November 2, 2021

Fix Critical Vulnerabilities Found In Pentaho Business Analytics Software

Researchers disclosed six critical vulnerabilities in Pentaho Business Analytics software, with CVSS scores ranging from 2.7 to 9.9. According to the report, threat actors can leverage these vulnerabilities to carry out serious attacks, including arbitrary data upload, arbitrary code execution, remote code execution through Report Bundles, authentication bypass, and unauthenticated SQL injection. Let's see how to fix these critical vulnerabilities found in Pentaho Business Analytics software.

About Pentaho Business Analytics Software:

Pentaho is now part of the Lumada DataOps Suite. The suite of products is open and modular to deliver AI-driven automation and collaboration and includes: Lumada Analytics, Lumada Data Integration, Lumada Data Catalog, Lumada Data Optimizer for Hadoop, and Lumada Edge Intelligence. Lumada is built with Pentaho technology that includes Pentaho Business Analytics and Pentaho Data Integration.

Pentaho is a suite made up of multiple application components, of which Pentaho Data Integration and Pentaho Business Analytics are the most prominent. It enables organizations to access, prepare, and analyze data from any source. Pentaho Data Integration (PDI) is built to extract data from complex and heterogeneous sources and normalize it into a relational database, where it is stored and correlated with existing data. Pentaho Business Analytics provides a modern, highly interactive, and intuitive web-based interface to discover, explore, and analyze data across multiple dimensions.

Summary Of Critical Vulnerabilities Found In Pentaho Business Analytics Software:

CVE ID           CVSS score   Description
CVE-2021-31599   9.9          Remote Code Execution through Pentaho Report Bundles
CVE-2021-34684   9.8          Unauthenticated SQL Injection
CVE-2021-31601   7.1          Insufficient Access Control of Data Source Management
CVE-2021-31602   5.3          Authentication Bypass of Spring APIs
CVE-2021-31600   4.3          Jackrabbit User Enumeration
CVE-2021-34685   2.7          Bypass of Filename Extension Restrictions

Versions Affected With These Vulnerabilities:

According to researchers Alberto Favero from Hawsec and Altion Malka from Census Labs, these vulnerabilities affect Pentaho Business Analytics versions 9.1 and lower. 

Negative Implications Of These Vulnerabilities:

These vulnerabilities allow authenticated users to run malicious code on the host server and exfiltrate sensitive data by uploading and running Pentaho Report Bundles. They also let adversaries circumvent filename extension restrictions and upload files of any type.

Moreover, these vulnerabilities would also let low-privilege authenticated attackers harvest credentials and connection details of all the data sources and let unauthenticated users retrieve data from the backend database by successful SQL injection attacks.

How To Fix Critical Vulnerabilities Found In Pentaho Business Analytics?

In response to these vulnerabilities, the vendor has patched them in version 9.2. Update your Pentaho Business Analytics installation to the latest version.
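The only remediation the advisory gives is a version boundary: 9.1 and lower are affected, 9.2 carries the fix. As an added example (not code from the original post or from the vendor), the following Python helper applies that boundary to a constructed host inventory so that an administrator can quickly list the deployments that still need the update. The hostnames, version strings, and function names are assumptions; the version format mimics the dotted "major.minor.patch.build-suffix" style but is constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# From the advisory: Pentaho Business Analytics 9.1 and lower are affected;
# the vendor fix shipped in 9.2.
FIXED_VERSION = (9, 2)

# Capture only the leading dotted numeric prefix; build suffixes are ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric components of a version string such as "9.1.0.0-324".

    Anything after the dotted numeric prefix (e.g. a "-324" build suffix) is
    dropped, since only major.minor matters against the fixed release.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the installed major.minor is below the fixed 9.2 release."""
    major_minor = parse_version(version)[:2]
    # A bare "9" is treated as 9.0 so it still compares against (9, 2).
    major_minor = major_minor + (0,) * (2 - len(major_minor))
    return major_minor < FIXED_VERSION


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose Pentaho version still predates the 9.2 fix."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("bi-prod-01.example.internal", "9.1.0.0-324"),
    ("bi-prod-02.example.internal", "9.2.0.0-290"),
    ("bi-dev-01.example.internal", "8.3.0.0-371"),
    ("bi-lab-01.example.internal", "9.3.0.0-428"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: update Pentaho Business Analytics to 9.2 or later")
```

Feed `triage_inventory` the output of whatever asset inventory you already keep (hostname plus installed version) and the returned list is the patch backlog for this advisory; the comparison deliberately looks only at major.minor, because the advisory itself states the boundary at that granularity.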

We hope this post helps you fix the critical vulnerabilities found in Pentaho Business Analytics Software. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
