Pentaho version 5.2.x GA BA Suite and PDI allow unauthenticated access to configuration files. The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Specifically vulnerable are properties files that may reveal passwords.
0888853ff4779b5907a0ff21cd8ea09daabbccf2686a3c59adcb64e634280c5e
Exploit Title: Improper authentication allows unauthenticated access
to configuration files
Product: Pentaho GA PDI & Pentaho GA BA
Vulnerable Versions: 5.2.x GA BA Suite and PDI - Suite and previous versions
Tested Version: 5.2.x GA BA Suite and PDI - Suite
Advisory Publication: 15/02/2015
Latest Update: 15/02/2015
Vulnerability Type: Improper Authentication [CWE-287]
CVE Reference: CVE-2015-6940
Credit: Gregory DRAPERI
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor: PENTAHO
Product & Version:
4.3.x GA PDI - Suite
4.4.x GA PDI - Suite
4.5.x GA BA Suite
4.8.x GA BA Suite
5.0.x GA BA Suite and PDI - Suite
5.1.x GA BA Suite and PDI - Suite
5.2.x GA BA Suite and PDI - Suite
Vendor URL & Download:
http://www.pentaho.com
Product Description:
"Pentaho Business Analytics, a suite of open source Business
Intelligence (BI) products which provide data integration, OLAP
services, reporting, dashboarding, data mining and ETL capabilities."
(2) Vulnerability Details:
--------------------------
The GetResource servlet, a vestige of the old platform UI, allows
unauthenticated access to resources in the pentaho-solutions/system
folder. Specifically vulnerable are properties files that may reveal
passwords.
The servlet allows access to files with the following extensions:
.xsl
.mondrian.xml
.jpg
.jpeg
.gif
.bmp
.properties
.jar
The vulnerability allows unauthenticated access to properties files in
the system solution which include properties files containing
passwords. The offending code was heavily used in our previous version
of our web UI but has since then been deprecated and is only being
used in an old deprecated plugin (JPivot).
For example, unauthenticated access to the
defaultUser.spring.properties is allowed with the following URL:
http://localhost:8080/pentaho/GetResource?resource=system/defaultUser.spring.properties
(3) Advisory Timeline:
----------------------
05/02/2015 - First Contact informing vendor of vulnerability
05/02/2015 - Response requesting details of vulnerability. Details sent
05/02/2015 - Vendor indicates issue is under investigation.
15/02/2015 - Vendor confirms patch ready and releases the patch
16/09/2015 - Public disclosure of vulnerability.
(4)Solution:
------------
Apply the patches listed below to your Server at the following location.
Download the appropriate .jar file for your version of the DI and BI Platform.
Copy the .jar file to the WEB-INF/lib folder of each of your DI and BI Servers.
Restart each of your servers
Please note:
SPA9-xxxx-4.5.0.11.jar works for both 4.3.x GA PDI - Suite and 4.5.x
GA BI - Suite
SPA9_xxxx-4.8.3.4-patch.jar works for both 4.4.x GA PDI - Suite and
4.8.x. GA BI - Suite
SPA9_xxxx-5.x-patch.jar works for all 5.x Versions
(5) Credits:
------------
Discovered by Gregory DRAPERI
(6) References:
------------
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015