Critical severity · NVD Advisory · Published Nov 24, 2020 · Updated Feb 13, 2025

Remote Code Execution in Apache Unomi

CVE-2020-13942

Description

Apache Unomi prior to 1.5.2 allows remote code execution via OGNL or MVEL script injection in the /context.json endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability overview

CVE-2020-13942 is a critical remote code execution vulnerability in Apache Unomi, a Java-based customer data platform. The vulnerability resides in the public /context.json endpoint, which evaluates user-supplied OGNL (Object-Graph Navigation Language) and MVEL (MVFLEX Expression Language) scripts without adequate sanitization. An earlier fix, released before version 1.5.2, was incomplete, so attackers could bypass the filter using alternative injection vectors. The flaw was fully mitigated in version 1.5.2, which filters all script expressions from the input [1][2][3].

Attack vector and exploitation

The /context.json endpoint accepts JSON payloads containing conditions that may reference OGNL or MVEL scripting. By crafting malicious payloads, an unauthenticated attacker can inject arbitrary script expressions that are evaluated server-side. No authentication is required, and the endpoint is publicly accessible, making the attack surface broad. The vulnerability was discovered and reported by Eugene Rojavski of Checkmarx [3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the permissions of the Java process running Apache Unomi. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or lateral movement within the network [1][3].

Mitigation

All versions of Apache Unomi prior to 1.5.2 are vulnerable. Users must upgrade to version 1.5.2 or later, which completely filters OGNL and MVEL expressions from the input. No workarounds are available; the only effective remediation is upgrading [2][3].
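Since the only remediation is upgrading, the practical defender task is finding every build that still pulls in an affected version. The following added example (not code from the advisory or from the Unomi project) scans a Maven pom for org.apache.unomi dependencies, resolves a ${property} version reference from <properties>, and compares the version against the patched version 1.5.2 from the table above. The pom content is constructed for the example; the version comparison is a simplified Maven-style ordering in which a qualified version such as 1.5.2-SNAPSHOT sorts before the bare 1.5.2 release.

```python
"""Flag Maven dependencies on org.apache.unomi artifacts with a version below
the patched release 1.5.2 (CVE-2020-13942). Added example; not advisory or
project code. The POM below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP = "org.apache.unomi"
PATCHED_VERSION = "1.5.2"  # from the advisory's affected-packages table


def parse_version(version):
    """Turn '1.5.1', '1.5' or '1.5.2-SNAPSHOT' into a comparable tuple.

    Numeric components are padded to three places so 1.5 == 1.5.0. A qualifier
    (anything after '-') makes the version sort *before* the bare release,
    matching Maven's treatment of SNAPSHOT/RC builds. Simplified assumption:
    qualifiers are not ordered among themselves.
    """
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0,) if qualifier else (1,))


def is_affected(version):
    """True when the version falls in the advisory's range '< 1.5.2'."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def find_unomi_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for every org.apache.unomi
    dependency in a pom.xml string, handling the default POM namespace and
    ${property} version references defined in <properties>."""
    root = ET.fromstring(pom_xml)
    uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    ns = {"m": uri} if uri else {}
    q = (lambda tag: f"m:{tag}") if uri else (lambda tag: tag)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall(f"{q('properties')}/*", ns)}
    found = []
    for dep in root.iter(f"{{{uri}}}dependency" if uri else "dependency"):
        gid = dep.findtext(q("groupId"), "", ns).strip()
        aid = dep.findtext(q("artifactId"), "", ns).strip()
        ver = dep.findtext(q("version"), "", ns).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", ver)
        if ref:
            ver = props.get(ref.group(1), ver)
        if gid == AFFECTED_GROUP and ver:
            found.append((aid, ver))
    return found


def audit(pom_xml):
    """[(artifactId, version, affected?)] for each Unomi dependency found."""
    return [(aid, ver, is_affected(ver))
            for aid, ver in find_unomi_dependencies(pom_xml)]


# Constructed sample: one dependency pinned through a property to an affected
# version, one already on the patched release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><unomi.version>1.5.1</unomi.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.unomi</groupId>
      <artifactId>unomi</artifactId>
      <version>${unomi.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.unomi</groupId>
      <artifactId>unomi-api</artifactId>
      <version>1.5.2</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, affected in audit(SAMPLE_POM):
        status = "AFFECTED (upgrade to >= 1.5.2)" if affected else "ok"
        print(f"{AFFECTED_GROUP}:{artifact} {version}: {status}")
```

Run it against a real pom.xml by reading the file into audit(); dependencies whose version is inherited from a parent POM or a dependencyManagement section will show no version here and need that resolution added.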

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.unomi:unomi (Maven)
Affected versions: < 1.5.2
Patched versions: 1.5.2

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 17
