
Hitachi Vantara has issued a security advisory addressing a vulnerability, designated as CVE-2024-37361, in its Pentaho Business Analytics Server. This vulnerability carries a CVSS score of 9.9, indicating a critical severity and potential for significant impact.
CVE-2024-37361 involves the deserialization of untrusted data within the Pentaho Business Analytics Server. Specifically, the application deserializes untrusted JSON data without adequately verifying that the resulting data is valid. This lack of validation can enable attackers to leverage “gadget chains” – sequences of class instances and method invocations that execute automatically during the deserialization process – to perform unauthorized actions.
This vulnerability affects Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x.
Successful exploitation of this vulnerability could allow attackers to execute arbitrary code on the affected server, potentially leading to complete system compromise.
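The weak and hardened configurations behind this class of bug, as an added illustration that is not Pentaho's code: the advisory does not name the JSON library, so this assumes Jackson, whose polymorphic "default typing" lets the JSON document itself name the class to instantiate unless a type validator restricts it. The `com.example.reporting` package prefix and the `ReportRequest` type are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JsonTypeAllowlist {

    // Hypothetical application type that the server legitimately expects to receive.
    public static class ReportRequest {
        public String reportId;
        public int pageSize;
    }

    // Weak setting: polymorphic typing with no validator. The JSON sender then picks
    // the class to instantiate, which is what lets gadget-chain classes already on the
    // classpath run during deserialization.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated in Jackson precisely because it is unsafe
        return mapper;
    }

    // Hardened setting: only types under an explicit package prefix may be named in the
    // JSON, so any other class name is rejected before it is loaded or instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.reporting.") // assumed application package
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the leading array element is the type name chosen
        // by whoever sends the request, not by the application.
        String untrusted = "[\"some.other.Type\", {\"reportId\":\"r1\",\"pageSize\":10}]";
        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("unexpected: type was accepted");
        } catch (JsonMappingException e) {
            // Jackson raises InvalidTypeIdException (a JsonMappingException) for denied types.
            System.out.println("rejected by allowlist: " + e.getOriginalMessage());
        }
    }
}
```

With the hardened mapper the sample request is refused because `some.other.Type` is outside the allowed prefix; the unsafe mapper would attempt to resolve and instantiate whatever class the document names.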
As a temporary mitigation, Hitachi Vantara recommends removing the Pentaho Interactive Reporting plugin from the software installation.
To fully address this vulnerability, users are advised to upgrade to the latest Hitachi Vantara Pentaho 10.2 release or, for version 9.3, to install Service Pack 9.3.0.9 or higher. These updates also patch other security flaws, including:
- CVE-2024-37360 (Cross-site Scripting)
- CVE-2024-37362 (Insecure Transmission of Authentication Credentials)
- CVE-2024-37363 (Authorization Bypass)
Organizations using Hitachi Vantara Pentaho Business Analytics Server should prioritize applying the necessary updates to protect their systems from potential attacks.