14 DAY TRIAL // A security company disclosed to the public on Friday code for exploiting several vulnerabilities in Google App Engine (GAE) for Java that would allow an attacker complete Java VM security sandbox escape.
GAE is used for hosting and running web applications of a user on a server infrastructure from Google. Since apps from multiple users are executed on the same infrastructure, security is enforced by running them in isolated environments.
Among the companies that rely on the App Engine cloud platform is Feedly, the online feed reader service, which employs the infrastructure as a dynamic content delivery network for all static content.
Some of the flaws have not been confirmed
Security Explorations, a company from Poland, investigated GAE on and off since 2012 and in December 2014 informed Google of multiple vulnerabilities.
The investigation continued, though, and more security issues were uncovered and reported to the search giant. However, some of them have not been confirmed by the vendor, and some remained unpatched.
Today, Security Explorations published three proof-of-concept (PoC) codes for GAE Java security sandbox bypasses. Exploiting the flaws does not provide access outside the operating system sandbox, a second layer of security on the cloud platform.
The reason for this reaction is lack of response from Google regarding the vulnerability reports from the security company, as well as patching some of the issues without any notification.
Silent patching and lack of communication
Adam Gowdiak, Security Explorations CEO, said that three weeks had passed without hearing a thing from Google about the responsible disclosure.
“It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code. This especially concerns the vendor that claims its ‘Security Team has hundreds of security engineers from all over the world’,” he said in an advisory.
More than this, he noticed that some of the PoCs no longer worked in a production GAE, which suggests that the problems had been fixed.
CEO thinks previous reward may be invalidated
Security Explorations authored a 71-page report with the flaws they found, including exploit codes for a number of glitches, intended for educational purposes only.
For a previous disclosure of multiple vulnerabilities in GAE, part of the same investigation, the company has already received a $50,000 / €44,000 bug bounty. An additional $20,000 / €17,500 has also been awarded, but Google did not release the funds yet.
Gowdiak expects that this reward would be cancelled following today’s disclosure of the vulnerabilities and the PoC code.