CVE-2020-13936 Overview
CVE-2020-13936 is a Server-Side Template Injection (SSTI) vulnerability in Apache Velocity Engine that allows attackers to execute arbitrary Java code or run arbitrary system commands. This vulnerability affects applications that permit untrusted users to upload or modify Velocity templates, enabling attackers to gain code execution with the same privileges as the account running the Servlet container.
Apache Velocity is a widely-used Java-based template engine that allows web designers to reference methods defined in Java code. When applications expose template modification capabilities to untrusted users without proper security controls, attackers can craft malicious templates that escape the sandbox and execute arbitrary code on the underlying server.
Critical Impact
Successful exploitation allows attackers to execute arbitrary Java code or system commands with Servlet container privileges, potentially leading to complete server compromise, data exfiltration, and lateral movement within enterprise networks.
Affected Products
- Apache Velocity Engine versions up to 2.2
- Apache WSS4J 2.3.1
- Debian Linux 9.0
- Oracle Banking Deposits and Lines of Credit Servicing 2.12.0
- Oracle Banking Enterprise Default Management (multiple versions including 2.6.2, 2.7.1, 2.10.0, 2.12.0)
- Oracle Banking Loans Servicing 2.12.0
- Oracle Banking Party Management 2.7.0
- Oracle Banking Platform (multiple versions including 2.6.2, 2.7.1)
- Oracle Communications Cloud Native Core Policy 1.14.0
- Oracle Communications Network Integrity 7.3.6
- Oracle Hospitality Token Proxy Service 19.2
- Oracle Retail Integration Bus 19.0.1
- Oracle Retail Order Broker 16.0
- Oracle Retail Service Backbone 19.0.1
- Oracle Retail Xstore Office Cloud Service (versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1)
- Oracle Utilities Testing Accelerator (versions 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1)
Discovery Timeline
- March 10, 2021 - CVE-2020-13936 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-13936
Vulnerability Analysis
This vulnerability stems from insufficient access controls in Apache Velocity Engine's template processing mechanism. Velocity templates are designed to generate dynamic content by allowing Java method invocations and variable references within template syntax. When applications allow untrusted users to create or modify these templates, attackers can leverage Velocity's introspection capabilities to access Java runtime methods and execute arbitrary code.
The attack surface is particularly concerning because Velocity templates have access to Java's reflection API by default, allowing template authors to instantiate objects, invoke methods, and access system resources. An attacker with template modification privileges can craft payloads that break out of the intended template scope and interact directly with the Java Virtual Machine.
Root Cause
The root cause lies in the permissive default configuration of Velocity Engine, which does not adequately restrict access to dangerous Java classes and methods from within templates. The engine's introspection system allows templates to access virtually any Java object passed into the context, including system classes that can be leveraged for code execution.
Applications that fail to implement strict access controls over template content, combined with Velocity's powerful but unrestricted reflection capabilities, create conditions where Server-Side Template Injection attacks become feasible.
Attack Vector
The attack requires network access and low-level privileges (authenticated access to template modification functionality). The exploitation flow typically involves:
- An attacker identifies an application using Apache Velocity Engine that allows user-controlled template content
- The attacker crafts a malicious Velocity template containing Java reflection calls
- When the template is processed by the Velocity Engine, the malicious code executes with the privileges of the Servlet container
- The attacker can then execute system commands, access sensitive data, or establish persistent access
Malicious Velocity templates can leverage Java's Runtime.getRuntime().exec() method or similar techniques to execute operating system commands. The template syntax allows for method chaining and object instantiation, making it possible to construct complex attack payloads that bypass basic input filters.
Detection Methods for CVE-2020-13936
Indicators of Compromise
- Unexpected template files containing Java class references such as java.lang.Runtime, java.lang.ProcessBuilder, or java.io.File
- Template content with suspicious method calls like .getClass(), .forName(), or .getRuntime()
- Unusual process spawning from Java/Servlet container processes
- Web server logs showing requests to template upload or modification endpoints with encoded payloads
Detection Strategies
- Implement file integrity monitoring on directories containing Velocity templates to detect unauthorized modifications
- Deploy web application firewalls (WAF) with rules to detect SSTI payloads in template content
- Monitor application logs for template compilation errors that may indicate exploitation attempts
- Use SentinelOne's behavioral AI to detect suspicious child processes spawned by Java applications
Monitoring Recommendations
- Enable detailed logging for template upload and modification operations in your applications
- Monitor outbound network connections from Servlet containers for unexpected command-and-control traffic
- Configure alerts for Java processes executing shell commands or accessing sensitive system resources
- Implement centralized log aggregation to correlate template modification events with suspicious system activity
How to Mitigate CVE-2020-13936
Immediate Actions Required
- Upgrade Apache Velocity Engine to version 2.3 or later, which includes security fixes for this vulnerability
- Audit applications to identify where Velocity templates can be modified by users and restrict this capability to trusted administrators only
- Review existing Velocity templates for signs of tampering or malicious content
- Implement strict input validation and sandboxing for any user-controlled template content
Patch Information
Apache has released Velocity Engine version 2.3 which addresses this vulnerability by implementing stricter access controls on template introspection capabilities. Organizations should prioritize upgrading to this version or later.
For Oracle products, refer to the Oracle Critical Patch Update January 2022 and Oracle Critical Patch Update April 2022 for specific patch guidance. Debian users should consult the Debian LTS Announcement for package updates.
Additional security information is available through the Apache Velocity User Mailing List and Openwall Security Mailing List.
Workarounds
- If upgrading is not immediately possible, remove or restrict user access to template modification functionality
- Implement a custom Uberspector to restrict access to dangerous Java classes and methods from within templates
- Deploy application-level controls to sanitize and validate all template content before processing
- Use Velocity's SecureUberspector or configure strict class whitelisting to limit template capabilities
# Configuration example: Enable SecureUberspector in velocity.properties
# Add the following to your velocity.properties file to restrict template access
runtime.introspector.uberspect=org.apache.velocity.util.introspection.SecureUberspector
introspector.restrict.packages=java.lang.reflect,java.lang.Runtime
introspector.restrict.classes=java.lang.Class,java.lang.ClassLoader,java.lang.Compiler,java.lang.InheritableThreadLocal
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
