A customisation that Google made to Google App Engine (GAE) for Java is still raising security concerns. The latest vulnerability in Java SE was patched this week by Oracle.
The flaw was also found to be present in Google's platform-as-a-service offering after being privately discovered by Java bug hunters from Security Explorations, a Polish security consultancy.
The vulnerability is another sandbox escape, originating in Oracle code in the Java HotSpot Virtual Machine. Oracle describes the HotSpot VM as the core of Java, the component that implements the Java VM specification.
Because of a customisation by Google, the vulnerability can be exploited in a simple way in Google App Engine, according to Security Explorations founder and CEO Adam Gowdiak. The exploit is simple because of changes to the Java security model that Google agreed to enforce in its environment.
“They are not allowed by the standard Java security model due to the huge security risks associated with them,” Gowdiak said. “Many of the issues we discovered in GAE over the recent year were exploiting this ‘feature’ of Google App Engine.”
The vulnerability is an “improper initialisation of non-public interface method slots” that leads to a partial security bypass in Java SE 7 and a complete sandbox bypass in Google App Engine. It affects GAE for Java and its first sandboxing layer (the sandbox Google built on top of the JRE to prevent malicious Java apps from exploiting Java flaws), Gowdiak said.
An attacker needs a specially crafted, malicious Java applet in order to exploit the vulnerability and escape the two sandboxes.
As a result, the attacker can gain plenty of information about the JRE sandbox and about Google's internal services and protocols. Gowdiak also explained that the vulnerability appears to be a good starting point for attacks against the OS sandbox and the RPC services visible to the sandboxed Java environment.
The HotSpot Virtual Machine flaw was one of two dozen that Oracle patched in Java SE. Seven of the patches are rated critical by Oracle because the flaws they fix can lead to a full compromise.
Gowdiak said in a post, “Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox/issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself).”