hitachi-sec-2021-603 : Multiple Vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server

Last Update: November 10, 2021

    1. Overview


    Multiple vulnerabilities have been found in Hitachi Vantara Pentaho Business Analytics Server.

     

    CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles
    An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. A report (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code on the host.

     

    CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C [9.0]
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8]
    CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

     

    CVE-2021-34684: Unauthenticated SQL Injection
    An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. It allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.

     

    CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]
    CWE-89: SQL Injection

     

    CVE-2021-31601: Insufficient Access Control of Data Source Management
    An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. The server implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all database connection details and credentials in clear text.

    CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:P/A:N [7.5]
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N [7.1]
    CWE-319: Cleartext Transmission of Sensitive Information

     

    CVE-2021-31602: Authentication Bypass of Spring APIs
    An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

     

    CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N [5.0]
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3]
    CWE-285: Improper Authorization

     

    Jackrabbit User Enumeration
    CVE-2021-31600 is described as an issue in Hitachi Vantara Pentaho Business Analytics Server. This is a feature of the product, not a vulnerability.

    Hitachi Vantara Pentaho Business Analytics Server implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user can list all valid usernames. This is a fundamental permissions service that allows a particular authenticated user to access content generated by another authenticated user. The focus here should be on the word authenticated: the information is not provided to any user. This is a feature of the Pentaho product, and customers do take advantage of it.

     

    CVE-2021-34685: Bypass of Filename Extension Restrictions
    An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.2 and 8.3.0.25. UploadService does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).

     

    CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N [3.5]
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N [2.7]
    CWE-434: Unrestricted Upload of File with Dangerous Type
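    The CVE-2021-34685 entry describes the classic failure of an extension check that only looks at the text after the last dot: "report.jsp." has an empty last extension yet may be stored as "report.jsp" once the trailing dot is dropped. As an added example, not Pentaho's own code, the following Python contrasts such a weak denylist check with a hardened allowlist check on the canonicalised name; the extension lists are constructed for illustration.

```python
# Added example (not Pentaho's code): weak vs. hardened upload-filename
# extension checks, illustrating the CVE-2021-34685 class of bypass.
import unicodedata

# Constructed lists for illustration; a deployment would tune them.
BLOCKED_EXTENSIONS = {"jsp", "jspx", "jspf", "jar", "war"}
ALLOWED_EXTENSIONS = {"prpt", "xaction", "csv", "xml", "txt", "png"}


def naive_is_blocked(filename: str) -> bool:
    """Weak check: denylist on the text after the last dot, as uploaded.
    'report.jsp.' has an empty last extension and is therefore accepted,
    even though the filesystem or servlet container may strip the trailing
    dot and store the file as 'report.jsp'."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext.lower() in BLOCKED_EXTENSIONS


def canonical_name(filename: str) -> str:
    """Reduce the uploaded name to what will actually land on disk:
    Unicode-normalised, path components removed, trailing dots and
    spaces stripped (as Windows and several containers do)."""
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the canonical name. Every dotted segment after
    the base name is inspected, so 'report.jsp.', 'report.jsp.txt' and
    'report.JSP ' are rejected, while 'report.prpt' passes."""
    if any(ord(c) < 0x20 for c in filename):
        return False  # NUL or other control characters: reject outright
    parts = canonical_name(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dot-file such as '.htaccess'
    if any(seg in BLOCKED_EXTENSIONS for seg in parts[1:]):
        return False  # dangerous type hidden in a double extension
    return parts[-1] in ALLOWED_EXTENSIONS


def classify(filename: str) -> dict:
    """Side-by-side verdicts of both checks for one uploaded name."""
    return {"naive_accepts": not naive_is_blocked(filename),
            "hardened_accepts": hardened_is_allowed(filename)}


if __name__ == "__main__":
    for name in ["report.prpt", "report.jsp", "report.jsp.", "report.jsp.txt"]:
        print(f"{name!r:18} {classify(name)}")
```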

    2. Affected Systems


    CVE-2021-31599, CVE-2021-34684, CVE-2021-31601 and CVE-2021-31602

     

    • Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23
      { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:9.2.0.0" }}}
      { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:9.1.0.8" }}}
      { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.23" }}}

     

    CVE-2021-34685

     

    • Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.2 and 8.3.0.25
      { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:9.2.0.2" }}}
      { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.25" }}}

    3. Impact


    These vulnerabilities allow remote users to execute arbitrary code or to expose credentials.

    4. Solution


    Users and administrators are encouraged to upgrade to a fixed version.

     

    Data Management and Analytics
    https://www.hitachivantara.com/en-us/products/data-management-analytics.html

     

    Critical Flaws Uncovered in Pentaho article - Known issues explained (November 03, 2021)
    https://support.pentaho.com/hc/en-us/articles/4412571688077--Critical-Flaws-Uncovered-in-Pentaho-article-Known-issues-explained

    5. References


    5.1 Vulnerability Enumeration

    5.2 Related

    6. Update history


    November 10, 2021

    • This webpage was newly created and published.

    Masato Terada (HIRT) and Naoko Ohnishi (HIRT)