Last year’s top-level Apache Product for its easy integration and high scalability, Unomi is now under the threat of critical vulnerabilities. Recent reports tell that 2 critical bugs have been reported in Unomi by researchers. The researchers have warned that these vulnerabilities if exploited could lead to Remote Code Execution (RCE) on sensitive servers. These findings were reported by the Security Research Team of Checkmarx, who analyzed the platform to look for possible vulnerabilities. 

Apache Unomi is an Open Source customer data platform in Java. It was designed with an aim to easily personalize customer experiences, manage leads, customers, visitors’ data and more. It can be integrated with various systems like Content Management Systems, Customer Relationship Management systems, native mobile applications, etc.  

The vulnerabilities could cause complete takeover

The detected vulnerabilities have the maximum CVS score of 10.0 as they can lead to the complete compromise of the confidentiality, integrity, and accessibility of Apache Unomi services. Besides this, it could even allow the attackers’ access to the underlying OS. 

How these vulnerabilities work is that they allow the attackers to send malicious requests containing arbitrary classes with MVEL and OGNL. This results in the complete Remote Code execution along with the privileges of the Unomi application. These vulnerabilities can be exploited using a public point without authentication or any prior knowledge, making them more severe.

Since the MVEL & OGNL expressions are evaluated in different internal packages by different classes, they are considered two separate vulnerabilities. Essentially both the vulnerabilities are quite similar & are hence both designated as CVE-2020-13942. By exploiting these vulnerabilities, the attackers get a backdoor into the internal network of the enterprise. They can use this to increase their lateral movement or steal user data that is collected via the Unomi application. 

The previous patch was insufficient!

Previous to the current vulnerabilities, Unomi had faced another RCE bug named CVE-2020-11975, which was patched soon. But the patch wasn’t sufficient enough to secure the Unomi system. This patch focused on fixing the vulnerability on the surface, rather than the root. 

Complex conditions in requests to endpoints are allowed by Unomi. These conditions rely on languages like OGNL & MVEL allowing users to create complex & granular queries. Now, these languages were not restricted in Unomi versions 1.5.1 and prior. This left Unomi vulnerable to RCE via Expression Language Injection. Any attacker could execute arbitrary code & OS commands on the server with a single request. 

Latest news,

The patch for the vulnerability was introduced for SecureFilteringClassLoader, which worked on the assumption that all classes in MVEL & OGNL expressions. These were loaded using the loadClass() method and the SecureFilteringClassLoader overrides the ClassLoader loadClass method allowing the allowlist & blocklist to be checked. This assumption later proved to be incorrect, meaning that the patch could be bypassed in many ways leading to Unomi remaining open to RCE. 

Apache Unomi has an update

After the Unomi team was made aware of the vulnerabilities in their system, they collaborated with the Checkmarx research team to fix the vulnerabilities at the root cause, which as the arbitrary expression language statements. The company has patched the vulnerabilities and released an update for their application. They have also urged all their users to update to the latest version of the application to stay safe of the threat by these vulnerabilities

The Apache Unomi vulnerabilities are extremely trivial to exploit. All that potential attackers require to exploit them is to find a vulnerable endpoint that is public by-design which makes it easier to find. It is hence important for Unomi users to update their applications at the earliest to escape the threat of these vulnerabilities. But at the same time, the responsibility lies on the shoulders of the Apache team too, to ensure a safe and secure environment for their users.