
hitachi-sec-2021-603 : Multiple Vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server

Last Update: November 10, 2021

1. Overview

Multiple vulnerabilities have been found in Hitachi Vantara Pentaho Business Analytics Server.

CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. A report (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can use such a script to run arbitrary code on the host.

CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C [9.0]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8]
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CVE-2021-34684: Unauthenticated SQL Injection
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. It allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.

CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]
CWE-89: SQL Injection

CVE-2021-31601: Insufficient Access Control of Data Source Management
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. The server implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all database connection details and credentials in clear text.

CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:P/A:N [7.5]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N [7.1]
CWE-319: Cleartext Transmission of Sensitive Information

CVE-2021-31602: Authentication Bypass of Spring APIs
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N [5.0]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3]
CWE-285: Improper Authorization

Jackrabbit User Enumeration
CVE-2021-31600 is described as an issue in Hitachi Vantara Pentaho Business Analytics Server. This is a product feature, not a vulnerability.

Hitachi Vantara Pentaho Business Analytics Server implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user can list all valid usernames. This is a fundamental permissions service that allows a particular authenticated user to access content generated by another authenticated user. The key point is that the user must be authenticated: the information is not provided to unauthenticated users. This is a feature of the Pentaho product, and customers do make use of it.

CVE-2021-34685: Bypass of Filename Extension Restrictions
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.2 and 8.3.0.25. UploadService does not properly verify uploaded files, which allows an authenticated user to upload files of types that should be rejected. Specifically, a .jsp file is not allowed, but a .jsp. file (trailing dot) is allowed, and this leads to remote code execution.

CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N [3.5]
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N [2.7]
CWE-434: Unrestricted Upload of File with Dangerous Type
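The trailing-dot bypass described for CVE-2021-34685 is a general weakness of extension checks that look only at the text after the last dot. The following is an added illustration, not Pentaho's UploadService code: the allow-list, deny-list, function names and sample file names are assumptions made for the example. It shows the weak deny-list check passing "report.jsp." beside a hardened check that normalizes the name first (trailing dots and spaces are discarded by some file systems, Windows among them, when the file is created) and then applies an allow-list to every extension component.

```python
"""Trailing-dot extension bypass of the kind described for CVE-2021-34685.

Added illustration, not Pentaho's UploadService code. The allow/deny lists,
function names and sample file names are assumptions made for the example.
"""

# Hypothetical deny-list that a naive upload filter might use.
BLOCKED_EXTENSIONS = {"jsp", "jspx", "jspf", "war", "jar"}
# Hypothetical allow-list for the hardened check (what a report server might accept).
ALLOWED_EXTENSIONS = {"csv", "xls", "xlsx", "pdf", "png", "jpg", "prpt"}


def weak_is_allowed(filename: str) -> bool:
    """Deny-list check on the text after the last dot.

    'report.jsp' is rejected, but 'report.jsp.' has an empty final extension,
    so it passes. If the storage layer (Windows file names, for instance) then
    drops the trailing dot, the server ends up holding report.jsp.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Reduce a client-supplied name to a bare file name before any checks."""
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    # Keep only the last path component, whatever separator the client used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots and spaces are discarded by some file systems when the file
    # is created, so strip them before looking at the extension.
    return name.strip().rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Allow-list check on a normalized name, rejecting blocked extensions anywhere."""
    name = normalize_filename(filename)
    if not name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:  # no extension at all
        return False
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    # Reject double extensions such as 'shell.jsp.csv' as well.
    return not any(p in BLOCKED_EXTENSIONS for p in parts[1:])


if __name__ == "__main__":
    # Constructed sample names, including the bypass from the advisory.
    for name in ["report.jsp", "report.jsp.", "report.csv", "shell.jsp.csv", "..\\..\\x.csv"]:
        print(f"{name!r:22} weak={weak_is_allowed(name)!s:5} hardened={hardened_is_allowed(name)}")
```

The point of the hardened version is ordering: normalize to what the file system will actually store, then decide, and decide with an allow-list rather than a deny-list so that an extension the filter never heard of is rejected by default.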

2. Affected Systems

CVE-2021-31599, CVE-2021-34684, CVE-2021-31601 and CVE-2021-31602

  • Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:9.2.0.0" }}}
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:9.1.0.8" }}}
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.23" }}}

CVE-2021-34685

  • Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.2 and 8.3.0.25
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:9.2.0.2" }}}
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.25" }}}
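The fixed versions in this section are given per maintenance branch (9.2.x, 9.1.x and 8.3.x), so "prior to 9.2.0.0, 9.1.0.8 and 8.3.0.23" has to be read branch by branch: 9.1.0.9 is not affected even though it is numerically below 9.2.0.0. The following added example, not part of the advisory, implements that reading as a check an administrator can run against an installed version string. Its one assumption, stated in the code, is that a branch with no listed fix (for example 9.0.x, or 9.1.x for CVE-2021-34685) is treated as affected when it is older than the newest listed fix.

```python
"""Branch-aware check of an installed version against the fixed versions in section 2.

Added illustration, not part of the advisory. The advisory gives one fixed
version per maintenance branch (9.2.x, 9.1.x, 8.3.x); this code assumes that a
version is affected when it is older than the fix for its own major.minor
branch, and that a branch with no listed fix is affected when it is older than
the newest listed fix (the literal reading of 'prior to 9.2.0.0').
"""

# Fixed versions exactly as listed in section 2.
FIXED_VERSIONS = {
    "CVE-2021-31599": ("9.2.0.0", "9.1.0.8", "8.3.0.23"),
    "CVE-2021-34684": ("9.2.0.0", "9.1.0.8", "8.3.0.23"),
    "CVE-2021-31601": ("9.2.0.0", "9.1.0.8", "8.3.0.23"),
    "CVE-2021-31602": ("9.2.0.0", "9.1.0.8", "8.3.0.23"),
    "CVE-2021-34685": ("9.2.0.2", "8.3.0.25"),
}


def parse_version(version: str) -> tuple:
    """'9.1.0.8' -> (9, 1, 0, 8); shorter strings are right-padded with zeros."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(installed: str, fixed_versions) -> tuple:
    """Return (affected, reason) for one CVE's list of fixed versions."""
    inst = parse_version(installed)
    same_branch = [f for f in fixed_versions if parse_version(f)[:2] == inst[:2]]
    if same_branch:
        fix = max(same_branch, key=parse_version)
        if inst < parse_version(fix):
            return True, f"{installed} is older than the fix for its branch ({fix})"
        return False, f"{installed} includes the fix for its branch ({fix})"
    # Assumption: no fix listed for this branch, so fall back to the newest fix overall.
    newest = max(fixed_versions, key=parse_version)
    if inst < parse_version(newest):
        return True, f"no fix listed for branch {inst[0]}.{inst[1]}; older than {newest}, treat as affected"
    return False, f"{installed} is newer than every listed fixed version"


def report(installed: str) -> dict:
    """Map each CVE in this advisory to whether the installed version is affected."""
    return {cve: is_affected(installed, fixes)[0] for cve, fixes in FIXED_VERSIONS.items()}


if __name__ == "__main__":
    import sys

    version = sys.argv[1] if len(sys.argv) > 1 else "9.1.0.7"  # constructed default
    for cve, affected in report(version).items():
        reason = is_affected(version, FIXED_VERSIONS[cve])[1]
        print(f"{cve}: {'AFFECTED' if affected else 'fixed'} - {reason}")
```

Run it as `python check.py 8.3.0.24` to see the split the advisory implies: that version carries the fixes for the first four CVEs but not for CVE-2021-34685.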

3. Impact

These vulnerabilities allow a remote user to execute arbitrary code, run arbitrary SQL queries against Pentaho data sources, or obtain data source credentials.

4. Solution

Users and administrators are encouraged to upgrade to a fixed version (see section 2 for the versions that fix each CVE).

6. Update history

November 10, 2021
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)