Pentaho

Customer Portal


VFS Connections Vulnerability - Pentaho 9.0.0.0 – 9.0.0.6 Impacted

Summary

Customers who have installed Pentaho 9.0.0.0 through 9.0.0.6 and are using virtual file system (VFS) connections with Google Cloud Storage, Snowflake Staging, HCP, and Amazon S3 should immediately change their credentials with those storage systems.

The Pentaho versions affected are 9.0.0.0 through 9.0.0.6.

Issue Description

We have identified a product defect in Pentaho 9.0.0.0 through 9.0.0.6 that has the potential to display encrypted VFS credentials in job (KJB) and transformation (KTR) files. Because KJB and KTR files can be emailed or sent in other ways to recipients who are not part of the customer organization, this defect may cause the inadvertent distribution of VFS credentials.

Although passwords are encrypted in Pentaho, customers should not rely only on this encryption to protect their VFS credentials.

This defect is being addressed in a future Service Pack update, and customers requiring assistance now may contact Support for a JAR update hot fix. In addition, we are prototyping a tool that can sanitize KJB and KTR files that may have been affected by this issue.

The defect is related to named VFS connections, and may be mitigated now by changing credentials with the VFS storage systems.

Action

  • Change your credentials with your VFS storage system.
  • In addition, we recommend using AES encryption for passwords. Customers who have not already implemented AES encryption can find instructions in the Pentaho documentation at AES security.
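Before a KJB or KTR file is e-mailed or otherwise handed to someone outside the organization, it is worth checking whether it carries literal credential values at all. The script below is an added example, not Pentaho's prototype sanitizer or any Pentaho code: it parses a job/transformation file as XML, flags elements whose tag name suggests a secret or whose value carries the `Encrypted ` prefix that Kettle puts in front of its obfuscated passwords, and can rewrite those values to a variable reference so the file can be shared while the real credential stays in a properties file. The sample KTR and its `<connection>` element names are constructed for the example and are not a guarantee of how Pentaho 9.0 serialises named VFS connections; adjust `SECRET_TAG_RE` to the element names you find in your own files.

```python
"""Scan Pentaho KJB/KTR files for embedded credential values before sharing them.

Added example, not Pentaho's own sanitizer. The sample XML and the element
names under <connection> are constructed for illustration. The "Encrypted "
prefix is the marker Kettle writes in front of its obfuscated password values.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Tag names that commonly hold secrets (constructed list; extend for your files).
SECRET_TAG_RE = re.compile(r"(password|passwd|secret|secret_key|access_key|token)", re.I)
KETTLE_PREFIX = "Encrypted "
# Replacement value: a Kettle variable reference, resolved from kettle.properties
# at run time, so the shared file no longer carries the literal credential.
REDACTED = "${VFS_CREDENTIAL}"

# Constructed sample transformation; element names are illustrative.
SAMPLE_KTR = """<?xml version="1.0" encoding="UTF-8"?>
<transformation>
  <info><name>load_from_s3</name></info>
  <connection>
    <name>my_s3</name>
    <type>s3</type>
    <access_key>AKIACONSTRUCTEDEXAMPLE</access_key>
    <secret_key>Encrypted 2be98afc86aa7f2e4cb79ce10bed2ef43</secret_key>
  </connection>
  <step>
    <name>Text file input</name>
    <filename>pvfs://my_s3/bucket/data.csv</filename>
  </step>
</transformation>
"""


def _is_credential(tag: str, text: str) -> bool:
    """True when the element looks like it holds a literal credential value."""
    if not text or text.startswith("${"):
        # Empty, or already a variable reference rather than a literal: skip.
        return False
    return bool(SECRET_TAG_RE.search(tag)) or text.startswith(KETTLE_PREFIX)


def find_credentials(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (parent/tag location, tag, value) for every credential-looking element."""
    root = ET.fromstring(xml_text)
    hits = []
    for parent in root.iter():
        for child in parent:
            text = (child.text or "").strip()
            if _is_credential(child.tag, text):
                hits.append((f"{parent.tag}/{child.tag}", child.tag, text))
    return hits


def redact(xml_text: str) -> str:
    """Return a copy of the file with credential values replaced by a variable reference."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        text = (el.text or "").strip()
        if _is_credential(el.tag, text):
            el.text = REDACTED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for location, _tag, value in find_credentials(SAMPLE_KTR):
        # Show only a prefix of the value so the report itself does not leak it.
        print(f"credential-like value at {location}: {value[:12]}...")
    print(redact(SAMPLE_KTR))
```

Note that a hit on an `Encrypted ` value is still a finding: as the advisory says, Kettle's password encryption is not something to rely on for protecting credentials, so a file that contains one should be treated as exposing the credential and the credential rotated, not merely redacted.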

 


If you need assistance or have questions, please contact Support through the Support Portal.
