CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection
CVE-2022-43769 is a critical security vulnerability identified in Hitachi Vantara’s Pentaho Business Analytics (BA) Server. This flaw allows attackers to inject malicious templates, leading to arbitrary code execution on affected systems.
What is Vulnerable to CVE-2022-43769
The following versions of Pentaho BA Server are susceptible to this vulnerability:
- Versions prior to 9.4.0.1
- Versions prior to 9.3.0.2
- All 8.3.x versions
These versions do not adequately filter user-controlled input for special elements with control implications, leaving them open to injection attacks (source: support.pentaho.com).
Mitigation and Remediation for CVE-2022-43769
To protect your systems from this vulnerability, it is recommended to:
- Upgrade to the latest version: Update to Pentaho BA Server version 9.4.0.1 or later. For those on version 9.3, update to Service Pack 9.3.0.2 or above.
- Review the Pentaho End-of-Life policy: Ensure your current version is supported and receives security updates.
Detailed instructions and updates are available in the official Hitachi Vantara advisory (support.pentaho.com).
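The version boundaries above are easy to get wrong when an inventory mixes release lines and build suffixes (Pentaho version strings commonly carry a build number such as "9.3.0.2-431"). The following script is an added example, not code from Hitachi Vantara or from this advisory: it parses a Pentaho BA Server version string, applies the affected ranges exactly as the advisory states them (all 8.3.x; 9.3.x below 9.3.0.2; anything else below 9.4.0.1), and reports which remediation applies. The inventory dictionary at the bottom is constructed sample data.

```python
"""Check Pentaho BA Server version strings against the CVE-2022-43769
affected ranges given in the advisory.

Added example code; it is not Hitachi Vantara's tooling. The only facts it
encodes are the version boundaries stated in the advisory text.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {
    (9, 4): (9, 4, 0, 1),
    (9, 3): (9, 3, 0, 2),
}
# The advisory lists no fixed release for 8.3; every 8.3.x build is affected.
UNFIXED_LINES = {(8, 3)}
# General rule from the advisory for any other release line.
GENERAL_FIX: Version = (9, 4, 0, 1)


def parse_version(text: str) -> Version:
    """Normalise strings like '9.3.0.2-431' or '9.4' to a 4-tuple of ints.

    A trailing '-<build>' suffix is dropped; missing components are zero.
    """
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){0,3}", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range from the advisory."""
    v = parse_version(text)
    line = v[:2]
    if line in UNFIXED_LINES:
        return True
    if line in FIXED_BY_LINE:
        return v < FIXED_BY_LINE[line]
    return v < GENERAL_FIX


def remediation(text: str) -> str:
    """Map a version to the remediation the advisory recommends."""
    if not is_affected(text):
        return "not affected"
    if parse_version(text)[:2] == (9, 3):
        return "apply Service Pack 9.3.0.2 or later"
    return "upgrade to 9.4.0.1 or later"


def audit_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, remediation) for every affected host in inventory."""
    findings = []
    for host, version in sorted(inventory.items()):
        if is_affected(version):
            findings.append((host, version, remediation(version)))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {
        "ba-prod-01": "9.3.0.1-221",
        "ba-prod-02": "9.3.0.2-431",
        "ba-legacy":  "8.3.0.0-371",
        "ba-dev":     "9.4.0.1",
        "ba-stage":   "9.2.0.0",
    }
    for host, version, action in audit_inventory(sample):
        print(f"{host}: {version} is affected by CVE-2022-43769 -> {action}")
```

The script deliberately keeps the release-line rules in one table so that a later advisory revision (for example a fixed 8.3 build, which this advisory does not name) is a one-line change rather than an edit to the comparison logic.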
Impact of Successful Exploitation of CVE-2022-43769
Exploiting this vulnerability allows attackers to:
- Execute arbitrary commands: Run malicious code on the server, potentially compromising the entire system.
- Gain unauthorized access: Access sensitive data and functionalities without proper authorization.
The severity of this vulnerability has led to its inclusion in CISA’s Known Exploited Vulnerabilities Catalog, highlighting the significant risks it poses.
Proof of Concept for CVE-2022-43769
A proof of concept (PoC) demonstrating exploitation of this vulnerability has been published. The exploit sends a crafted request to a vulnerable server, resulting in remote code execution. Details and the exploit code are available on Exploit-DB.
Administrators are strongly urged to apply the recommended updates and mitigations to protect their systems from potential attacks exploiting CVE-2022-43769.