Google App Engine vulnerable to Java VM sandbox bypass: report

Google is investigating reports that its App Engine cloud development and application hosting platform may be vulnerable to multiple attacks that bypass the Oracle Java security sandbox meant to prevent users from having access beyond their virtual machines.

According to a post to the Full Disclosure information security mailing list, reseach firm Security Explorations found Google App Engine may have over 30 flaws that allow attackers to, among other things, issue arbitrary system and library calls.

The Google App Engine Platform-as-a-Service uses Oracle's Java 7 as the development environment to build web applications. Over the past few years, hundreds of exploitable flaws have been found in Java, to the point that the Australian Signals Directorate security agency named the development platform a growing threat for the country.

Security Explorations principal researcher Adam Gowdiak told iTnews a Google App Engine account was required to exploit the vulnerabilities, but once the Java security sandbox is bypassed, an attacker could learn a great deal about Google internals and start playing with the operating system sandbox as well.

Gowdiak said it was difficult to judge how serious the Java sandbox bypass vulnerabilities were.

"We broke out of GAE Java security sandbox and gained native code execution in the environment. We didn't go beyond another sandbox layer (OS sandbox), we didn't get access to other GAE users' data," Gowdiak said.

However, before the researchers were able to complete their testing, Google detected what they were doing and kicked them out of their App Engine account.

"Upon logging into our "test" App Engine account we received information that the account was suspended due to "the perceived violation of either Google terms of service or product-specific terms of service"."

Gowdiak said he hoped Google would reinstate his App Engine account to allow his team to continue the work started to verify the vulnerabilities found.

A Google spokesperson said the company was looking into the potential Java security issues.

"We take reports of vulnerabilities in our products very seriously and we are investigating Security Explorations’ posting to the Full Disclosure mailing list. We have no reason to believe that customer data and applications are at risk,” the spokesperson told iTnews.