Google App Engine Contains Serious Flaws, Researchers Warn
The Google App Engine, the development platform that enables customers to run web applications on the company’s massive cloud infrastructure, contains critical vulnerabilities, including weaknesses that enable attackers to bypass the Java sandbox, a serious security lapse.
Researchers at Security Explorations identified at least two dozen vulnerabilities in the platform, which enable apps built in Python and Java to run on the cloud infrastructure. Adam Gowdiak, who heads the research firm, posted an advisory this past weekend on the Full Disclosure mailing list, warning that his team identified and developed proof-of-concept code that can exploit 17 vulnerabilities, enabling the complete bypass of the Java Virtual Machine security sandbox. Other weaknesses enable code execution, the bypassing of white-listing restrictions, and the ability to alter objects and manipulate application functionality.
In the company’s advisory, Gowdiak said Google yanked the company’s test account set up to identify the weaknesses after his team ramped up its aggressive testing of the sandbox environment. More issues are ’pending verification,’ he said. ’We hope the company makes it possible for us to complete our work and re-enables our GAE account.’
Google App Engine customers do not need to take any action and the reported vulnerability is believed to be only in a top layer of the company's security.
A Google spokesperson said the company's engineers were continuing to investigate Security Explorations’ posting to the Full Disclosure mailing list. "We have no reason to believe that customer data and applications are at risk," the Google spokesperson said.
The Mountain View, Calif.-based computing giant has been bolstering its cloud services in recent months to aggressively go after enterprise customers. The company has been investing in more functionality and reducing prices to appeal to cash-strapped organizations that would rather pay a recurring monthly fee. Gowdiak said his team hopes to verify the validity of other issues, test several other attack ideas and prepare a short report containing a thorough description of the issues.
The findings uncovered by Security Explorations come as no surprise to those helping organizations adopt cloud services or deploy web applications. Google, Microsoft and Amazon know that vigilance in securing these platforms is a part of being in the business, said Pete Zarras, president and CEO of CloudStrategies LLC. Organizations are still better off trusting in cloud infrastructure providers that have the resources to address serious vulnerabilities and can expedite the process of investigating and fixing them, Zarras said.
"The industry has overwhelmingly come to the consensus that most vulnerabilities exist from within, anyway, and there is nothing worse than having data in an unpatched environment," Zarras said. "The larger providers are in a better position to secure their environments than a small business with limited resources."
The Java Virtual Machine has had vulnerabilities and weaknesses that can be introduced into widely used web applications, said Marshall Butler, vice president of sales at DMD Data Systems in Louisville, Ken. Many of the vulnerabilities get introduced from within the browser components on the client’s machine, Butler said, adding that Java’s ongoing weaknesses have forced organizations to turn to alternative development platforms.
"A lot of our customers don't want to use it anymore for their app development,’ Butler said. "We do feel like customers that have their business out there in the cloud have to be aware of these vulnerabilities."
PUBLISHED DEC. 9, 2014