Customers who have installed Pentaho 188.8.131.52 through 184.108.40.206 and are using virtual file system (VFS) connections with Google Cloud Storage, Snowflake Staging, HCP, and Amazon S3 should immediately change their credentials with those storage systems.
The Pentaho versions affected are 220.127.116.11 through 18.104.22.168.
We have identified a product defect in Pentaho 22.214.171.124 through 126.96.36.199 that has the potential to display encrypted VFS credentials in job (KJB) and transformation (KTR) files. Because KJB and KTR files can be emailed or sent in other ways to recipients who are not part of the customer organization, this defect may cause the inadvertent distribution of VFS credentials.
Although passwords are encrypted in Pentaho, customers should not rely only on this encryption to protect their VFS credentials.
This defect is being addressed in a future Service Pack update, and customers requiring assistance now may contact Support for a JAR update hot fix. In addition, we are prototyping a tool that can sanitize KJB and KTR files that may have been affected by this issue.
The defect is related to named VFS connections, and may be mitigated now by changing credentials with the VFS storage systems.
- Change your credentials with your VFS storage system.
- In addition, we recommend using AES encryption for passwords. Customers who have not already implemented AES encryption can find instructions in the Pentaho documentation under "AES security".
If you need assistance or have questions, please contact Support through the Support Portal.
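To find out which KJB and KTR files carry encoded credentials before they are shared, the following added example (not Pentaho's sanitizing tool or any vendor code) walks a directory and reports the XML element paths that hold such values, without printing the values themselves. The `Encrypted ` and `AES ` value prefixes, the sample element names and the sample value are assumptions or constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed value prefixes: "Encrypted " (Kettle obfuscation), "AES " (AES encoder).
SECRET_PREFIXES = ("Encrypted ", "AES ")
EXTENSIONS = {".ktr", ".kjb"}

# Constructed sample files; element names and the value are hypothetical.
SAMPLE_KTR = """<transformation>
  <connection-details>
    <secretKey>Encrypted 0000constructed0000</secretKey>
  </connection-details>
</transformation>"""
SAMPLE_KJB = "<job><name>nightly</name></job>"

def find_secrets(xml_path):
    """Return [(element_path, encoding)] for elements holding an encoded secret."""
    hits = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        for prefix in SECRET_PREFIXES:
            if text.startswith(prefix) and len(text) > len(prefix):
                hits.append((here, prefix.strip()))  # location only, never the value
        for child in elem:
            walk(child, here)
    walk(ET.parse(str(xml_path)).getroot(), "")
    return hits

def scan_tree(root_dir):
    """Map each .ktr/.kjb file under root_dir to its findings."""
    report = {}
    for path in sorted(Path(root_dir).rglob("*")):
        if path.suffix.lower() not in EXTENSIONS or not path.is_file():
            continue
        try:
            hits = find_secrets(path)
        except ET.ParseError:
            hits = [("<unparseable XML>", "manual review")]
        if hits:
            report[str(path)] = hits
    return report

def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "load_sales.ktr").write_text(SAMPLE_KTR, encoding="utf-8")
        Path(d, "nightly.kjb").write_text(SAMPLE_KJB, encoding="utf-8")
        return {Path(p).name: h for p, h in scan_tree(d).items()}
```

A hit means only that the file contains an encoded secret of some kind, so each reported file still needs review to decide whether the value belongs to a named VFS connection whose credentials should be changed.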