Enterprises that depend on the Google App Engine (GAE) platform may need to rethink how they keep their applications and data safe. According to the firm Security Explorations, the Java side of the platform carries more than 30 distinct security flaws, several of which allow an application to break out of the GAE "Java sandbox." That sandbox is Google's own restriction layer, separate from the security model of a standard Oracle Java runtime; once free of it, an attacker could run code of their choosing on the underlying environment.
Google has been alerted to the flaws and is reportedly considering what to do next. The security firm's GAE account was suspended while it was researching the vulnerabilities, and the firm said it hopes to continue probing the platform's limits once the account is reinstated. Of more than 20 candidate sandbox escapes, the company was able to exploit 17 successfully. Java is only one of the languages GAE supports; Python and Go are among the others.
Speaking to eWeek, Security Explorations' CEO Adam Gowdiak described how Google received the findings. It remains unclear whether Google will ultimately welcome the research, because the firm may have violated the rules of the Google Vulnerability Reward Program in the course of its testing.
"Google is currently looking into the material we delivered to the company," he said. "We don't know of any other status regarding the reported issues." In addition, a Google spokesperson has said that there is so far no evidence of threats against user data or applications.
More detail is needed before the real severity of these flaws can be judged, but the episode is a reminder that a hosted platform's sandbox is a control the customer neither owns nor can patch. Businesses can take it as one more reason to run legacy applications through an environment that does not depend on Java, which removes this class of vulnerability from their exposure.