Details of unpatched vulnerabilities in Google App Engine revealed

Google is known for playing hardball when it comes to firms fixing security problems -- and now the company itself is being held under the same standard. [UPDATED]
Written by Charlie Osborne, Contributing Writer

Security researchers have publicly disclosed the existence of unpatched vulnerabilities within Google App Engine for Java.

On Friday, Security Explorations revealed the flaws on Full Disclosure. According to the firm's research, a number of vulnerabilities within the Google App Engine for Java allow complete Java VM security sandbox escapes. If escape is achieved, cyberattackers could execute code on underlying systems and processes, including the execution of arbitrary code.

Last year, Security Explorations received a reward of $50,000 from Google for disclosing the existence of multiple security flaws in the Google App Engine for Java. While the research could not be completed -- pending action from the company and due to the suspension of the test GAE account used by the researchers -- it seems the tech giant wasn't so forthright in fixing all of the issues. The security firm said the decision to reveal the vulnerabilities was taken after Google fixed a number of Google App Engine for Java security sandbox bypasses first submitted in December last year, but failed to patch others.

Posted on Friday by Adam Gowdiak, Security Explorations' analysis of security issues in the platform-as-a-service (PaaS) product notes that approximately 30 security vulnerabilities were originally discovered by Security Explorations and later resolved by the tech giant. However, at least five vulnerabilities remain, and Google's radio silence over the past three weeks has led the firm to publicly disclose details of the unpatched issues. The security firm said:

"We need to treat all vendors equal [..] it's been 3 weeks and we haven't heard any official confirmation [or] denial from Google with respect to Issues 37-41. It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.

This especially concerns the vendor that claims its "Security Team has hundreds of security engineers from all over the world" and that expects other vendors to react promptly to the reports of its own security people."

The research only relates to the platform's Java base, although the cloud-based Google App Engine also supports Python, Go and PHP. The platform is used by corporations for building and running applications.

A lack of communication appears to be a major complaint from the security researchers. In respect to two reported flaws, the company said proof-of-concept examples have ceased working, but Google has not been forthright with patch notifications. Instead, "silent fixes" have been issued three times without informing the disclosing party.

Security Explorations also posted three complete GAE Java sandbox escapes as proof-of-concept examples for the remaining vulnerabilities. In relation to two reported flaws, Security Explorations says exploits only gain access to the GAE Java environment, so will most likely not be deemed critical issues as it is the first layer of defense and Google considers the remaining, lower sandboxing layers -- such as the OS sandbox -- "sufficiently robust."

"The irony is that all of the bugs reported to Google so far were specific to the "extra security" layer implemented on top of JRE that aimed to protect GAE against...security vulnerabilities in Java," the team noted, adding:

"At the end, it's worth to note that we are completely aware that this publication may lead to the canceling of additional VRP rewards from Google."

The situation is somewhat ironic. Google's Project Zero security team is known for imposing 90-day deadlines when they discover vulnerabilities in the software of other vendors before going public -- one classic example being the reveal of a Microsoft Windows 8.1 security vulnerability two days before the Redmond giant was due to issue a fix.

Update 18.47 GMT: A Google spokesperson told ZDNet:

"A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We're working with him to mitigate it; users don't need to take any action."

Read on: In the world of security

Editorial standards