Free Republic
Browse · Search
General/Chat
Topics · Post Article


More Java holes found in Google App Engine
iTnews AUS ^ | May 18, 2015 12:15 PM (AUS) | Juha Saarinen

Posted on 05/18/2015 10:20:07 PM PDT by Utilizer

Google slow to respond.

A Polish security firm has discovered more vulnerabilities in the Java coding platform used on Google's App Engine (GAE) cloud computing service, which could allow users to get access beyond their own virtual machines.

The Security Explorations team, which has made a name for itself by unearthing large numbers of security holes in Oracle's Java framework over the past few years, said it had reported seven vulnerabilities to Google, along with proof of concept code.

Three of the flaws allow complete bypass of the GAE Java security sandbox. Such a bypass could be used by attackers to glean information about the Java Runtime Environment as well as Google's internal services and protocols to spawn further attacks on the GAE platform itself.

Head of Security Explorations Adam Gowdiak said his company had not heard from Google three weeks after reporting the vulnerabilities.

He criticised the technology giant for taking more than one to two business days to run the proof of concept code provided by Security Explorations and read its report.

Gowdiak expressed surprise at Google's inertia given its aggressive approach to publishing vulnerabilities through its Project X security team.

(Excerpt) Read more at itnews.com.au ...


TOPICS: Computers/Internet
KEYWORDS: apps; evil; evilgoog; evilgoogle; gae; goog; google; java; malware; security; web
More reasons not to use the goog. :S
1 posted on 05/18/2015 10:20:07 PM PDT by Utilizer

To: Utilizer
From http://www.zdnet.com/article/details-of-unpatched-vulnerabilities-in-google-app-engine-revealed/:

"The irony is that all of the bugs reported to Google so far were specific to the "extra security" layer implemented on top of JRE that aimed to protect GAE against...security vulnerabilities in Java," the team noted, adding:

"At the end, it's worth to note that we are completely aware that this publication may lead to the canceling of additional VRP rewards from Google."

Ouch.
2 posted on 05/19/2015 12:28:45 AM PDT by TChad

To: Utilizer
More reasons not to use the goog.

Just to kick the tires, some years ago, I put up an App Engine app. I used Python, Java being way too big of a PITA.

One of my endpoints is /ipAddress. It's kinda handy. Wherever I am, I can hit it, and it echoes back my WAN address (for those of you in Rio Linda, that's your IP address, as seen by the internet, as opposed to your local network).

I still use it. E.g., here's an example:

iploc $(wget -o /dev/null -O - "http://[some name].appspot.com/ipAddress")

What does that do?

Well, it obtains my address via some name, my Google App Engine app, and feeds it to iploc, another little hack I have, which looks it up in the latest version of Maxmind.com's internet location database and tells me where Maxmind thinks I am.

3 posted on 05/19/2015 12:55:19 AM PDT by cynwoody
