Multiple vulnerabilities found in Google App Engine

[UPDATED] Researchers find many security holes in the Java parts of Google's Platform as a Service offering, but get kicked off the service before finishing.

Researchers from Security Explorations report that they have found multiple serious vulnerabilities in the Java environment of the Google App Engine, part of the Google Cloud Platform.

Update on December 8: We received this statement from a Google spokesperson: "We take reports of vulnerabilities in our products very seriously and we are investigating Security Explorations' posting to the Full Disclosure mailing list. We have no reason to believe that customer data and applications are at risk."

Google App Engine is the company's PaaS (Platform as a Service) offering for running custom-built programs using a wide variety of popular languages and frameworks. Many of these are built on the Java environment.

Security Explorations says that the vulnerabilities allow for a complete Java VM security sandbox escape as well as arbitrary code execution. In all, the researchers believe that the number of issues is "30+ in total." They have been unable to finish their research because Google suspended their test Google App Engine account.

Google's actions are not unreasonable and Security Explorations admits as much:

Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.).

They hope, they say, that Google will allow them to complete their work, as Google has generally been supportive of and helpful to the security research community.

The Google App Engine allows access only to a subset, called the JRE Class White List, of JRE Standard Edition classes. The researchers were able to break out of this whitelist and gain access to the full JRE. They found 22 full sandbox escape issues and were able to exploit 17 of them. They were able to execute native code, specifically to issue arbitrary library/system calls and to gain access to the files comprising the JRE sandbox.

Update on December 8: After further analysis it is clear that Google's take-down of the account is proof that they have other security measures in place. It's reasonable to assume that some of Google's other measures would mitigate some of the attacks, at least in some circumstances. The Security Explorations satement that Google has a good relationship with the security research community is undoubtedly true, as evidenced by a great deal of prior cooperation and a good-sized bug bounty program.