1 min read

Over 30 Vulnerabilities Exposed in Google App Engine

Bianca STANESCU

December 08, 2014

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Over 30 Vulnerabilities Exposed in Google App Engine

Over 30 vulnerabilities that allow hackers to bypass critical security sandbox defenses were discovered in Google App Engine (GAE), according to The Hacker News. Security Explorations researchers identified the series of flaws in the Java environment of Google`s Platform as a Service.

Attackers can exploit the vulnerabilities to achieve a complete Java VM security sandbox escape, as well as to execute arbitrary code, the security experts discovered.

Over 30 Vulnerabilities Exposed in Google App EngineThe research team was able to bypass GAE`s whitelisting of JRE Classes, gaining access to full Java Runtime Environment. From the 22 Java VM security sandbox escape vulnerabilities, 17 were successfully exploited.

The security experts were also able to execute native code, issue arbitrary library/system calls and gain access to the files (binary/classes) comprising the JRE sandbox. They were also able to get DWARF information from binary files, PROTOBUF definitions from Java classes, and PROTOBUF definitions from binary files.

The company didn`t finish its research, as Google suspended the test GAE account.

“Unfortunately, we cannot complete our work due to the suspension of the Ëœtest` GAE account that took place today,” Security Explorations CEO Adam Gowdiak. “Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.).”

GAE offers to run custom-built programs using a wide variety of popular languages and frameworks, including many built on the Java environment.

Security Explorations has already carried out Java research in the past. As Google is usually supportive with the research community, the company believes the tech giant will re-enable their GAE account and allow them to complete the research.

tags


Author



Right now

Top posts

How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find
Silviu STAHIE

November 29, 2022

1 min read
Apple Users Report Seeing Other People's Photos When Using iCloud for Windows Apple Users Report Seeing Other People's Photos When Using iCloud for Windows
Silviu STAHIE

November 25, 2022

1 min read
How SIM Swapping Attacks Work and How to Protect Yourself How SIM Swapping Attacks Work and How to Protect Yourself
Filip TRUȚĂ

November 25, 2022

3 min read