
Security Firm Releases Details of Unpatched Google App Engine Flaws

Security Explorations has published details and proof-of-concept (PoC) code for several unconfirmed and unpatched vulnerabilities impacting Google App Engine for Java.

Leveraged by companies such as Rovio, Best Buy and Feedly, Google App Engine is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their apps on Google’s infrastructure.

Poland-based Security Explorations started analyzing Google App Engine for Java back in October 2012, but had to postpone the project several times. In October 2014, the company resumed the project, and in December it announced that it had uncovered more than 30 vulnerabilities, including some that could be exploited for a complete sandbox bypass.

The security firm now says it has identified and reported a total of 41 issues, but if unverified bugs and ones fixed internally by Google are taken into consideration, the count would reach over 50.

“That does not speak well about Google GAE engineers and their Java security skills in particular,” Security Explorations founder and CEO Adam Gowdiak told SecurityWeek.

So far Google has confirmed a total of 36 vulnerabilities. The search giant told Security Explorations in March that 31 of the issues were addressed. However, the security firm determined that a few of them were actually left unpatched.

In mid-March, Security Explorations published details and PoC code for 31 of the bugs Google said it had fixed. On May 6, the security company released the details for an additional three flaws. Today, May 15, the details and PoCs for seven additional issues (three complete GAE Java sandbox escapes) have been made available, despite the fact that some of them are still unconfirmed or unpatched.

Some of the vulnerabilities detailed by Security Explorations can be exploited on their own to achieve a complete sandbox escape. Others, including the ones detailed today, need to be chained together to achieve this goal.

The company has pointed out that while the flaws cannot be exploited to compromise Google App Engine users’ data and applications, they can be leveraged to bypass security restrictions, including whitelisting of JRE classes and the Java VM security sandbox.

In a post on Full Disclosure, Gowdiak noted that the company has not received any confirmation from Google regarding the status of the remaining vulnerabilities in three weeks, and that at least two of the issues have been fixed silently.

“It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code. This especially concerns the vendor that claims its ‘Security Team has hundreds of security engineers from all over the world’ and that expects other vendors to react promptly to the reports of its own security people,” Gowdiak wrote.

Google has decided to award Security Explorations a total of $70,000 for responsibly disclosing the vulnerabilities. Of this sum, $50,000 was paid to the security firm’s account on March 20, almost three months after the reward was announced and four days after a comprehensive 71-page report detailing 31 of the issues was released.

Security Explorations says it’s aware that publishing the details and PoC code for unpatched and unconfirmed vulnerabilities might make Google decide not to pay out the remaining $20,000, but the company believes that “rewards cannot influence the way a vulnerability handling/disclosure of a security research is made.”

“We need to treat all vendors equally. In the past, unconfirmed, denied or silently fixed issues were subject to an immediate release by us,” Gowdiak said.

Google could not immediately be reached for comment.

Up until February, Google had a strict vulnerability disclosure policy that gave vendors 90 days to patch security issues reported to them by the search giant. After being criticized for disclosing three vulnerabilities in Microsoft products, including one that was patched shortly after the public disclosure, Google decided to make some changes to its policy.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.