Remote code execution, SQL injection bugs uncovered in Pentaho Business Analytics software

0

Get real time updates directly on you device, subscribe now.


Related Posts

Penetration test reveals severe issues in Hitachi Vantara’s business solution

Critical bugs have been unearthed in Hitachi Vantara’s Pentaho Business Analytics software, a report has warned.

A penetration test report, finalized on April 4 and cleared for public release on October 10, revealed a number of security issues in version 9.1.00 of the software on the Windows 64-bit operating system.

Pentaho Business Analytics (BA) is an analytics platform for Big Data management. The enterprise solution is designed to discover, analyze, and visualize data across channels including databases, social media, cloud repositories, and NoSQL systems. BA can be deployed either on-premesis or in the cloud.

Read more of the latest news about security vulnerabilities

The pen test was performed by Hawsec. The company says the security assessment was focused on the examination of “functional as well as source code aspects (where such code could be obtained, e.g, through decompilation), and [to] identify potential vulnerabilities that could compromise the security of the application and its underlying system”.

The report (PDF), authored by Hawsec CEO Alberto Favero and cybersecurity researcher Altion Malka, outlines a total of six vulnerabilities, two of which are deemed critical and managed to achieve incredibly high CVSS scores of 9.9 and 9.8, respectively.

Findings

The first and most serious vulnerability of note is a remote code execution (RCE) flaw. Tracked as CVE-2021-31599 (with a CVSS score of 9.9), the bug allows low-privilege users to execute arbitrary code on a vulnerable system by deploying a crafted, malicious Pentaho Report Bundle.

The second critical bug, CVE-2021-34684 (CVSS 9.8), is an unauthenticated SQL injection issue found in BA’s query functionality. Unauthenticated users could exploit the flaw by executing arbitrary SQL queries on Pentaho data sources, thereby retrieving information from related databases without permission.

In addition, Hawsec’s report documents four other vulnerabilities. The most notable is CVE-2021-31601, issued a CVSS score of 7.1 (high), which allows low-privilege attackers to extract configuration data from the application due to insufficient access controls.

Hawsec also reported CVE-2021-31602 (CVSS 5.3) and CVE-2021-34685 (CVSS 2.7), an authentication bypass related to Spring API endpoints and a filename restriction bypass, respectively.

Mitigations

The researcher also found another bug – which has not been issued a CVE tracker – that could allow low-privilege users to extract lists of application users from the platform’s Jackrabbit User Repository.

Hawsec has provided the vendor with remediation options which can be found in the document.

The Daily Swig has reached out to Hawsec and Hitachi Vantara and we will update as and when we hear back.

YOU MAY LIKE Mozilla debuts Site Isolation technology with Firefox update



Source link

Get real time updates directly on you device, subscribe now.

You might also like
Leave A Reply

Your email address will not be published.