Hitachi Vantara Pentaho Customer Portal

Security Vulnerability Announcement Feb 2015

ID: PPP-3381

Project: Core Platform


4.3.x GA PDI - Suite

4.4.x GA PDI - Suite

4.5.x GA BA Suite

4.8.x GA BA Suite

5.0.x GA BA Suite and PDI - Suite

5.1.x GA BA Suite and PDI - Suite

5.2.x GA BA Suite and PDI - Suite

Date: 02/15/2015



The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Of particular concern are .properties files, which may contain passwords.

The servlet serves files with the following extensions:

  • .xsl
  • .mondrian.xml
  • .jpg
  • .jpeg
  • .gif
  • .bmp
  • .properties
  • .jar

The vulnerability allows unauthenticated access to properties files in the system solution, including properties files that contain passwords. The offending code was heavily used by the previous version of the web UI but has since been deprecated and is now used only by the old, deprecated JPivot plugin.

For example, files under the system folder can be retrieved without authentication using a URL of the following form: http://localhost:8080/pentaho/GetResource?resource=system/
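The following is an added detection example written for this advisory; it is not Pentaho code. It scans web server access log lines (Apache/Tomcat combined format is assumed) for GetResource requests whose `resource` parameter points into the `system/` solution folder with one of the extensions listed above, and flags those that were served (2xx) with no authenticated user in the log. The sample log lines, file names, client addresses and severity labels are all constructed for the example. It also normalises `..` segments in the parameter so a request that reaches `system/` indirectly is still matched, which goes beyond the literal URL shown above.

```python
"""Detect unauthenticated GetResource reads of pentaho-solutions/system.

Added example, not Pentaho code. Log format, sample lines, file names and
severity labels are assumptions made here for illustration.
"""
import re
from posixpath import normpath
from urllib.parse import parse_qs, urlsplit

# Extensions the advisory says GetResource serves.
SERVED_EXTENSIONS = (".xsl", ".mondrian.xml", ".jpg", ".jpeg", ".gif", ".bmp",
                     ".properties", ".jar")
# The extension the advisory singles out (credentials in properties files).
SENSITIVE_EXTENSIONS = (".properties",)

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; paths and file names are placeholders, not real files.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Feb/2015:10:01:02 +0000] "GET /pentaho/GetResource?resource=system/example.properties HTTP/1.1" 200 812',
    '203.0.113.7 - - [15/Feb/2015:10:01:03 +0000] "GET /pentaho/GetResource?resource=system%2F..%2Fsystem%2Fexample.properties HTTP/1.1" 200 812',
    '198.51.100.4 - admin [15/Feb/2015:10:02:00 +0000] "GET /pentaho/GetResource?resource=system/images/logo.gif HTTP/1.1" 200 1422',
    '198.51.100.4 - - [15/Feb/2015:10:02:05 +0000] "GET /pentaho/GetResource?resource=system/images/logo.gif HTTP/1.1" 200 1422',
    '198.51.100.9 - - [15/Feb/2015:10:03:00 +0000] "GET /pentaho/GetResource?resource=demo/report.xsl HTTP/1.1" 200 200',
    '198.51.100.9 - - [15/Feb/2015:10:03:01 +0000] "GET /pentaho/Home HTTP/1.1" 302 0',
    '198.51.100.9 - - [15/Feb/2015:10:04:01 +0000] "GET /pentaho/GetResource?resource=system/example.properties HTTP/1.1" 403 0',
]


def classify_target(target):
    """Return (severity, resource) for a request target, or None if it is not GetResource.

    "high"   : a .properties file under system/ (the case the advisory describes)
    "medium" : any other served extension under system/
    "low"    : a GetResource request that does not resolve into system/
    Matching is case-insensitive on purpose: a detection should cast a wider
    net than the servlet's own extension check.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/GetResource"):
        return None
    resource = parse_qs(parts.query).get("resource", [""])[0]
    if not resource:
        return "low", ""
    # Collapse "./" and "../" so system/../system/x is seen as system/x.
    resource = normpath(resource).lstrip("/")
    lower = resource.lower()
    in_system = lower == "system" or lower.startswith("system/")
    if in_system and lower.endswith(SENSITIVE_EXTENSIONS):
        return "high", resource
    if in_system and lower.endswith(SERVED_EXTENSIONS):
        return "medium", resource
    return "low", resource


def scan_log(lines):
    """Return findings for GetResource requests served (2xx) with no logged user."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_target(m.group("target"))
        if hit is None:
            continue
        severity, resource = hit
        status = int(m.group("status"))
        # A "-" user field means the container logged no authenticated principal.
        if 200 <= status < 300 and m.group("user") == "-":
            findings.append({"ip": m.group("ip"), "resource": resource,
                             "severity": severity, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['resource']}")
```

Run against the constructed sample, the scan reports the two unauthenticated reads of `system/example.properties` (including the one that reaches it via `..`) as high, the unauthenticated `.gif` under `system/` as medium, and the read outside `system/` as low; the request made by an authenticated user and the 403 are not reported. The 2xx-and-no-user condition is what separates the exposure described in this advisory from ordinary JPivot traffic, so a patched server should produce no high or medium findings from this scan.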

Versions Affected

4.3.x GA PDI - Suite

4.4.x GA PDI - Suite

4.5.x GA BA Suite

4.8.x GA BA Suite

5.0.x - 5.2.x GA BA Suite and PDI Suite




Apply the patches listed below to each of your servers at the location described:

  • Download the appropriate .jar file for your version of the DI and BI Platform.
  • Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers.
  • Restart each of your servers.

Please note:

SPA9-xxxx- works for both 4.3.x GA PDI - Suite and 4.5.x GA BI - Suite

SPA9_xxxx- works for both 4.4.x GA PDI - Suite and 4.8.x GA BI - Suite

SPA9_xxxx-5.x-patch.jar works for all 5.x Versions


Pentaho thanks security researcher Gregory Draperi for bringing this to our attention.
