More Java holes found in Google App Engine

A Polish security firm has discovered more vulnerabilities in the Java coding platform used on Google's App Engine (GAE) cloud computing service, which could allow users to get access beyond their own virtual machines.

The Security Explorations team, which has made a name for itself by unearthing large numbers of security holes in Oracle's Java framework over the past few years, said it had reported seven vulnerabilities to Google, along with proof of concept code.

Three of the flaws allow complete bypass of the GAE Java security sandbox. Such a bypass could be used by attackers to glean information about the Java Runtime Environment as well as Google's internal services and protocols to spawn further attacks on the GAE platform itself.

Head of Security Explorations Adam Gowdiak said his company had not heard from Google three weeks after reporting the vulnerabilites.

He criticised the technology giant for taking more than one to two business days to run the proof of concept code provided by Security Explorations and read its report.

Gowdiak expressed surprise at Google's inertia given its aggressive approach to publishing vulnerabilities through its Project X security team.

"This especially concerns the vendor that claims its 'security team has hundreds of security engineers from all over the world' and that expects other vendors to react promptly to the reports of its own security people," Gowdiak wrote.

Gowdiak said he believed at least two of the vulnerabilities discovered by Security Explorations had been fixed quietly without acknowledgement.

"This is the third time we experience this 'silent fix' approach from [Google]," Gowdiak wrote.

Security Explorations won the largest ever bug bounty, US$50,000, from Google's vulnerability reporting program (VRP) in December last year, after finding 30 flaws in App Engine.

Gowdiak said his company was aware that the publication of the new flaws could jeopardise and even cancel additional VRP rewards from Google, including a US$20,000 bounty to be handed over for the discovery of five vulnerabilities discovered prior to the latest set of bugs.

Nevertheless, Gowdiak said the prospect of earning bug bounties shold not influence security researchers, and claimed he was prepared to forgo the money.

“A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine," a Google spokesperson told iTnews.

"We’re working with him to mitigate it; users don’t need to take any action.”

Update: Gowdiak told iTnews Google had fixes to be rolled out for two of the vulnerabilities, with six others being tested currently. One is not being remedied at this stage as it is of low security concern.

Google has also proposed to improve the handling of vulnerability reports from Security Explorations, Gowdiak said.