Home / os / winmobile

Pentaho 5.2.x BA Suite / PDI Information Disclosure

Posted on 19 September 2015

Exploit Title: Improper authentication allows unauthenticated access to configuration files Product: Pentaho GA PDI & Pentaho GA BA Vulnerable Versions: 5.2.x GA BA Suite and PDI - Suite and previous versions Tested Version: 5.2.x GA BA Suite and PDI - Suite Advisory Publication: 15/02/2015 Latest Update: 15/02/2015 Vulnerability Type: Improper Authentication [CWE-287] CVE Reference: CVE-2015-6940 Credit: Gregory DRAPERI Advisory Details: (1) Vendor & Product Description -------------------------------- Vendor: PENTAHO Product & Version: 4.3.x GA PDI - Suite 4.4.x GA PDI - Suite 4.5.x GA BA Suite 4.8.x GA BA Suite 5.0.x GA BA Suite and PDI - Suite 5.1.x GA BA Suite and PDI - Suite 5.2.x GA BA Suite and PDI - Suite Vendor URL & Download: http://www.pentaho.com Product Description: "Pentaho Business Analytics, a suite of open source Business Intelligence (BI) products which provide data integration, OLAP services, reporting, dashboarding, data mining and ETL capabilities." (2) Vulnerability Details: -------------------------- The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Specifically vulnerable are properties files that may reveal passwords. The servlet allows access to files with the following extensions: .xsl .mondrian.xml .jpg .jpeg .gif .bmp .properties .jar The vulnerability allows unauthenticated access to properties files in the system solution which include properties files containing passwords. The offending code was heavily used in our previous version of our web UI but has since then been deprecated and is only being used in an old deprecated plugin (JPivot). For example, unauthenticated access to the defaultUser.spring.properties is allowed with the following URL: http://localhost:8080/pentaho/GetResource?resource=system/defaultUser.spring.properties (3) Advisory Timeline: ---------------------- 05/02/2015 - First Contact informing vendor of vulnerability 05/02/2015 - Response requesting details of vulnerability. Details sent 05/02/2015 - Vendor indicates issue is under investigation. 15/02/2015 - Vendor confirms patch ready and releases the patch 16/09/2015 - Public disclosure of vulnerability. (4)Solution: ------------ Apply the patches listed below to your Server at the following location. Download the appropriate .jar file for your version of the DI and BI Platform. Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers. Restart each of your servers Please note: SPA9-xxxx-4.5.0.11.jar works for both 4.3.x GA PDI - Suite and 4.5.x GA BI - Suite SPA9_xxxx-4.8.3.4-patch.jar works for both 4.4.x GA PDI - Suite and 4.8.x. GA BI - Suite SPA9_xxxx-5.x-patch.jar works for all 5.x Versions (5) Credits: ------------ Discovered by Gregory DRAPERI (6) References: ------------ https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015

 

TOP