Hello All,

We would like to provide a status update to the initial announcement [1] made a week ago regarding our SE-2014-02 security research project targeting Google App Engine for Java.

Information regarding vulnerabilities and associated PoC codes (Issues 1-22 / unconfirmed Issues 23-35) was sent to Google on Dec 07, 2014.

Google has been able to reproduce the issues locally, but when tried in production some of them didn't seem to work (27 unexploitable issues with barely 7 candidates to work).

The reason was that our custom local GAE environment didn't properly emulate Google App Engine production environment (we did check availability of selected classes, but in this particular class loader case, not all classpath JAR files were immediately available to user code in production GAE).

At the same time, Google said that it would be OK for the company that we continue the research as long as it is done within the Java VM and not moved on to the next sandboxing layer (OS sandbox).

We agreed and 5 days ago started playing with GAE again. We used those extra days to discover new issues in GAE Java sandbox, rewrite old / develop new POC codes and gather the necessary data for a planned publication on the topic.

We ended up with 21 Issues "confirmed in production" (and pending Google confirmation) with some quite interesting findings among them (i.e. in core GAE Java security layer).

Being back on track, we can now refer you to the official SE-2014-02 project pages that present a summary of our communication process with the vendors and a project FAQ:

http://www.security-explorations.com/en/SE-2014-02-status.html
http://www.security-explorations.com/en/SE-2014-02-faq.html

We take this opportunity to thank Google for reenabling our GAE account and making it possible to complete our project. We really appreciate it.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] [SE-2014-02] Google App Engine Java security sandbox bypasses (project pending completion / action from Google)
    http://seclists.org/fulldisclosure/2014/Dec/26