Hitachi Vantara Pentaho Customer Portal

Security Vulnerability Announcement Feb 2015

ID: PPP-3381

Project: Core Platform

Version:

  • 4.3.x GA PDI - Suite
  • 4.4.x GA PDI - Suite
  • 4.5.x GA BA Suite
  • 4.8.x GA BA Suite
  • 5.0.x GA BA Suite and PDI - Suite
  • 5.1.x GA BA Suite and PDI - Suite
  • 5.2.x GA BA Suite and PDI - Suite

Date: 02/15/2015

Risk: CRITICAL

Vulnerability

The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. The properties files in that folder are of particular concern because they may reveal passwords.

The servlet allows access to files with the following extensions:

  • .xsl
  • .mondrian.xml
  • .jpg
  • .jpeg
  • .gif
  • .bmp
  • .properties
  • .jar

The vulnerability allows unauthenticated access to properties files in the system solution, including properties files that contain passwords. The offending code was used heavily by the previous version of the web UI; it has since been deprecated and is now used only by the old, deprecated JPivot plugin.

For example, the defaultUser.spring.properties file can be retrieved without authentication at the following URL: http://localhost:8080/pentaho/GetResource?resource=system/defaultUser.spring.properties
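The request pattern above is easy to spot in the Tomcat access log of an exposed server, both to find out whether the servlet was abused before the patch was applied and to confirm that such requests are rejected afterwards. The following detection helper is an added example, not code from Pentaho or from this advisory: it parses access-log lines in Tomcat's common/combined format, extracts the `resource` parameter of GetResource calls, and grades them using the extension list given above. The sample log lines, client addresses and the `reports/sample.mondrian.xml` and `system/logo.gif` resource names are constructed for the example; the log format and the `system/` prefix rule are assumptions about a typical deployment.

```python
"""Flag GetResource requests for the file types named in this advisory.

Added example for CVE-2015-6940; not part of the Pentaho platform code.
Sample log lines below are constructed, in Tomcat common/combined format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Extensions the advisory says the servlet serves without authentication.
SERVED_EXTENSIONS = (".xsl", ".mondrian.xml", ".jpg", ".jpeg",
                     ".gif", ".bmp", ".properties", ".jar")
# Subset that may carry credentials, schema details or executable code.
SENSITIVE_EXTENSIONS = (".properties", ".jar", ".mondrian.xml", ".xsl")

# client - user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def getresource_target(path):
    """Return the decoded 'resource' parameter of a GetResource call, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/GetResource"):
        return None
    values = parse_qs(parts.query).get("resource")  # parse_qs percent-decodes
    return values[0] if values else None


def classify(entry):
    """Grade one parsed entry: critical / review / served / blocked, or None."""
    target = getresource_target(entry["path"])
    if target is None or not target.lower().endswith(SERVED_EXTENSIONS):
        return None
    lowered = target.lower().lstrip("/")
    in_system = lowered.startswith("system/")      # the folder the advisory names
    sensitive = lowered.endswith(SENSITIVE_EXTENSIONS)
    if entry["status"] != "200":
        verdict = "blocked"        # expected after the patch is applied
    elif in_system and sensitive:
        verdict = "critical"       # system-folder properties/jar served to anyone
    elif sensitive:
        verdict = "review"
    else:
        verdict = "served"         # images: served, but not credential-bearing
    return {"client": entry["client"], "user": entry["user"],
            "resource": target, "status": entry["status"], "verdict": verdict}


def scan(lines):
    """Run classify() over log lines and return the list of findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one exposure, one image fetch, one rejected
# post-patch request, one unrelated page view, one non-system schema fetch.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Feb/2015:10:01:22 +0000] "GET /pentaho/GetResource'
    '?resource=system/defaultUser.spring.properties HTTP/1.1" 200 1843',
    '203.0.113.7 - - [15/Feb/2015:10:01:25 +0000] "GET /pentaho/GetResource'
    '?resource=system%2Flogo.gif HTTP/1.1" 200 5120',
    '198.51.100.4 - - [16/Feb/2015:08:30:01 +0000] "GET /pentaho/GetResource'
    '?resource=system%2FdefaultUser.spring.properties HTTP/1.1" 403 0',
    '198.51.100.4 - admin [16/Feb/2015:08:30:10 +0000] "GET /pentaho/Home HTTP/1.1" 200 9120',
    '192.0.2.9 - - [16/Feb/2015:09:12:44 +0000] "GET /pentaho/GetResource'
    '?resource=reports/sample.mondrian.xml HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:8} {f['status']} {f['client']:14} {f['resource']}")
```

Run it against a real `localhost_access_log` by replacing `SAMPLE_LOG` with the file's lines; any `critical` finding dated before the patch deployment means the named file should be treated as disclosed and its passwords rotated, while a `blocked` verdict for the same resource after the restart confirms the patched servlet is in place.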

Versions Affected

  • 4.3.x GA PDI - Suite
  • 4.4.x GA PDI - Suite
  • 4.5.x GA BA Suite
  • 4.8.x GA BA Suite
  • 5.0.x - 5.2.x GA BA Suite and PDI Suite

CVE-ID

CVE-2015-6940

Solution

Apply the patches listed below to each of your servers as follows.

  • Download the appropriate .jar file for your version of the DI and BI Platform.
  • Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers.
  • Restart each of your servers.

Please note:

  • SPA9-xxxx-4.5.0.11.jar works for both 4.3.x GA PDI - Suite and 4.5.x GA BI - Suite
  • SPA9_xxxx-4.8.3.4-patch.jar works for both 4.4.x GA PDI - Suite and 4.8.x GA BI - Suite
  • SPA9_xxxx-5.x-patch.jar works for all 5.x versions

Acknowledgements

Pentaho thanks security researcher Gregory Draperi for bringing this to our attention.
