Pentaho

Customer Portal

"Critical Flaws Uncovered in Pentaho" article - Known issues explained

To all of our customers: for all of Hitachi Vantara's software products, we always recommend staying on a supported version and updating to the latest service pack. This practice ensures the latest fixes for known issues are applied and reduces the potential impact of any vulnerability that may be present in the software.

Recently, a third party published an article urging customers of Pentaho software to upgrade to the latest version of the software to mitigate vulnerabilities that could affect them.

Following the subtext and links within the article reveals that every reported issue has a fix publicly available for review on GitHub.

Please be assured that we are aware of the issues reported in the article and that, with the exception of one, the latest versions of our currently supported releases (v8.3.x and v9.2.x) contain packaged fixes for each of them.

To clarify, here is a list of the issues raised in the published article, and the status of each:

CVE-2021-31599 (CVSS score: 9.9)
  Description: Remote Code Execution through Pentaho Report Bundles
  Resolution:  Released in the June service packs (6/29/2021): v8.3.0.23 and v9.1.0.8

CVE-2021-31601 (CVSS score: 7.1)
  Description: Insufficient Access Control of Data Source Management
  Resolution:  Released in the June service packs (6/29/2021): v8.3.0.23 and v9.1.0.8

CVE-2021-31602 (CVSS score: 5.3)
  Description: Authentication Bypass of Spring APIs
  Resolution:  Released in the June service packs (6/29/2021): v8.3.0.23 and v9.1.0.8

CVE-2021-34684 (CVSS score: 9.8)
  Description: Unauthenticated SQL Injection
  Resolution:  Released in the June service packs (6/29/2021): v8.3.0.23 and v9.1.0.8

CVE-2021-31600 (CVSS score: 4.3)
  Description: Jackrabbit User Enumeration
  Resolution:  Product feature: there is no impact to users who are not authenticated

CVE-2021-34685 (CVSS score: 2.7)
  Description: Bypass of Filename Extension Restrictions
  Resolution:  Addressed in the November service pack for Pentaho v8.3 and v9.2 (targeted release date 11/26/2021)
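As an added check that is not part of this notice and not Hitachi Vantara's code: the script below compares an installed Pentaho build number against the June 2021 service-pack levels listed in the table (v8.3.0.23 and v9.1.0.8) and summarises what the table says about each CVE for that build. It assumes you have already read the installed version string from your own server (how to obtain it is not shown here). The 9.2 train is named above as supported but no build number is given for it, so the script reports it as "not listed" rather than guessing. The comparison is numeric on purpose: a plain string comparison would rank 8.3.0.9 above 8.3.0.23.

```python
"""
Check an installed Pentaho build against the June 2021 service-pack
levels listed in the table above (v8.3.0.23 and v9.1.0.8).

Added example, not vendor code. Assumption: the caller supplies the
installed version string; fixed-build numbers and CVE identifiers come
from the table above, nothing else is assumed about the product.
"""
from typing import Dict, Optional, Tuple

# Minimum build per release train carrying the June 2021 service-pack
# fixes, as listed above. The 9.2 train has no build number on this page,
# so it is deliberately absent and will be reported as "not listed".
JUNE_2021_SP_MIN_BUILD: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (8, 3): (8, 3, 0, 23),
    (9, 1): (9, 1, 0, 8),
}

# CVEs the table ties to the June 2021 service packs.
JUNE_2021_SP_CVES = (
    "CVE-2021-31599",
    "CVE-2021-31601",
    "CVE-2021-31602",
    "CVE-2021-34684",
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v8.3.0.23' into (8, 3, 0, 23) so comparison is numeric.

    Comparing integer tuples avoids the string-comparison pitfall where
    '8.3.0.9' sorts after '8.3.0.23'.
    """
    text = version.strip().lower().lstrip("v")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def june_2021_sp_status(version: str) -> Optional[bool]:
    """True if the build is at or above the listed June 2021 SP level for
    its train, False if below it, None when this page lists no build
    number for that train (e.g. 9.2.x or 9.0.x)."""
    parsed = parse_version(version)
    train = parsed[:2]
    minimum = JUNE_2021_SP_MIN_BUILD.get(train)
    if minimum is None:
        return None
    # Pad short inputs so '8.3' compares as 8.3.0.0 rather than as a
    # shorter tuple that would sort before every 8.3.x.y build.
    padded = parsed + (0,) * (len(minimum) - len(parsed))
    return padded >= minimum


def report(version: str) -> dict:
    """Summarise what the table above says about a given installed build."""
    status = june_2021_sp_status(version)
    cves: Dict[str, str] = {}
    for cve in JUNE_2021_SP_CVES:
        if status is True:
            cves[cve] = "fixed (June 2021 service pack)"
        elif status is False:
            cves[cve] = "NOT fixed: build is below the June 2021 service-pack level"
        else:
            cves[cve] = "no build number listed on this page for this release train"
    # The remaining two entries are not tied to the June service packs.
    cves["CVE-2021-31600"] = "product feature per vendor; no impact to unauthenticated users"
    cves["CVE-2021-34685"] = "addressed in the November service pack (targeted 11/26/2021)"
    return {"version": version, "june_sp_level": status, "cves": cves}


if __name__ == "__main__":
    # Constructed sample inputs, not real server readings.
    for sample in ("8.3.0.9", "v8.3.0.23", "9.1.0.10", "9.2.0.1"):
        result = report(sample)
        print(sample, "->", result["june_sp_level"])
        for cve, state in result["cves"].items():
            print("   ", cve, ":", state)
```

Run it with your own version string in place of the samples; a result of False for the June service-pack level means the four CVEs above it covers are not packaged in that build, and None means the page gives no build number to compare against for that train, so the support portal is the place to confirm.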

If you need more information or have any questions or concerns, please feel free to open a support ticket, email Support, or contact me directly.

Paul

Paul Cohen - Head of Customer Success & Support
paul.cohen at hitachivantara.com

 
