VFS Connections Vulnerability - Pentaho – Impacted


Customers who have installed Pentaho through and are using virtual file system (VFS) connections with Google Cloud Storage, Snowflake Staging, HCP, and Amazon S3 should immediately change their credentials with those storage systems.

The Pentaho versions affected are through

Issue Description

We have identified a product defect in Pentaho through that has the potential to display encrypted VFS credentials in job (KJB) and transformation (KTR) files. Because KJB and KTR files can be emailed or sent in other ways to recipients who are not part of the customer organization, this defect may cause the inadvertent distribution of VFS credentials.

Although passwords are encrypted in Pentaho, customers should not rely only on this encryption to protect their VFS credentials.

This defect is being addressed in a future Service Pack update, and customers requiring assistance now may contact Support for a JAR update hot fix. In addition, we are prototyping a tool that can sanitize KJB and KTR files that may have been affected by this issue.

The defect is related to named VFS connections, and may be mitigated now by changing credentials with the VFS storage systems.


  • Change your credentials with your VFS storage system.
  • In addition, we recommend using AES encryption for passwords. Customers who have not already implemented AES encryption can find instructions in the Pentaho documentation at AES security.
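Because affected KJB and KTR files may carry VFS credentials, it helps to know which files hold stored secrets before they are shared. The following is an added example, not Pentaho's sanitizing tool or any Pentaho code: it walks a directory and reports job and transformation files containing values that look like stored passwords. It assumes stored passwords carry the `Encrypted ` prefix; the sample XML and its element names are constructed for illustration and are not the product's real schema.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: stored passwords start with "Encrypted "; add other prefixes if yours differ.
MARKERS = ("Encrypted ",)
SUFFIXES = {".kjb", ".ktr"}

# Constructed sample; element names are illustrative, not Pentaho's real schema.
SAMPLE_KTR = """<transformation>
  <connection-details>
    <name>s3-prod</name>
    <secretKey>Encrypted 2be98afc86aa7f2e4cb79ce10bec3fd89</secretKey>
  </connection-details>
  <step><name>Read file</name><filename>pvfs://s3-prod/in.csv</filename></step>
</transformation>"""


def find_credentials(xml_data):
    """Return sorted element paths whose text looks like a stored secret."""
    hits = []
    def walk(node, path):
        here = f"{path}/{node.tag}"
        if (node.text or "").strip().startswith(MARKERS):
            hits.append(here)
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_data), "")
    return sorted(hits)


def scan_tree(root):
    """Map each .kjb/.ktr file under root to the paths flagged inside it."""
    report = {}
    for f in Path(root).rglob("*"):
        if f.suffix.lower() in SUFFIXES and f.is_file():
            try:
                hits = find_credentials(f.read_bytes())
            except ET.ParseError:
                # A file that cannot be parsed is not proven clean.
                hits = ["<unparseable: review by hand>"]
            if hits:
                report[str(f)] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, *hits, sep="\n  ")
```

A flagged file identifies a credential that should be changed at the storage system; removing the value from the file does not undo copies that were already distributed.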



If you need assistance or have questions, please contact Support through the Support Portal.