Detecting and mitigating Apache Unomi's CVE-2020-13942 – Remote Code Execution (RCE)
Blog post from Sysdig
CVE-2020-13942 is a critical vulnerability in Apache Unomi, an open-source REST server for managing user profiles, affecting versions prior to 1.5.2. It allows remote code execution (RCE) by exploiting MVEL and OGNL expression-language vulnerabilities: improper handling of class loading lets an attacker execute arbitrary code with the application's privileges through crafted HTTP requests. The flaw echoes past expression-language issues in Apache Struts. It is rated critical because it is easy to exploit and has a significant impact on confidentiality, integrity, and availability.

To mitigate the risk, update to version 1.5.2, which includes a patch that disables OGNL by default, improves sandboxing, and sanitizes MVEL expressions.

Detection and prevention apply at several stages of the application lifecycle: image scanners catch the vulnerable version during builds and deployments, and a runtime detection tool such as Falco identifies and responds to exploitation attempts. Sysdig Secure scans container images, enforces security policies through its Admission Controller, and runs the Falco detection engine at runtime, covering the vulnerability across these stages.
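As an added example (not code from the Sysdig post or the Falco project), a self-contained Falco rule that implements the runtime detection the post recommends: it alerts when the Java process inside an Apache Unomi container spawns a shell, which normal Unomi operation does not need and which is a typical symptom of expression-language RCE being used to run commands. The container image filter and the list of shell binaries are assumptions to tune for your environment.

```yaml
# Added example, not from the Sysdig post or the Falco default ruleset.
# Assumptions: Unomi runs in a container whose image repository name contains
# "unomi"; the rule does not depend on macros from the default rules.
- list: unomi_shell_binaries
  items: [sh, bash, dash, ash, zsh]

- rule: Apache Unomi Spawned a Shell
  desc: >
    Detects a shell launched by the Java process inside an Apache Unomi
    container. Unomi does not need to spawn shells during normal operation,
    so on a version prior to 1.5.2 this is a strong indicator that an MVEL
    or OGNL expression injection (CVE-2020-13942) is being used to execute
    system commands. Adjust the image filter to match your registry.
  condition: >
    evt.type = execve and evt.dir = < and
    container.id != host and
    container.image.repository contains unomi and
    proc.pname = java and
    proc.name in (unomi_shell_binaries)
  output: >
    Shell spawned by Apache Unomi Java process, possible CVE-2020-13942
    exploitation (user=%user.name parent=%proc.pname command=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [container, process, cve-2020-13942]
```

Load it with `falco -r <path-to-this-file>` alongside the default rules; a patched 1.5.2 deployment should never trigger it, so any alert warrants an investigation of the request logs around that time.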