Hitachi Vantara Pentaho Business Analytics Server - Incorrect Permission Assignment for Critical Resource
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is installed with a sample HSQLDB data source configured with stored procedures enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho BA Server ships with a sample HSQLDB data source with stored procedures enabled, allowing remote code execution via malicious stored procedures.
Vulnerability
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including the 8.3.x series, are installed with a sample HSQLDB data source that has stored procedures enabled and incorrect permission assignments [1]. This configuration allows the data source to be accessed by unintended actors, creating a security-critical resource exposure (CWE-732) [1].
Exploitation
An attacker with network access to the Pentaho BA Server can interact with the sample HSQLDB data source (which is enabled by default) to create a malicious stored procedure [1]. The stored procedure is crafted to write executable JSP files into the application context [1]. Once the JSP file is written, the attacker can access it via a web request to achieve remote code execution [1].
Impact
Successful exploitation grants the attacker remote code execution in the context of the Pentaho BA Server application [1]. This can lead to full compromise of the server, including data exfiltration, lateral movement, and further attacks on the underlying infrastructure [1].
Mitigation
The vulnerability is resolved in Pentaho BA Server versions 9.3.0.2 (Long Term Support Release) and 9.4.0.1 [1]. As a workaround, administrators can delete the sample HSQLDB database and its driver from the product installation [1]. Upgrading to a fixed version is strongly recommended [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.4.0.1
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.