Apache Unomi MVEL RCE (CVE-2020-13942) - Vulnerability Database


Description

Apache Unomi versions prior to 1.5.2 contain a critical vulnerability in the context.json endpoint. This endpoint is the one Unomi's browser-side tracking script calls, so it is reachable without credentials by design. Requests to it can carry condition parameters, and Unomi evaluated parameter values as MVEL (MVFLEX Expression Language) expressions (values prefixed with script::) or as OGNL (Object-Graph Navigation Language) expressions without adequately restricting what those expressions could reference. An unauthenticated attacker can therefore submit an expression that calls arbitrary Java APIs, for example to spawn a process, and obtain code execution with the privileges of the Apache Unomi process.

Remediation

Apply the following remediation steps immediately:

1. Upgrade Apache Unomi
Update to Apache Unomi version 1.5.2 or later, which hardens how MVEL and OGNL expressions received in requests are evaluated so that request-supplied expressions can no longer reach arbitrary Java classes. Confirm the running version after the upgrade rather than relying on the package you deployed.

2. Implement Network-Level Controls (Temporary Mitigation)
If immediate patching is not possible, restrict access to the context.json endpoint using firewall rules or web application firewall (WAF) policies. Note the trade-off: context.json is the endpoint end-user browsers call, so an IP allow-list only works for deployments whose clients come from known addresses; for a public site the practical option is a WAF rule that blocks request bodies containing MVEL or OGNL markers (such as the script:: prefix or @class@method call syntax). Treat such a rule as a stop-gap, since pattern blocklists can be bypassed, and keep the upgrade scheduled.

3. Verify Remediation
After upgrading, confirm that the fix is active: send a context.json request whose condition parameter carries a harmless expression (one with no side effects, tested against a non-production instance) and check that the application no longer evaluates it. Verify the version string reported by the running instance as well, so that a stale deployment or a second node is not missed.

4. Review Logs
Examine application, reverse-proxy and system logs from the period before the patch was applied for indicators of compromise. Request-level review depends on POST bodies having been captured (ordinary access logs record only the URL, so a proxy or WAF with body logging is needed); look for context.json requests whose parameter values contain the script:: prefix, OGNL call syntax, or references to java.lang.Runtime and similar classes. Because proof-of-concept payloads for this bug typically confirm execution through an out-of-band callback, unusual DNS queries or unexpected outbound connections from the Unomi host are also strong indicators, as are unexpected child processes of the Java process.
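The following is an added example for the log-review step, written for this page; it is not Invicti's code nor part of the Apache Unomi project. It scans captured request records (assumed here to be JSON lines with ts, src, path and body fields, as a reverse proxy or WAF with body logging might emit; the field names and the sample records are constructed for the example) and flags context.json requests whose string values match MVEL/OGNL injection indicators. The indicator patterns are heuristics chosen for this example, not signatures published with the advisory.

```python
"""Flag MVEL/OGNL expression-injection indicators in captured context.json
request bodies (CVE-2020-13942 log review).  Added example; not Invicti's or
Apache Unomi's code.  Log format and indicator list are assumptions."""
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Heuristic indicators (assumption: chosen for this example, tune for your
# environment).  "script::" is the prefix Unomi used to mark a condition
# parameter value as an MVEL expression; the rest are generic MVEL/OGNL
# idioms for reaching Java classes and spawning processes.
INDICATORS = [
    ("mvel-script-prefix", re.compile(r"\bscript::")),
    ("ognl-static-call", re.compile(r"@[\w.]+@\w+\s*\(")),
    ("ognl-variable-chain", re.compile(r"\(\s*#\w+\s*=")),
    ("java-runtime-exec", re.compile(r"Runtime\s*\.\s*getRuntime\s*\(|\.exec\s*\(")),
    ("java-reflection", re.compile(r"Class\s*\.\s*forName\s*\(|ProcessBuilder")),
]


def iter_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json-path, value) for every string nested anywhere in a body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_body(body: str) -> list[dict]:
    """Return one finding per (string value, indicator) match in a request body."""
    try:
        doc: Any = json.loads(body)
    except ValueError:
        doc = body  # non-JSON body: scan it as a single string
    findings = []
    for path, value in iter_strings(doc):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                findings.append({"indicator": name, "path": path, "value": value})
    return findings


def scan_log_lines(lines) -> list[dict]:
    """Scan JSON-lines request records; only context.json requests are examined."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if not entry.get("path", "").startswith("/context.json"):
            continue
        for finding in scan_body(entry.get("body", "")):
            hits.append({"ts": entry["ts"], "src": entry["src"], **finding})
    return hits


# Constructed sample records.  Bodies 2 and 3 carry harmless expressions
# (they only read a system property) in the shape of a filter condition.
SAMPLE_ENTRIES = [
    {"ts": "2020-11-17T10:00:00Z", "src": "203.0.113.5", "path": "/context.json?sessionId=s1",
     "body": json.dumps({"source": {"itemId": "page1", "itemType": "page", "scope": "site"},
                         "requiredProfileProperties": ["*"]})},
    {"ts": "2020-11-17T10:02:13Z", "src": "198.51.100.7", "path": "/context.json",
     "body": json.dumps({"filters": [{"id": "f1", "filters": [{"condition": {
         "type": "profilePropertyCondition",
         "parameterValues": {"propertyName": "properties.x", "comparisonOperator": "equals",
                             "propertyValue": 'script::System.getProperty("os.name")'}}}]}]})},
    {"ts": "2020-11-17T10:02:41Z", "src": "198.51.100.7", "path": "/context.json",
     "body": json.dumps({"filters": [{"id": "f2", "filters": [{"condition": {
         "type": "profilePropertyCondition",
         "parameterValues": {"propertyName": "properties.x", "comparisonOperator": "equals",
                             "propertyValue": '(#p=@java.lang.System@getProperty("os.name")).(#p)'}}}]}]})},
    {"ts": "2020-11-17T10:05:00Z", "src": "203.0.113.9", "path": "/cxs/profiles",
     "body": json.dumps({"note": "script:: outside context.json is not scanned here"})},
]
SAMPLE_LOG_LINES = [json.dumps(entry) for entry in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f'{hit["ts"]} {hit["src"]} {hit["indicator"]} at {hit["path"]}: {hit["value"]}')
```

Run against real captures, group the hits by source address and time: a single source touching several indicator classes within minutes, as in the sample, is the pattern to escalate, and the matching hosts should then be checked for the DNS and outbound-connection indicators described in step 4.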
