News

Security Vulnerabilities Found in Java Version of Google App Engine

• By John K. Waters
• December 16, 2014

Multiple serious vulnerabilities in the Java environment of Google's App Engine (GAE) showed up recently on the radar of researchers at Security Explorations. The flaws in the search giant's platform-as-a-service (PaaS) offering could "allow for a complete Java VM security sandbox escape," the researchers reported on the Full Disclosure mailing list. Escaping the sandbox would allow an attacker to execute code on the underlying system.

Google's App Engine is a cloud platform on which developers can build and run applications. It supports development with Java, Python, Go, PHP and several development frameworks. The Security Explorations investigation focused on the platform's Java implementation.

Using a test account, the researchers managed to bypass GAE's whitelisting of Java Runtime Environment (JRE) classes and achieved complete Java VM security sandbox escape. They were able to issue arbitrary library/system calls, gain access to the binary/class files that comprise the JRE sandbox, which includes the libjavaruntime.so binary, extract DWARF information from binary files, extract PROTOBUF definitions from Java classes extract PROTOBUF definition from binary, and just generally learn a lot about the GAE environment for Java sandbox.

The firm's Adam Gowdiak, who posted the discovery, noted that there are still more issues pending verification -- potentially bringing the number of flaws discovered to more than 30. However, on December 6, the test GAE account used by the firm was suspended by Google, Gowdiak wrote, making it impossible to complete their research on this group of flaws.

"[W]e hope the company makes it possible for us to complete our work and re-enables our GAE account, so that we could in particular: verify the remaining potential vulnerabilities spotted; verify some attack ideas; prepare short report containing the description of the issues found (the results of the evaluation) and deliver it to Google; and share the results of our research with the security community."

In a statement sent to reporters, Google acknowledged the firm's discovery: "We take reports of vulnerabilities in our products very seriously and we are investigating Security Explorations' posting to the Full Disclosure mailing list. We have no reason to believe that customer data and applications are at risk."

Security Explorations acknowledged that Google generally supports the work of security researchers, and did not blame the company for closing the account: "Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.).

These aren't the first Java sandbox vulnerabilities reported this year by the Poland-based security firm. In January 2013, the firm's researchers found 28 multiple vulnerabilities in Oracle's Java Cloud Service, including 16 flaws that would allow an attacker to break the Java security sandbox of a target WebLogic server. An attacker breaking the security sandbox would have access to application deployments and database schemas of other users of the Java cloud service in the same regional data center, and could execute arbitrary Java code on the users' systems.

"The nature of the weaknesses identified in Oracle's service indicates that it was not a subject of a thorough security review and penetration testing prior to the public offering," the firm said at the time. "They illustrate known and widely discussed security risks related to Java. They also expose weak understanding of Java security model and its attack techniques by Oracle engineers."