LUMADA

Customer Portal

Introducing Lumada DataOps Suite

Innovate with Data: Lumada simplifies data management with automation and collaboration.

With Lumada, you can: Gain 360-degree views of your customers, products and assets.

Streamline your business operations and take out cost, and meet stringent compliance demands.

(Resolved) Pentaho BA Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')  – Versions before 9.4.0.1 and 9.3.0.2, including 8.3.x Impacted (CVE-2022-43938)

Overview 

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. (CWE-96)

 

Products Affected 

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x impacted.

 

Description 

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager. 

 

Impact 

An authenticated user with sufficient publishing privileges can embed scripts and run arbitrary code on the host. By default, there is no option to prevent the script manager from executing the included scripts. 

 

Action  

We recommend you upgrade to Hitachi Vantara Pentaho Business Analytics Server version 9.3 (Long Term Support Release) with 9.3.0.2 or newer applied, or the latest 9.4 release with 9.4.0.1 or newer.

Please review the Pentaho End-of-Life policy to ensure you are up to date.

 


Internal Notes: (Non Customer View-able - Non Confidential)

This issue is logged under JIRA PPP-4793

Comments