Security Advisory

Pentaho DI Authenticated Remote Code Execution

Authenticated adversaries can gain remote code execution through insecure JSON deserialization.

Advisory ID: MLSA-2024-004
CVE: CVE-2024-37361
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: high
Affected versions: ≤ 10.1.0.0-317
Fixed versions: 10.2
Discovered by: Timo Müller

Product description

More than just ETL (Extract, Transform, Load), Pentaho Data Integration is a codeless data orchestration tool that blends diverse data sets into a single source of truth as a basis for analysis and reporting. Effortlessly managed in a drag-and-drop graphical interface, so you can easily track where it’s coming from, where it’s going and how it’s transforming.

Details

Pentaho serves two API endpoints responsible for creating “Adhoc Report Content.” These endpoints accept both HTTP POST and GET requests and are accessible at the following paths:

  • /pentaho/api/repos/pentaho-interactive-reporting/iadhocasync
  • /pentaho/api/repos/pentaho-interactive-reporting/iadhoc

When triggering an export command, the application tries to deserialize the user-controlled JSON object in the json parameter. This deserialization is performed using the Flexjson library, which allows an adversary to instantiate arbitrary classes with a parameter-less constructor.

The application attempts to filter allowed classes; however, this filter is applied only at the root level of the JSON object, not recursively to its sub-objects. This allows an adversary to inject a nested malicious JSON object which, upon deserialization, leads to remote code execution.
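The difference between a root-only and a recursive class filter, as an added defensive example (not code from Pentaho or from the advisory's author). It assumes the type hint is carried in a "class" key of each JSON object; the allowlist entries and the sample document are constructed placeholders. It goes slightly beyond the text by also rejecting duplicate keys and non-string type hints.

```python
import json

# Hypothetical allowlist: the advisory does not name the classes Pentaho accepts.
ALLOWED_CLASSES = {"com.example.report.AdhocSpec", "com.example.report.Column"}
TYPE_KEY = "class"  # assumption: the key carrying the type hint in the JSON


def _no_duplicate_keys(pairs):
    """Reject duplicate keys so validator and deserializer cannot disagree."""
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key in JSON object")
    return dict(pairs)


def parse(raw):
    return json.loads(raw, object_pairs_hook=_no_duplicate_keys)


def _bad_hint(node):
    hint = node.get(TYPE_KEY)
    return TYPE_KEY in node and not (isinstance(hint, str) and hint in ALLOWED_CLASSES)


def root_only_violations(doc):
    """The flawed pattern: only the top-level object's type hint is checked."""
    if isinstance(doc, dict) and _bad_hint(doc):
        return [("$", doc[TYPE_KEY])]
    return []


def recursive_violations(node, path="$"):
    """Check the type hint of every object at any depth; return (path, hint) pairs."""
    found = []
    if isinstance(node, dict):
        if _bad_hint(node):
            found.append((path, node[TYPE_KEY]))
        for key, value in node.items():
            if key != TYPE_KEY:
                found.extend(recursive_violations(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(recursive_violations(item, f"{path}[{i}]"))
    return found


# Constructed sample: allowed root, disallowed (placeholder) class nested two levels down.
SAMPLE = ('{"class": "com.example.report.AdhocSpec", "columns": ['
          '{"class": "com.example.report.Column", "name": "a"},'
          '{"class": "com.example.report.Column", "format": {"class": "com.example.NotAllowed"}}]}')
```

On the sample, the root-only check reports nothing, while the recursive walk reports the nested object together with its path.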

The vulnerable endpoints can be called by any authenticated user.

Workarounds

None

Coordinated Disclosure Timeline

  • 12/03/2024 Initial Contact to HIRT with vulnerability description.
  • 13/03/2024 HIRT forwards the report to the responsible security team Vantara.
  • 13/04/2024 MOGWAI LABS requests a status update.
  • 06/06/2024 MOGWAI LABS requests a status update again, mentioning our 90-day disclosure policy.
  • 07/06/2024 Response from Hitachi, saying the update will be released in mid-July and providing the CVE.
  • 07/06/2024 Acknowledgement from MOGWAI LABS, advisory will be released after the update.
  • 16/07/2024 Mail from Hitachi, the release was delayed into the second half of August.
  • 22/07/2024 Acknowledgement from MOGWAI LABS, advisory will be delayed a second time.
  • 15/08/2024 Release of Pentaho 10.2
  • 19/08/2024 Public release of the security advisory.