Rewterz Threat Advisory – ICS: Multiple Hitachi Vantara Pentaho Business Analytics Server Vulnerabilities

Severity

High

Analysis Summary

CVE-2022-43769 CVSS:8.8

Hitachi Vantara Pentaho Business Analytics Server could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper filtering of user-controlled input for special elements with control implications. By sending a specially-crafted request using Spring templates, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2022-43771 CVSS:6.5

Hitachi Vantara Pentaho Business Analytics Server could allow a remote authenticated attacker to traverse directories on the system, caused by an out-of-bounds read in the service endpoint for CSV import in the Pentaho Data Access plugin. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system.

CVE-2022-43772 CVSS:3.8

Hitachi Vantara Pentaho Business Analytics Server could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of user credentials in plain-text in the log files by the Big Data Plugin. By gaining access to the log files, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2022-43773 CVSS:8.8

Hitachi Vantara Pentaho Business Analytics Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission assignments in a sample HSQLDB data source configured with stored procedures enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization and obtain administrative access.

CVE-2022-43938 CVSS:8.8

Hitachi Vantara Pentaho Business Analytics Server could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the JVM script manager. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-43939 CVSS:8.6

Hitachi Vantara Pentaho Business Analytics Server could allow a remote attacker to bypass security restrictions, caused by the use of using non-canonical URLs in the authorization filters in the security configuration. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization and obtain access.

CVE-2022-43940 CVSS:8.8

Hitachi Vantara Pentaho Business Analytics Server could allow a remote authenticated attacker to bypass security restrictions, caused by a lack of authorization in the data source management service. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization and obtain administrative access.

CVE-2022-43941 CVSS:7.1

Hitachi Vantara Pentaho Business Analytics Server is vulnerable to an XML external entity injection (XXE) attack when processing XML data, caused by a weakly configured XML parser. By using specially-crafted XML content in the Document Type Definition parameter, a remote attacker could exploit this vulnerability to read arbitrary files, cause a denial of service, conduct an SSRF attack, or achieve other system impacts.

Impact

• Code Execution
• Security Bypass
• Information Disclosure
• Command Execution
• Gain Access

Indicators Of Compromise

CVE

• CVE-2022-43769
• CVE-2022-43771
• CVE-2022-43772
• CVE-2022-43773
• CVE-2022-43938
• CVE-2022-43939
• CVE-2022-43940
• CVE-2022-43941

Affected Vendors

Hitachi

Affected Products

• Pentaho Business Analytics Server Hitachi Vantara 8.3
• Pentaho Business Analytics Server Hitachi Vantara 9.3.0.1
• Pentaho Business Analytics Server Hitachi Vantara 9.4.0.0

Remediation

Refer to Pentaho Web site for patch, upgrade or suggested workaround information.

CVE-2022-43769

CVE-2022-43771

CVE-2022-43772

CVE-2022-43773

CVE-2022-43938

CVE-2022-43939

CVE-2022-43940

CVE-2022-43941