Critical bugs have been unearthed in Hitachi Vantara’s Pentaho Business Analytics software, a report has warned.
A penetration test report, finalized on April 4 and cleared for public release on October 10, revealed a number of security issues in version 9.1.00 of the software on the Windows 64-bit operating system.
Pentaho Business Analytics (BA) is an analytics platform for Big Data management. The enterprise solution is designed to discover, analyze, and visualize data across channels including databases, social media, cloud repositories, and NoSQL systems. BA can be deployed either on-premises or in the cloud.
The pen test was performed by Hawsec. The company says the security assessment was focused on the examination of “functional as well as source code aspects (where such code could be obtained, e.g., through decompilation), and [to] identify potential vulnerabilities that could compromise the security of the application and its underlying system”.
The report (PDF), authored by Hawsec CEO Alberto Favero and cybersecurity researcher Altion Malka, outlines a total of six vulnerabilities, two of which are deemed critical and managed to achieve incredibly high CVSS scores of 9.9 and 9.8, respectively.
Findings
The first and most serious vulnerability of note is a remote code execution (RCE) flaw. Tracked as CVE-2021-31599 (with a CVSS score of 9.9), the bug allows low-privilege users to execute arbitrary code on a vulnerable system by deploying a crafted, malicious Pentaho Report Bundle.
The second critical bug, CVE-2021-34684 (CVSS 9.8), is an unauthenticated SQL injection issue found in BA’s query functionality. Unauthenticated users could exploit the flaw by executing arbitrary SQL queries on Pentaho data sources, thereby retrieving information from related databases without permission.
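The report gives no detail of how the query functionality builds its SQL, so the following is an added illustration of the bug class only, not Pentaho's code and not the exploit described in the report. It uses a constructed in-memory SQLite table and shows the same lookup written twice: once by string concatenation, where a tautology in the input widens the result set past the intended `public = 1` filter, and once with a bound parameter, where the same input is treated as a literal string. It also shows the allowlist check that is needed when a user may choose an identifier (table or data-source name), since bound parameters cannot stand in for identifiers. All names here (`products`, `lookup_vulnerable`, `lookup_hardened`, `select_from_allowed_table`) are hypothetical.

```python
import sqlite3

# Constructed sample data: a tiny "data source" with one non-public row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "secret-plan", 0)],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Defect: user input is spliced into the query text, so quotes and
    # operators in `name` become part of the SQL grammar.
    sql = f"SELECT id, name FROM products WHERE public = 1 AND name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    # Fix: the value travels as a bound parameter and can only ever be a string
    # compared against `name`; it cannot alter the WHERE clause.
    sql = "SELECT id, name FROM products WHERE public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Identifiers (table or data-source names) cannot be bound as parameters, so a
# user-selectable identifier must be checked against a fixed allowlist instead.
ALLOWED_TABLES = frozenset({"products"})

def select_from_allowed_table(conn, table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

# Constructed input: a classic tautology. In the concatenated query the
# trailing OR '1'='1' is evaluated outside the AND, so every row matches.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # all 3 rows, incl. non-public
    print("hardened:  ", lookup_hardened(db, PAYLOAD))     # []
    print("by name:   ", lookup_hardened(db, "widget"))    # [(1, 'widget')]
```

The `public = 1` predicate stands in for whatever authorization filter a query endpoint applies; the point of the vulnerable variant is that the filter is bypassed by the input rather than by any separate authentication weakness, which is why an unauthenticated SQL injection in a query endpoint reaches data the caller was never meant to see.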
In addition, Hawsec’s report documents four other vulnerabilities. The most notable is CVE-2021-31601, issued a CVSS score of 7.1 (high), which allows low-privilege attackers to extract configuration data from the application due to insufficient access controls.
Hawsec also reported CVE-2021-31602 (CVSS 5.3) and CVE-2021-34685 (CVSS 2.7), an authentication bypass related to Spring API endpoints and a filename restriction bypass, respectively.
The researchers also found another bug – which has not been issued a CVE tracker – that could allow low-privilege users to extract lists of application users from the platform’s Jackrabbit User Repository.
Mitigations
Hawsec has provided the vendor with remediation options, which can be found in the document.
The Daily Swig has reached out to Hawsec and Hitachi Vantara and we will update as and when we hear back.
Source: https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software