Apache Unomi EL Injection Remote Code Execution (CVE-2020-13942)
Apache Unomi is a Java Open Source customer data platform, a Java server designed to manage customers, leads and visitors. In 2019 it became an Apache Top Level Project, meaning it has graduated from the Apache Incubator and is supported by a sufficiently large community of developers.
On November the 17th it was publicly disclosed that all version of Apache Unomi prior to 1.5.2 are vulnerable to remote code execution vulnerability caused by MVEL and OGNL expressions language injection. The vulnerability was given a score of CVSS 10 since it requires no authentication, and the vulnerable endpoint is publicly accessible.
CVE-2020-13942 is a bypass of CVE-2020-11975 that was disclosed in June earlier this year. The original vulnerability was caused due to lack of sanitization of the OGNL and MVEL expressions, allowing the attacker to call any Java class from the JDK and execute arbitrary code on the system. It was patched by adding a class that overrides the original ClassLoader class with a class that defines the allowed classes to be loaded by the expression languages.
Figure 1: CVE-2020-11975 patch
This patch assumes that any class loading will be done by the loadClass() method in the ClassLoader class. Checkmarx researcher Eugene Rojavski found that this assumption is false and was able to load classes without using the loadClass() method, thus bypassing the security controls of the application.
In the first variant of the exploit, it was found that under some conditions MVEL expressions uses already initiated classes such as Runtime or System, without the need of initiate a new class. In the following example, anything after the“script::” code is evaluated as a MVEL expression with access to an initiated Runtime class.
Figure 2: Variant 1 of the vulnerability - HTTP request containing a MVEL expression payload
In the second variant of the exploit, the researcher was able to bypass the security controls by loading a class using a Java reflections API inside an OGNL syntax and avoid the loadClass() method.
Figure 3: Variant 2 of the vulnerability - HTTP request containing an OGNL expression payload
A patch was released by the Apache Unomi developers containing several mitigations, mainly disabling OGNL by default and improving its sandbox, sanitizing MVEL expressions and modifying its imports preventing system-level classes.
Mitigating the vulnerability with BIG-IP Advanced WAF
A new attack signature was released to provide a more accurate detection and mitigation of the vulnerability: "Apache Unomi context.json RCE" (ID 200104626) in the "Server Side Code Injection" signature set.
BIG-IP Advanced WAF customers under any supported BIG-IP version are already protected against this vulnerability. While exploiting this vulnerability attacker will try to send specially crafted HTTP requests containing Java code and OS commands.
The exploitation attempt will be detected by existing attack signatures. Signatures which can be found in signature sets that include "Server Side Code Injection" attack types or "Java" system.
Figure 4: Exploit blocked with Attack Signature (200104084)
Figure 5: Exploit blocked with Attack Signature (200003437)