The Google App Engine, the development platform that enables customers to run web applications on the company’s massive cloud infrastructure, contains critical vulnerabilities, including weaknesses that enable attackers to bypass the Java sandbox - a serious security lapse.
Researchers at Security Explorations identified at least two dozen vulnerabilities in the platform, which enable apps built in Python and Java to run on the cloud infrastructure.
Adam Gowdiak, who heads the research firm, posted an advisory this past weekend on the Full Disclosure mailing list, warning that his team identified and developed proof-of-concept code that can exploit 17 vulnerabilities, enabling the complete bypass of the Java Virtual Machine security sandbox. Other weaknesses enable code execution, the bypassing of white-listing restrictions, and the ability to alter objects and manipulate application functionality.
In the company’s advisory, Gowdiak said Google yanked the company’s test account set up to identify the weaknesses after his team ramped up its aggressive testing of the sandbox environment. More issues are “pending verification”, he said. “We hope the company makes it possible for us to complete our work and re-enables our GAE account.”
Google did not respond to a CRN request for comment. The computing giant has been bolstering its cloud services in recent months to aggressively go after enterprise customers. The company has been investing in more functionality and reducing prices to appeal to cash-strapped organisations that would rather pay a recurring monthly fee. Gowdiak said his team hopes to verify the validity of other issues, test several other attack ideas and prepare a short report containing a thorough description of the issues.
The findings uncovered by Security Explorations come as no surprise to those helping organisations adopt cloud services or deploy web applications. Google, Microsoft and Amazon know that vigilance in securing these platforms is a part of being in the business, said Pete Zarras, chief executive of CloudStrategies.
Organisations are still better off trusting in cloud infrastructure providers that have the resources to address serious vulnerabilities and can expedite the process of investigating and fixing them, Zarras said.
"The industry has overwhelmingly come to the consensus that most vulnerabilities exist from within, anyway, and there is nothing worse than having data in an unpatched environment," Zarras said. "The larger providers are in a better position to secure their environments than a small business with limited resources."
This article originally appeared at crn.com