12/09/2014

java is the low hanging (rotten) fruit of the Google App engine

"According to the security firm, the flaws can be exploited by attackers to achieve a complete Java VM security sandbox escape, as well as to execute an arbitrary code. The researchers estimate that the number of issues is "30+ in total."

 

By exploiting the vulnerabilities, security researchers were able to bypass Google App Engine whitelisting of JRE Classes and gain access to full JRE (Java Runtime Environment). They discovered 22 full Java VM security sandbox escape issues and were able to exploit 17 of them successfully.

 

Moreover, the researchers were able to execute native code, specifically to issue arbitrary library/system calls and to gain access to the files (binary/classes) comprising the JRE sandbox. They even siphoned off DWARF information from binary files, PROTOBUF definitions from Java classes and PROTOBUF definition from binary files among others.

 

However, the researchers have been unable to finish their research because Google suspended their test Google App Engine account.

http://thehackernews.com/2014/12/google-app-engine-hostin...

it is a bit cloudy with heavy storms expecting in some programming and security departments while it will be icy in the managmentsdepartments of Google App Engine 

sunshine is expected later this week when the securityresearchers and Google exchange their results and start working on solutions 

I never liked Java because I think it is too open and too insecure and maybe I will like it when they change course the way Microsoft did one day and become more closed, better monitored and with a huge security infrastructure and a set of clear procedures and frequent updates 

Permalink | |  Print |  Facebook | | | | Pin it! |

The comments are closed.