OpenOLAT Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A server-side template injection vulnerability has been identified in OpenOLAT, an open-source e-learning platform. This issue affects versions prior to 19.1.31, 20.1.18, and 20.2.5. The vulnerability allows an authenticated user with the Author role to inject Velocity directives into a reminder email template. When the reminder is processed, either manually or via a daily cron job, the injected directives are evaluated on the server. By abusing this evaluation, an attacker can use Velocity's #set directive in conjunction with Java reflection to execute arbitrary operating system commands. The commands run with the privileges of the Tomcat process, which is typically root in containerized deployments.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server running OpenOLAT. In standard Docker or Kubernetes deployments, the Tomcat process operates as root, giving the attacker complete control over the host system. This access includes the ability to read and exfiltrate sensitive data such as user credentials and personal information, modify or delete data, and potentially access other internal systems.

Reproduction

The vulnerability can be reproduced by an authenticated user with the Author role. The user can inject Velocity directives into a reminder email template through the course reminder REST API or the web UI. Once the reminder is processed, the injected directives are evaluated server-side, allowing for the execution of arbitrary commands via Java reflection.

Remediation

Users are advised to upgrade to OpenOLAT versions 19.1.31, 20.1.18, or 20.2.5. If an immediate upgrade is not possible, the Author role should be restricted to trusted users only, and the course reminder feature can be disabled via system configuration.
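For deployments that cannot upgrade immediately, a compensating control is to refuse reminder templates that contain anything beyond prose and a fixed set of placeholders, both when an Author saves a template and as a sweep over templates already stored. The following is an added example written for this page, not OpenOLAT code: a small validator that flags Velocity directives (#set and friends) and any reference that chains into a property or method, which is the hook a reflection-based payload needs. The placeholder names (firstName, courseName, ...) and the sample templates are constructed assumptions; the "injected" sample only reads a class name so it performs nothing when evaluated.

```python
"""Validate user-supplied Velocity reminder templates before they are stored.

The reminder text an Author may write should be prose plus a fixed set of
placeholders. Anything else (a directive such as #set, or a property/method
chain on a reference) means the template carries logic, which is what a
Velocity SSTI relies on. Constructed example, not OpenOLAT code; the
placeholder names below are assumptions.
"""
import re

# Assumed allowlist of placeholders a reminder template may reference.
ALLOWED_PLACEHOLDERS = {"firstName", "lastName", "courseName", "courseUrl", "dueDate"}

# Velocity directives (#set, #foreach, ...). The "#{set}" spelling is also valid Velocity.
DIRECTIVE_RE = re.compile(
    r"#\{?(set|if|elseif|else|end|foreach|macro|parse|include|evaluate|define|break|stop)\b",
    re.IGNORECASE,
)

# References: $name, $!name, ${name}, $!{name}, optionally followed by a
# .member chain. Whitespace after the dot is deliberately NOT accepted: in
# Velocity "$firstName. See" is a reference followed by literal text.
REF_RE = re.compile(
    r"\$!?(?:\{(?P<bname>[A-Za-z_][A-Za-z0-9_-]*)(?P<btail>\.[A-Za-z_][A-Za-z0-9_]*)?[^}]*\}"
    r"|(?P<name>[A-Za-z_][A-Za-z0-9_-]*)(?P<tail>\.[A-Za-z_][A-Za-z0-9_]*)?)"
)


def check_template(template, allowed=ALLOWED_PLACEHOLDERS):
    """Return a list of (kind, token, offset) findings; an empty list means the
    template uses only allowed placeholders and no Velocity logic."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template):
        findings.append(("directive", "#" + m.group(1).lower(), m.start()))
    for m in REF_RE.finditer(template):
        name = m.group("bname") or m.group("name")
        tail = m.group("btail") or m.group("tail")
        if tail:
            # $ref.something: property/method access, the entry point for reflection
            findings.append(("member_access", "$" + name + tail, m.start()))
        elif name not in allowed:
            findings.append(("unknown_placeholder", "$" + name, m.start()))
    return findings


def scan_templates(templates, allowed=ALLOWED_PLACEHOLDERS):
    """Scan stored templates (name -> body) and report only those that fail;
    usable as a save-time gate and as a sweep over existing reminders."""
    return {name: f for name, body in templates.items() if (f := check_template(body, allowed))}


# Constructed sample templates. The second mimics the #set + reflection shape
# the advisory describes but only reads a class name, so it does nothing.
SAMPLE_TEMPLATES = {
    "benign": "Hi ${firstName}. The assignment for $courseName. Due: $dueDate (see $courseUrl)",
    "injected": "Reminder for $firstName: #set($t = $courseName.class.name) $t",
}

if __name__ == "__main__":
    for name, findings in scan_templates(SAMPLE_TEMPLATES).items():
        print(name)
        for kind, token, offset in findings:
            print(f"  {kind}: {token} at offset {offset}")
```

Rejecting the template at save time is the useful gate; running scan_templates over the reminder table also gives an incident responder a quick way to find templates that were planted before the upgrade. The validator is intentionally strict (an unknown placeholder is a finding, not just a directive), because a benign template has no reason to reference anything outside the allowlist.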

Added: Mar 30, 2026, 9:41 PM
Updated: Mar 30, 2026, 9:41 PM

Vulnerability Rating

Custom Algorithm

spread:          1.9
impact:         10.0
exploitability:  5.6
remediation:     7.9
relevance:       4.9
threat:          1.6
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.