CVE-2022-43769
📋 TL;DR
This vulnerability allows attackers to inject Spring Expression Language templates through certain web services in Pentaho Business Analytics Server, leading to server-side template injection. This can result in authentication bypass and remote code execution. Affected systems include Pentaho BA Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x.
💻 Affected Systems
- Hitachi Vantara Pentaho Business Analytics Server
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution as the application service account, potentially leading to data theft, lateral movement, and complete system takeover.
Likely Case
Authentication bypass followed by remote code execution, allowing attackers to execute arbitrary commands on the server and access sensitive business analytics data.
If Mitigated
Limited impact with proper network segmentation, application firewalls, and strict access controls preventing exploitation attempts.
🎯 Exploit Status
Public exploit code is available and has been weaponized. CISA has added this to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.0.1 or 9.3.0.2
Vendor Advisory: https://support.pentaho.com/hc/en-us/articles/14455561548301
Restart Required: Yes
Instructions:
1. Download the patched version (9.4.0.1 or 9.3.0.2) from the Pentaho support portal.
2. Back up your current installation and configuration.
3. Stop the Pentaho BA Server service.
4. Install the patched version following the vendor's upgrade guide.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Pentaho BA Server to only trusted IP addresses and networks
Web Application Firewall Rules
Implement WAF rules to block requests containing Spring Expression Language patterns
🧯 If You Can't Patch
- Isolate the Pentaho server in a separate network segment with strict firewall rules
- Implement application-level input validation to filter Spring Expression Language patterns
🔍 How to Verify
Check if Vulnerable:
Check the Pentaho BA Server version in the administration console or by examining the server logs for version information
Check Version:
Check the Pentaho administration console or examine the server startup logs for version information
Verify Fix Applied:
Confirm the installed version is 9.4.0.1 or higher (or 9.3.0.2 or higher), and test that Spring Expression Language injection attempts are rejected.
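The version rule above (fixed in 9.4.0.1 and 9.3.0.2; everything earlier, including 8.3.x, affected) is easy to get wrong by hand, because the two fixed builds sit on different release lines. The following helper is an added example, not code from the advisory or from Pentaho: it parses a version string as reported by the administration console or startup log and classifies it. The version strings in the test are constructed inputs, and treating any release line newer than 9.4 as patched is an assumption.

```python
import re

# Fixed builds named in the advisory, one per affected release line.
FIXED_9_4 = (9, 4, 0, 1)
FIXED_9_3 = (9, 3, 0, 2)


def parse_version(text: str) -> tuple:
    """Return the first four numeric components of a version string.

    Accepts forms such as "9.4.0.0" or "9.4.0.0-343" (a trailing build
    number is ignored); missing components are treated as zero.
    """
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    if not nums:
        raise ValueError(f"no version number found in {text!r}")
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its release line."""
    ver = parse_version(version)
    # 9.4.0.1 and anything later (assumed to include newer lines) is fixed.
    if ver >= FIXED_9_4:
        return False
    # The 9.3 line received its own fix in 9.3.0.2.
    if ver[:2] == (9, 3):
        return ver < FIXED_9_3
    # 9.4.0.0, the 9.2 line and older, and all 8.3.x builds are affected.
    return True


if __name__ == "__main__":
    for v in ("8.3.0.0", "9.3.0.1", "9.3.0.2", "9.4.0.0-343", "9.4.0.1"):
        print(f"{v:>12}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Run it against the version string you read from the console or log; a "VULNERABLE" result means the server should be scheduled for the upgrade described under Official Fix.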
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to web services endpoints
- Requests containing Spring Expression Language patterns like ${, #{, or T(
Network Indicators:
- Unusual outbound connections from Pentaho server
- Exploitation attempts to known vulnerable endpoints
SIEM Query:
source="pentaho" AND (http_method="POST" AND (uri_path="*web services*" OR uri_path="*api*")) AND (request_body="*${*" OR request_body="*#{*" OR request_body="*T(*")
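The SIEM query above matches the three SpEL markers as literal substrings. A percent-encoded request body (for example `%24%7B` for `${`) would pass such a match untouched, so a detection should normalise the body before looking for the markers. The script below is an added example, not part of the advisory or the Pentaho product: it applies the same POST-to-API/web-services filter as the query to a few constructed request records, percent-decodes the body, and reports which marker fired. The record fields, the `/pentaho/...` paths and the bodies are all constructed placeholders.

```python
import re
from urllib.parse import unquote

# Markers from the advisory's log indicators. The word boundary before "T("
# keeps ordinary tokens such as "SELECT(" from matching.
SPEL_MARKERS = re.compile(r"\$\{|#\{|\bT\(")


def normalize_body(body: str) -> str:
    """Percent-decode up to twice so single and double encoding both unwrap."""
    out = body
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def is_service_path(path: str) -> bool:
    """Same path filter as the SIEM query: web services or API endpoints."""
    p = path.lower()
    return "/api" in p or "web services" in p or "webservices" in p


def flag_spel_requests(records):
    """Return (record id, matched marker) for suspicious POST bodies."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        if not is_service_path(rec.get("uri_path", "")):
            continue
        body = normalize_body(rec.get("request_body", ""))
        match = SPEL_MARKERS.search(body)
        if match:
            hits.append((rec["id"], match.group(0)))
    return hits


# Constructed sample records standing in for parsed web-server log entries.
SAMPLE_RECORDS = [
    {"id": 1, "method": "POST", "uri_path": "/pentaho/api/example",
     "request_body": "name=${probe}"},
    {"id": 2, "method": "POST", "uri_path": "/pentaho/api/example",
     "request_body": "name=%24%7Bprobe%7D"},        # percent-encoded ${
    {"id": 3, "method": "GET", "uri_path": "/pentaho/api/example",
     "request_body": ""},
    {"id": 4, "method": "POST", "uri_path": "/pentaho/api/example",
     "request_body": "title=Quarterly+report"},     # benign body
    {"id": 5, "method": "POST", "uri_path": "/pentaho/webservices/example",
     "request_body": "x=T(probe)"},
    {"id": 6, "method": "POST", "uri_path": "/pentaho/api/example",
     "request_body": "q=SELECT(1)"},                # "T(" inside a word
]

if __name__ == "__main__":
    for rec_id, marker in flag_spel_requests(SAMPLE_RECORDS):
        print(f"record {rec_id}: SpEL marker {marker!r} in request body")
```

Record 2 is the case the literal query misses; record 6 shows why the `T(` marker needs a word boundary if you want to keep the alert volume manageable on real traffic.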
🔗 References
- http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
- https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43769