Pentaho Business Analytics Software Has Critical Flaws

Pentaho Business Analytics Software Has Critical Flaws

Malicious actors might exploit various flaws in Hitachi Vantara’s Pentaho Business Analytics software to upload arbitrary data files and potentially enforce arbitrary code on the application’s underlying host system.

Researchers Altion Malka of Census Labs and Alberto Favero of German cybersecurity firm Hawsec discovered the security flaws earlier this year, causing the corporation to release fixes to address the concerns.

Pentaho is a business intelligence platform based on Java. It includes data integration, online analytical processing (OLAP), and mining features. Its clients include significant organizations and companies like Bell, CERN, Cipal, Nasdaq, Logitech, Teradata, Telefonica, and the National September 11 Memorial and Museum.

The following is a list of issues that impact Pentaho Business Analytics versions 9.1:

  • CVE-2021-31599 (CVSS score: 9.9) – Remote Code Execution via Pentaho Report Bundles
  • CVE-2021-31600 (CVSS score: 4.3) – Jackrabbit User Enumeration
  • CVE-2021-31601 (CVSS score: 7.1) – Data Source Management’s Insufficient Access Control 
  • CVE-2021-31602 (CVSS score: 5.3) – Authentication Bypass of Spring APIs
  • CVE-2021-34684 (CVSS score: 9.8) – Unauthenticated SQL Injection
  • CVE-2021-34685 (CVSS score: 2.7) – Bypass of Filename Extension Restrictions

Successfully exploiting the issues might allow authorized users with adequate role rights to upload and execute Pentaho Report Bundles on the host server, allowing malicious code to run and sensitive application data to be exfiltrated, and upload files of any sort by getting around the application’s filename extension limits.

Furthermore, a low-privilege authenticated attacker could use them to retrieve credentials and connection details for all Pentaho data sources, allowing the party to harvest and transmit data. And allow an unauthenticated user to run arbitrary SQL queries on the backend database and retrieve data.

Users of the program are strongly advised to upgrade to the most recent version due to the significant severity of the issues and the danger they represent to the underlying system.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.