Remote code execution, SQL injection bugs uncovered in Pentaho Business Analytics software

Charlie Osborne

04 November 2021 at 14:14 UTC

Updated: 05 November 2021 at 09:32 UTC

Penetration test reveals severe issues in Hitachi Vantara’s business solution

UPDATED Critical bugs have been unearthed in Hitachi Vantara’s Pentaho Business Analytics software, a report has warned.

A penetration test report, finalized on April 4 and cleared for public release on October 10, revealed a number of security issues in version 9.1.00 of the software on the Windows 64-bit operating system.

Pentaho Business Analytics (BA) is an analytics platform for Big Data management. The enterprise solution is designed to discover, analyze, and visualize data across channels including databases, social media, cloud repositories, and NoSQL systems. BA can be deployed either on-premises or in the cloud.

The pen test was performed by Hawsec. The company says the security assessment was focused on the examination of “functional as well as source code aspects (where such code could be obtained, e.g., through decompilation), and [to] identify potential vulnerabilities that could compromise the security of the application and its underlying system”.

The report (PDF), authored by Hawsec CEO Alberto Favero and cybersecurity researcher Altion Malka, outlines a total of six vulnerabilities, two of which are rated critical, with CVSS scores of 9.9 and 9.8 respectively.

Findings

The first and most serious vulnerability of note is a remote code execution (RCE) flaw. Tracked as CVE-2021-31599 (with a CVSS score of 9.9), the bug allows low-privilege users to execute arbitrary code on a vulnerable system by deploying a crafted, malicious Pentaho Report Bundle.

The second critical bug, CVE-2021-34684 (CVSS 9.8), is an unauthenticated SQL injection issue found in BA’s query functionality. Unauthenticated users could exploit the flaw by executing arbitrary SQL queries on Pentaho data sources, thereby retrieving information from related databases without permission.

In addition, Hawsec’s report documents four other vulnerabilities. The most notable is CVE-2021-31601, issued a CVSS score of 7.1 (high), which allows low-privilege attackers to extract configuration data from the application due to insufficient access controls.

Hawsec also reported CVE-2021-31602 (CVSS 5.3) and CVE-2021-34685 (CVSS 2.7), an authentication bypass related to Spring API endpoints and a filename restriction bypass, respectively.

Mitigations

The researchers also found another bug, which has not been assigned a CVE identifier, that could allow low-privilege users to extract lists of application users from the platform’s Jackrabbit User Repository.

Hawsec has provided the vendor with remediation options which can be found in the document.

A spokesperson for Hitachi Vantara told The Daily Swig: “I can confirm we worked closely with the researchers mentioned, and addressed in the June 2021 release of Pentaho 9.2 five critical and medium vulnerabilities they highlighted.

“The remaining low-severity (CVSS 2.7) issue (CVE-2021-34685) will also be addressed in the next release of Pentaho, which we expect to make available this month. We encourage all customers under license to update their software to Pentaho 9.2.”

The Daily Swig has reached out to Hawsec and will update as and when we hear back.

This article has been updated to include comment.
