To all of our customers, for all of Hitachi Vantara's software products, we always recommend staying on a supported version and updating to the latest service pack. This practice ensures the latest fixes to known issues are applied and reduces the potential impact of any vulnerability that may be present in the software.
Recently, an article was published by a third party urging customers of Pentaho software to upgrade to the latest version of the software to mitigate vulnerabilities that could impact them.
Following the subtext and links within the article, it is revealed that every reported issue has a fix publicly available for review on GitHub.
Please be assured, we are aware of the issues reported in the article and, with the exception of one, the latest versions of our currently supported releases (v8.3.x and v9.2.x) contain packaged fixes for each.
To clarify, here is a list of the issues raised in the published article, and the status of each:
| CVE | Description | Resolution |
| --- | --- | --- |
| CVE-2021-31599 (CVSS score: 9.9) | Remote Code Execution through Pentaho Report Bundles | Released in June Service Packs 6/29/2021 – v8.3.0.23 & v9.1.0.8 |
| CVE-2021-31601 (CVSS score: 7.1) | Insufficient Access Control of Data Source Management | |
| CVE-2021-31602 (CVSS score: 5.3) | Authentication Bypass of Spring APIs | |
| CVE-2021-34684 (CVSS score: 9.8) | Unauthenticated SQL Injection | |
| CVE-2021-31600 (CVSS score: 4.3) | Jackrabbit User Enumeration | Product feature: There is no impact to users who are not authenticated |
| CVE-2021-34685 (CVSS score: 2.7) | Bypass of Filename Extension Restrictions | Addressed in November Service Pack for Pentaho v8.3 & 9.2 |
If you need more information or have any questions or concerns, please feel free to open a support ticket, email Support or contact me directly.
Paul
Paul Cohen - Head of Customer Success & Support
paul.cohen at hitachivantara.com