Multiple vulnerabilities found in Google App Engine

Number: IRCNE2014122393
Date: 2014/12/09

According to ZDNet, researchers from Security Explorations report that they have found multiple serious vulnerabilities in the Java environment of the Google App Engine, part of the Google Cloud Platform.
Google App Engine is the company's PaaS (Platform as a Service) offering for running custom-built programs using a wide variety of popular languages and frameworks. Many of these are built on the Java environment.
Security Explorations says that the vulnerabilities allow for a complete Java VM security sandbox escape as well as arbitrary code execution. They have been unable to finish their research because Google suspended their test Google App Engine account.
The Google App Engine allows access only to a subset, called the JRE Class White List, of JRE Standard Edition classes. The researchers were able to break out of this whitelist and gain access to the full JRE. They found 22 full sandbox escape issues and were able to exploit 17 of them. They were able to execute native code, specifically to issue arbitrary library/system calls and to gain access to the files comprising the JRE sandbox.
