Researchers disclosed Six critical vulnerabilities on Pentaho Business Analytics software whose CVSS score has been calculated from 2.7 to 9.9. According to the report, threat actors can leverage these vulnerabilities to carry out serious attacks like arbitrary data upload, arbitrary code execution, remote code execution through Report Bundles, authentication bypass, and Unauthenticated SQL Injection. Let’s see how to fix these critical vulnerabilities found in Pentaho Business Analytics software.
About Pentaho Business Analytics Software:
Pentaho is now part of the Lumada DataOps Suite. The suite of products is open and modular to deliver AI-driven automation and collaboration and includes: Lumada Analytics, Lumada Data Integration, Lumada Data Catalog, Lumada Data Optimizer for Hadoop, and Lumada Edge Intelligence. Lumada is built with Pentaho technology that includes Pentaho Business Analytics and Pentaho Data Integration.
Pentaho is a suite, which is made up of multiple application components. Pentaho Data Integration and Business Analytics are the prominent ones among the other components. It enables organizations to access, prepare, and analyze all data from any source. Pentaho Data Integration (PDI) is made to extract data from complex and heterogeneous sources and normalize it to a relational database to store and correlate with existing data. Pentaho Business Analytics is software that provides a modern, highly interactive, and intuitive web-based interface to discover, explore, analyze the data in multiple dimensions.
Summary Of Critical Vulnerabilities Found In Pentaho Business Analytics Software:
|CVE IDs||CVSS Scores||Description|
|CVE-2021-31599||CVSS score: 9.9||Remote Code Execution through Pentaho Report Bundles|
|CVE-2021-34684||CVSS score: 9.8||Unauthenticated SQL Injection|
|CVE-2021-31601||CVSS score: 7.1||Insufficient Access Control of Data Source Management|
|CVE-2021-31602||CVSS score: 5.3||Authentication Bypass of Spring APIs|
|CVE-2021-31600||CVSS score: 4.3||Jackrabbit User Enumeration|
|CVE-2021-34685||CVSS score: 2.7||Bypass of Filename Extension Restrictions|
Versions Affected With These Vulnerabilities:
According to researchers Alberto Favero from Hawsec and Altion Malka from Census Labs, these vulnerabilities affect Pentaho Business Analytics versions 9.1 and lower.
Negative Implications Of These Vulnerabilities:
These vulnerabilities allow authenticated users to run malicious code on the host server and exfiltrate sensitive data by uploading and running Pentaho Report Bundles. In addition to these, these vulnerabilities will also help adversaries to circumvent filename extension restrictions and upload files of any type.
Moreover, these vulnerabilities would also let low-privilege authenticated attackers harvest credentials and connection details of all the data sources and let unauthenticated users retrieve data from the backend database by successful SQL injection attacks.
How To Fix Critical Vulnerabilities Found In Pentaho Business Analytics?
In response to these vulnerabilities, The Vendor has patched these vulnerabilities in version 9.2. Update your Pentaho Business Analytics to the latest version.
We hope this post would help you in fixing critical vulnerabilities found in Pentaho Business Analytics Software. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.