VYPR
High severity · NVD Advisory · Published May 4, 2021 · Updated Aug 3, 2024

Apache Unomi log injection

CVE-2021-31164

Description

Apache Unomi prior to 1.5.5 allows CRLF log injection due to insufficient escaping in log statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Apache Unomi versions prior to 1.5.5 contain a CRLF log injection vulnerability because the software does not properly escape user-controlled input before writing it to log files [1][2]. This allows an attacker to inject carriage return (%0D) and line feed (%0A) characters into log entries, potentially manipulating log structures or forging log entries.

Exploitation

An attacker can exploit this vulnerability by crafting a request that includes CRLF sequences (e.g., %0D%0A) in fields that are subsequently logged [1]. No authentication is required if the vulnerable endpoint is exposed; the attacker simply sends a malicious HTTP request to the Unomi server. The decoded characters are written verbatim into the log file, so anything reading the log treats the text after the CRLF as the start of a new log line.

Impact

Successful exploitation allows an attacker to inject arbitrary content into log files, which can corrupt logging data, obscure malicious activities, or inject fake log entries [2]. While this does not directly lead to remote code execution or data breach, it undermines the integrity of audit logs and can aid in covering up further attacks.

Mitigation

Apache Unomi users should upgrade to version 1.5.5 or later, which contains the fix [2]. The fix was committed in revision 1c088702511ef44a056244cb968682daf8f21946 [2]. No workarounds are provided for earlier versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.
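The mechanism described under Vulnerability and Exploitation, and the escaping that the fix in 1.5.5 calls for, as an added example that is not Apache Unomi's code and is not taken from the referenced commit. It is written in Python rather than Java so the logic stays short; the record layout, the `escape_for_log` helper, and the sample request parameter `CONSTRUCTED_PARAM` are all constructed for illustration. It formats one log record from a user-controlled value twice, once without escaping and once with CR/LF escaped, and then shows that a plain line-based log reader finds two well-formed records in the unescaped output and one in the escaped output.

```python
import re
from urllib.parse import unquote

# Constructed sample (not from the advisory): a request parameter whose value
# carries an encoded CR LF (%0D%0A) followed by text shaped like a second record.
CONSTRUCTED_PARAM = "alice%0D%0A2021-05-04 10:00:01 INFO  session created for user=admin"

# Fixed timestamp so the output is deterministic.
TIMESTAMP = "2021-05-04 10:00:00"


def format_record_unescaped(timestamp, level, message):
    """Log statement with no escaping: the message lands in the log verbatim,
    including any control characters a client managed to get into it."""
    return f"{timestamp} {level:<5} {message}"


def escape_for_log(value):
    """Escape CR, LF, TAB and other control characters so a logged value can
    never terminate the current record or start a new one."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def format_record_escaped(timestamp, level, message):
    """Same log statement with the user-controlled part escaped first."""
    return f"{timestamp} {level:<5} {escape_for_log(message)}"


# What a line-oriented log reader treats as the start of a record:
# "<date> <time> <LEVEL> ".
RECORD_START = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (TRACE|DEBUG|INFO|WARN|ERROR)\s"
)


def split_records(log_text):
    """Split log text on CR/LF (as a reader would) and keep the lines that
    parse as record starts. A forged line that matches is indistinguishable
    from a genuine one once it is in the file."""
    lines = re.split(r"\r\n|\r|\n", log_text)
    return [line for line in lines if RECORD_START.match(line)]


def demo():
    """Return (records seen in the unescaped output, records seen in the
    escaped output) for the constructed parameter."""
    user = unquote(CONSTRUCTED_PARAM)  # server-side decoding restores the raw CR LF
    message = f"login attempt for user={user}"
    unescaped = format_record_unescaped(TIMESTAMP, "INFO", message)
    escaped = format_record_escaped(TIMESTAMP, "INFO", message)
    return len(split_records(unescaped)), len(split_records(escaped))


if __name__ == "__main__":
    forged, clean = demo()
    print(f"unescaped logging: {forged} records parsed from one log statement")
    print(f"escaped logging:   {clean} record parsed from one log statement")
```

The escaped form keeps the injected text inside the single genuine record, where it is visible as `\r\n` and can be searched for; a simple detection check on an existing log is to count physical lines per log statement (or look for record-start patterns immediately following a logged field value), since a forged record has no corresponding write on the application side.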

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.unomi:unomi (Maven)
Affected versions: < 1.5.5
Patched versions: 1.5.5

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.