CVE-2022-43938

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code through malicious Pentaho Reports (*.prpt files) because the report engine's scripting capabilities cannot be disabled. It affects Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. System administrators cannot restrict the JVM script manager as intended.

💻 Affected Systems

Products:
  • Hitachi Vantara Pentaho Business Analytics Server
Versions: Versions before 9.4.0.1 and 9.3.0.2, including all 8.3.x versions
Operating Systems: All supported operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable by default; no special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized code execution with the privileges of the Pentaho server process, potentially leading to data exfiltration or further exploitation.

🟢 If Mitigated

Limited impact if network segmentation and strict file upload controls prevent malicious report uploads.

🌐 Internet-Facing: HIGH - If the Pentaho server is exposed to the internet, attackers can upload malicious reports to achieve RCE.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could still exploit this, but exploitation requires some level of access to the server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to upload or create malicious .prpt report files, which typically requires some level of access to the Pentaho server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.4.0.1 or 9.3.0.2

Vendor Advisory: https://support.pentaho.com/hc/en-us/articles/14454630725645--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Directives-in-Statically-Saved-Code-Static-Code-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43938-

Restart Required: Yes

Instructions:

1. Download the patched version (9.4.0.1 or 9.3.0.2) from Hitachi Vantara.
2. Back up the current installation and data.
3. Stop the Pentaho server.
4. Apply the update following vendor documentation.
5. Restart the server and verify functionality.

🔧 Temporary Workarounds

Restrict Report Uploads (applies to: all affected versions)

Implement strict controls on who can upload or create .prpt report files through application permissions and network controls.

Network Segmentation (applies to: all affected versions)

Isolate Pentaho servers from sensitive systems and restrict inbound access to only necessary users.

🧯 If You Can't Patch

  • Implement strict file upload validation to reject suspicious .prpt files
  • Monitor server logs for unusual report creation or execution activities

🔍 How to Verify

Check if Vulnerable:

Check the Pentaho server version in the administration console or in the server startup logs, and compare it against the affected ranges: anything below 9.3.0.2 on the 9.3 line, below 9.4.0.1 on the 9.4 line, and all 8.3.x releases.

Check Version:

Check the Pentaho administration web interface or examine the server logs for version information during startup.

Verify Fix Applied:

Confirm the server version is 9.4.0.1, 9.3.0.2, or later after patching.
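The version comparison above is easy to get wrong by hand because the fix landed separately on the 9.3 and 9.4 lines. The following added example (not part of this advisory or of Pentaho's own tooling) classifies a version string against the fixed versions named on this page; it assumes a build suffix such as `-123` may follow the version, and that lines newer than 9.4 shipped after the fix. The log line is a constructed sample, not real Pentaho output.

```python
import re
from typing import Tuple

# Fixed versions per maintenance line, as stated in this advisory.
FIXED_BY_LINE = {(9, 3): (9, 3, 0, 2), (9, 4): (9, 4, 0, 1)}

# Assumption: versions may carry a build suffix like "9.3.0.1-431".
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})(?:-\d+)?\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.0.1-431' or '8.3' into a 4-tuple; missing parts become 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(text: str) -> bool:
    """True if the version falls in the affected ranges of CVE-2022-43938."""
    v = parse_version(text)
    line = v[:2]
    if line in FIXED_BY_LINE:
        # 9.3.x and 9.4.x: vulnerable only below the line's fixed release.
        return v < FIXED_BY_LINE[line]
    # Older lines (e.g. all 8.3.x) never received the fix.
    # Assumption: lines after 9.4 were released with the fix already in place.
    return line < (9, 3)


def version_from_log(lines) -> str:
    """Pick the first version-looking token out of startup log lines."""
    for ln in lines:
        if VERSION_RE.search(ln):
            return VERSION_RE.search(ln).group(1)
    raise ValueError("no version line found")


if __name__ == "__main__":
    # Constructed sample log line (format is illustrative only).
    sample_log = ["INFO  Pentaho BA Server starting, version 9.3.0.1-431"]
    ver = version_from_log(sample_log)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```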

📡 Detection & Monitoring

Log Indicators:

  • Unusual .prpt file uploads or executions
  • Errors related to script execution in report files
  • Unexpected process creation from Pentaho server

Network Indicators:

  • Unusual outbound connections from Pentaho server
  • Traffic patterns suggesting data exfiltration

SIEM Query:

source="pentaho_server" AND (event="report_upload" OR event="script_execution") AND result="success" | stats count by user, file_name
