A Polish research group claims there are still several outstanding vulnerabilities in Google App Engines for Java, including three complete Java sandbox escapes. After three weeks of radio silence from Google, it decided to disclose on Friday the vulnerabilities, along with proof of concept code.
The code doesn’t break the sandbox, but does result in partial GAE bypass and could allow an attacker to gain access to GAE’s Java environment.
