Malicious actors might exploit multiple vulnerabilities in Hitachi Vantara’s Pentaho Business Analytics software to upload arbitrary data files and potentially execute arbitrary code on the application’s underlying host system.
Researchers Alberto Favero of German cybersecurity firm Hawsec and Altion Malka of Census Labs discovered the security flaws earlier this year, prompting the vendor to release fixes that address them.
Pentaho is a Java-based business intelligence platform that supports data integration, analytics, online analytical processing (OLAP), and mining. Customers include Bell, CERN, Cipal, Logitech, Nasdaq, Telefonica, Teradata, and the National September 11 Memorial and Museum.
The following is a list of issues that impact Pentaho Business Analytics versions 9.1 and lower:
CVE-2021-31599 (CVSS score: 9.9) – Remote Code Execution via Pentaho Report Bundles
CVE-2021-31600 (CVSS score: 4.3) – Jackrabbit User Enumeration
CVE-2021-31601 (CVSS score: 7.1) – Inadequate Access Control in Data Source Management
CVE-2021-31602 (CVSS score: 5.3) – Spring API Authentication Bypass
CVE-2021-34684 (CVSS score: 9.8) – Unauthenticated SQL Injection
CVE-2021-34685 (CVSS score: 2.7) – Bypass of Filename Extension Restrictions
If the flaws are successfully exploited, authenticated users with sufficient role permissions could upload and run Pentaho Report Bundles to run malicious code on the host server and exfiltrate sensitive application data, as well as bypass the application’s filename extension restrictions and upload files of any type.
Furthermore, a low-privilege authenticated attacker could use them to retrieve credentials and connection details for all Pentaho data sources, enabling data harvesting and exfiltration, while an unauthenticated user could run arbitrary SQL queries against the backend database and retrieve its contents.
Users of the application are strongly advised to update to the most recent version due to the significant severity of the issues and the risk they pose to the underlying system.