Fix Critical Vulnerabilities Found in Pentaho Business Analytics Software

Researchers disclosed six critical vulnerabilities in Pentaho Business Analytics software, with CVSS scores ranging from 2.7 to 9.9. According to the report, threat actors can leverage these vulnerabilities to carry out serious attacks such as arbitrary data upload, arbitrary code execution, remote code execution through Report Bundles, authentication bypass, and unauthenticated SQL injection. Let's see how to fix these critical vulnerabilities found in Pentaho Business Analytics software.

About Pentaho Business Analytics Software:

Pentaho is now part of the Lumada DataOps Suite. The suite is open and modular, built to deliver AI-driven automation and collaboration, and includes Lumada Analytics, Lumada Data Integration, Lumada Data Catalog, Lumada Data Optimizer for Hadoop, and Lumada Edge Intelligence. Lumada is built on Pentaho technology, which includes Pentaho Business Analytics and Pentaho Data Integration.

Pentaho is a suite made up of multiple application components, of which Pentaho Data Integration and Pentaho Business Analytics are the most prominent. It enables organizations to access, prepare, and analyze data from any source. Pentaho Data Integration (PDI) extracts data from complex and heterogeneous sources and normalizes it into a relational database, where it is stored and correlated with existing data. Pentaho Business Analytics provides a modern, highly interactive, and intuitive web-based interface to discover, explore, and analyze that data across multiple dimensions.

Summary Of Critical Vulnerabilities Found In Pentaho Business Analytics Software:

CVE ID           CVSS Score   Description
CVE-2021-31599   9.9          Remote Code Execution through Pentaho Report Bundles
CVE-2021-34684   9.8          Unauthenticated SQL Injection
CVE-2021-31601   7.1          Insufficient Access Control of Data Source Management
CVE-2021-31602   5.3          Authentication Bypass of Spring APIs
CVE-2021-31600   4.3          Jackrabbit User Enumeration
CVE-2021-34685   2.7          Bypass of Filename Extension Restrictions

Versions Affected With These Vulnerabilities:

According to researchers Alberto Favero from Hawsec and Altion Malka from Census Labs, these vulnerabilities affect Pentaho Business Analytics versions 9.1 and lower. 

Negative Implications Of These Vulnerabilities: 

These vulnerabilities allow authenticated users to run malicious code on the host server and exfiltrate sensitive data by uploading and running Pentaho Report Bundles. They also let adversaries circumvent filename extension restrictions and upload files of any type.

Moreover, they let low-privileged authenticated attackers harvest the credentials and connection details of all configured data sources, and let unauthenticated users retrieve data from the backend database through SQL injection.

How To Fix Critical Vulnerabilities Found In Pentaho Business Analytics?

In response to these findings, the vendor has patched these vulnerabilities in version 9.2. Update your Pentaho Business Analytics installation to the latest version.

We hope this post will help you in fixing the critical vulnerabilities found in Pentaho Business Analytics Software. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
