such as Rovio, Best Buy and Feedly, Google App Engine is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their apps on Google’s infrastructure.

Poland-based Security Explorations started analyzing Google App Engine for Java back in October 2012, but had to postpone the project several times. In October 2014, the company resumed the project and in December it announced uncovering more than 30 vulnerabilities, including ones that could be exploited for a complete sandbox bypass.

The security firm now says it has identified and reported a total of 41 issues; if unverified bugs and ones fixed internally by Google are also counted, the total exceeds 50.

“That does not speak well about Google GAE engineers and their Java security skills in particular,” Security Explorations founder and CEO Adam Gowdiak told SecurityWeek.

So far Google has confirmed a total of 36 vulnerabilities. The search giant told Security Explorations in March that 31 of the issues were addressed. However, the security firm determined that a few of them were actually left unpatched.

In mid-March, Security Explorations published details and PoC code for 31 of the bugs Google said it had fixed. On May 6, the security company released the details for an additional three flaws. Today, May 15, the details and PoCs for seven additional issues (three complete GAE Java sandbox escapes) have been made available, despite the fact that some of them are still unconfirmed or unpatched.

Some of the vulnerabilities detailed by Security Explorations can be exploited on their own to achieve a complete sandbox escape. Others, including the ones detailed today, only lead to a full escape when chained together.

The company has pointed out that while the flaws cannot be exploited to compromise Google App Engine users’ data and applications, they can be leveraged to bypass security restrictions, including whitelisting of JRE classes and the Java VM security sandbox.

In a post on Full Disclosure, Gowdiak noted that the company had not received any confirmation from Google regarding the status of the remaining vulnerabilities in three weeks, and that at least two of the issues had been fixed silently.

“It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code. This especially concerns the vendor that claims its ‘Security Team has hundreds of security engineers from all over the world’ and that expects other vendors to react promptly to the reports of its own security people,” Gowdiak wrote.

Google has decided to award Security Explorations a total of $70,000 for responsibly disclosing the vulnerabilities. Of this sum, $50,000 was paid to the security firm’s account on March 20, almost three months after the reward was announced and four days after a comprehensive 71-page report detailing 31 of the issues was released.

Security Explorations says it’s aware that publishing the details and PoC code for unpatched and unconfirmed vulnerabilities might make Google decide not to pay out the remaining $20,000, but the company believes that “rewards cannot influence the way a vulnerability handling/disclosure of a security research is made.”

“We need to treat all vendors equally. In the past, unconfirmed, denied or silently fixed issues were subject to an immediate release by us,” Gowdiak said.

Google could not immediately be reached for comment.

Up until February, Google had a strict vulnerability disclosure policy that gave vendors 90 days to patch security issues reported to them by the search giant. After being criticized for disclosing three vulnerabilities in Microsoft products, including one that was patched shortly after the public disclosure, Google decided to make some changes to its policy.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.