Overview
The product has a dependency on a third-party component that contains one or more known vulnerabilities. (CWE-1395)
Products Affected
All versions of Pentaho Data Integration & Analytics prior to 10.2.0.7 and 11.0.0.0
Description
All versions of Pentaho Data Integration & Analytics prior to 10.2.0.7 and 11.0.0.0 ship an H2 JDBC driver (h2-2.2.224.jar) that allows an external script to be executed when a data source administrator creates a new connection through it.
Impact
An attacker could gain access to or modify sensitive data or system resources, including protected files or directories such as configuration files and other files containing sensitive information. This can lead to remote code execution by unauthorized users.
Immediate Action
We recommend upgrading to the latest Pentaho Business Analytics Server release or Service Pack in which this vulnerability is addressed. Pentaho 10.2.0.7, 11.0.0.0 and later releases no longer ship the H2 JDBC driver.
Please review the Pentaho End-of-Life policy to ensure you are up to date.
If upgrading to 10.2.0.7, 11.0.0.0 or later is not possible, remove every copy of the driver from the following locations and then restart the affected component(s).
Client Tools:
PDI Client (Spoon) - ..\data-integration\lib\h2-2.2.224.jar
Metadata Editor - ..\metadata-editor\libext\JDBC\h2-2.2.224.jar
Report Designer - ..\report-designer\lib\jdbc\h2-2.2.224.jar
Pentaho Server:
..\pentaho-server\tomcat\lib\h2-2.2.224.jar
..\pentaho-server\tomcat\webapps\pentaho\WEB-INF\lib\h2-2.2.224.jar
Notes
- After the removal, any transformation that requires a connection to H2 will fail, and several of the Pentaho samples that rely on H2 will no longer run.
- If connections using the H2 database driver are still needed, the driver can be restored to the locations above at the user's own risk.
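As an added example, not part of the original advisory or of Pentaho's own tooling, the following POSIX shell script locates the H2 driver jars in the five locations listed above, moves them to a backup directory (so they can be restored later at the user's own risk rather than being deleted outright), and then verifies that no H2 jar remains anywhere under the install root. It assumes the client tools and the server are unpacked under a single install root with the same relative layout, written with forward slashes for a Linux install; the function names list_h2_jars, count_h2_jars, remove_h2_jars, verify_clean and make_sample_tree are this example's own, and make_sample_tree builds a constructed fixture for testing rather than touching a real install. Restarting the affected components afterwards remains a manual step.

```shell
#!/bin/sh
# Added example (not Pentaho's code): audit and remove the H2 JDBC driver from a
# Pentaho install. Assumes one install root containing the relative paths named in
# the advisory; the advisory's "..\" Windows paths map to these with forward slashes.

# Relative directories the advisory lists as shipping h2-2.2.224.jar.
H2_DIRS="data-integration/lib
metadata-editor/libext/JDBC
report-designer/lib/jdbc
pentaho-server/tomcat/lib
pentaho-server/tomcat/webapps/pentaho/WEB-INF/lib"

# list_h2_jars ROOT: print each H2 driver jar found in the known locations.
# Matches any h2-*.jar, not only 2.2.224, in case a different build was dropped in.
list_h2_jars() {
  for d in $H2_DIRS; do
    for f in "$1/$d"/h2-*.jar; do
      [ -f "$f" ] || continue
      printf '%s\n' "$f"
    done
  done
}

# count_h2_jars ROOT: number of driver jars list_h2_jars reports.
count_h2_jars() {
  list_h2_jars "$1" | wc -l | tr -d ' '
}

# remove_h2_jars ROOT BACKUP: move every driver jar out of the classpath into BACKUP,
# numbering the copies so jars from different locations do not overwrite each other.
# Prints the number of jars moved. BACKUP must lie outside ROOT, otherwise
# verify_clean will find the backed-up copies.
remove_h2_jars() {
  root=$1; backup=$2; n=0
  mkdir -p "$backup"
  for d in $H2_DIRS; do
    for f in "$root/$d"/h2-*.jar; do
      [ -f "$f" ] || continue
      n=$((n + 1))
      mv "$f" "$backup/$n-$(basename "$f")"
    done
  done
  echo "$n"
}

# verify_clean ROOT: succeed only if no h2-*.jar remains anywhere under ROOT.
# Walks the whole tree so a copy in a directory the advisory does not list is caught too.
verify_clean() {
  [ -z "$(find "$1" -type f -name 'h2-*.jar')" ]
}

# make_sample_tree ROOT: constructed fixture (not a real install) with empty placeholder
# jars at the five advisory locations plus one unrelated driver that must be kept.
make_sample_tree() {
  for d in $H2_DIRS; do
    mkdir -p "$1/$d"
    : > "$1/$d/h2-2.2.224.jar"
  done
  : > "$1/data-integration/lib/other-jdbc-driver.jar"   # must survive the removal
}

# Usage: sh remove_h2.sh /opt/pentaho /opt/pentaho-h2-backup
# Afterwards restart the PDI client, Metadata Editor, Report Designer and Pentaho Server.
if [ "$#" -ge 2 ]; then
  echo "found: $(count_h2_jars "$1")"
  echo "moved: $(remove_h2_jars "$1" "$2")"
  verify_clean "$1" && echo "no H2 driver jars remain under $1"
fi
```

The removal step only looks in the five known directories, while the final check walks the whole tree; that asymmetry is deliberate, since a driver jar copied into an unlisted directory would still be loaded by whichever component has that directory on its classpath, and the check should flag it rather than silently leave it behind.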