The Proof of Concept code for the unpatched Issues allows to gain access to the GAE Java environment only (it does not break the OS sandbox). Google App Engine Java VM is the first layer of defense and Google “considers the remaining, lower sandboxing layers sufficiently robust”
Read the security advisory here – http://seclists.org/fulldisclosure/2015/May/61