Security Firm Discloses Vulnerabilities in Google App Engine for Java

Researchers at Security Explorations Inc. say there are seven unpatched vulnerabilities within the Google App Engine (GAE) for Java, including three complete JVM sandbox escapes, which could allow an attacker to execute malicious code on underlying systems or retrieve sensitive information from Google servers. The firm published the technical details and proof-of-concept (PoC) code for these security issues today; Google had neither confirmed nor denied the existence of the flaws at press time.

The Polish security and vulnerability research firm decided to publish its findings, even though some of the vulnerabilities are still unconfirmed or unpatched, after Google failed to respond to an earlier, private report, said Adam Gowdiak, the firm's CEO and founder.

"It should not take more than 1-2 business days for a major software vendor to run the received PoC, read our report and/or consult the source code," Gowdiak wrote in a blog post. "This especially concerns the vendor that claims its 'Security Team has hundreds of security engineers from all over the world,' and that expects other vendors to react promptly to the reports of its own security people."

GAE for Java allows developers to build Web applications using standard Java and run them on Google's cloud platform. The cloud platform runs the Java Web apps using a Java 7 JVM in a secure, sandboxed environment.

The Security Explorations researchers found 30 vulnerabilities in GAE for Java in December, many of which Google did fix. But the firm discovered seven unpatched flaws and reported them to Google three weeks ago, Gowdiak said. The firm has published the details and PoCs of the flaws, including those sandbox escapes, on the Web.

Google has been rewarding security researchers for finding exploitable flaws in its cloud platform and reporting them responsibly through its Vulnerability Reward Program, and gave $50,000 to Security Explorations for uncovering those 30 flaws last December. Gowdiak acknowledged that his firm's announcement today could threaten additional rewards from Google, including an additional $20,000 his firm was to be paid.

"We need to treat all vendors equal," Gowdiak wrote. "In the past, unconfirmed, denied or silently fixed issues were the subject to an immediate release by us .... Google rewards cannot influence the way a vulnerability handling/disclosure of a security research is made. They cannot be a hostage of any vulnerability reward, bug bounty, etc."

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].