Patch Released for Critical Apache Unomi RCE Vulnerability

December 5, 2020
Advisory: Vulnerability Intelligence
Vendor: Apache
CVSS: 10 (Critical)
CVE: CVE-2020-13942
Target: Apache Unomi <= 1.5.1
Outcome: RCE
Patch Availability: Yes (patched version 1.5.2)

Apache Unomi is an open-source Java customer data platform designed to provide a personalized customer experience. It can be integrated with CRMs, applications, CMSs and other systems. Because it integrates closely with these critical services, a compromised Unomi server is an ideal entry point into protected corporate networks.

Modus operandi

Attackers can send crafted HTTP requests to a Unomi server, specifically to its /context.js or /context.json endpoint, that contain arbitrary commands written in Java expression languages (EL) such as MVEL and OGNL. Because Unomi handles classes insecurely (arbitrary classes can be loaded and their methods invoked), the commands are executed on the target server's operating system within the security context of the Unomi application.
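
A defender-side check for the request pattern described above, as an added example that is not part of the original advisory: it flags requests to the context endpoint whose body contains Java class-loading or method-invocation tokens. The token list, function names and sample requests are assumptions constructed for illustration; a match is a lead for review, not proof of exploitation.

```python
import re
from urllib.parse import urlsplit

# Endpoints named in the advisory.
CONTEXT_PATHS = {"/context.json", "/context.js"}

# Heuristic token list (assumption, not from the advisory): names tied to
# Java class loading and method invocation, which a normal personalization
# request has no reason to carry.
SUSPICIOUS = re.compile(
    r"java\.(?:lang|io|net)\b|getRuntime|ProcessBuilder|forName|ClassLoader|getClass",
    re.IGNORECASE,
)

# JSON allows \uXXXX escapes, so "\u006aava" is "java" once parsed.
JSON_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def flag_request(url, body):
    """Return the sorted suspicious tokens in body, or [] if clean or out of scope."""
    path = urlsplit(url).path.rstrip("/").lower()
    if path not in CONTEXT_PATHS:
        return []
    # Normalize escapes first so an escaped token still matches.
    decoded = JSON_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
    return sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(decoded)})


def scan(records):
    """Return (index, tokens) for every (url, body) record worth reviewing."""
    return [(i, hits) for i, (url, body) in enumerate(records)
            if (hits := flag_request(url, body))]


# Constructed sample requests (url, body). The flagged bodies hold inert
# placeholder strings, not working payloads.
SAMPLE = [
    ("/context.json", '{"sessionId":"s1","source":{"itemId":"home"}}'),
    ("/context.json?sessionId=s2",
     '{"filters":[{"value":"PLACEHOLDER java.lang.Runtime getRuntime"}]}'),
    ("/context.js", '{"filters":[{"value":"PLACEHOLDER \\u006aava.lang.ProcessBuilder"}]}'),
    ("/other", '{"note":"java.lang.Runtime"}'),
]

if __name__ == "__main__":
    for index, tokens in scan(SAMPLE):
        print(f"review request {index} to {SAMPLE[index][0]}: {tokens}")
```

The same matching can be run over reverse-proxy or WAF logs that capture request bodies; servers still on 1.5.1 or earlier should be checked first.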


Technical Impact

Threat actors can use compromised Unomi servers to launch attacks against associated critical services.
They can carry out lateral movement to compromise customer data.
They can launch attacks against segmented networks, compromising the entire network domain.

Business Impact

Sensitive customer/client data can be compromised.
Data breaches tarnish an organization’s reputation and branding.
Threat actors could abuse vulnerabilities to launch ransomware attacks against the target.


Update Apache Unomi to version 1.5.2 or above.
