CVE-2024-37359
📋 TL;DR
This is a Server-Side Request Forgery (SSRF) vulnerability in Hitachi Vantara Pentaho Business Analytics Server where the server doesn't validate the Host header in HTTP/HTTPS requests. Attackers can make the server send requests to unexpected destinations, potentially bypassing firewalls and accessing internal resources. Affected are Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x.
💻 Affected Systems
- Hitachi Vantara Pentaho Business Analytics Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers use the server as a proxy to scan internal networks, access internal systems via file:// protocol, or exploit other protocols like gopher:// to gain control over request contents and potentially access sensitive data or systems.
Likely Case
Attackers bypass firewall restrictions to access internal web services, conduct port scanning of internal networks, or retrieve internal files using file:// URLs.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the server's network segment and authorized destinations only.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests but doesn't require authentication. Attackers need network access to the vulnerable server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.0.0 or 9.3.0.9
Restart Required: No
Instructions:
1. Download the patched version (10.2.0.0 or 9.3.0.9) from official Hitachi Vantara sources.
2. Back up the current configuration and data.
3. Install the update following the vendor documentation.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Network Egress Filtering
Configure firewall rules to restrict outbound connections from the Pentaho server to only authorized destinations and protocols.
Reverse Proxy Validation
Deploy a reverse proxy that validates and sanitizes Host headers before forwarding requests to the Pentaho server.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Pentaho server from sensitive internal networks
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check the server version via the web interface or configuration files. If the version is below 10.2.0.0 or 9.3.0.9 (8.3.x included), the system is vulnerable.
Check Version:
Check the Pentaho server version via the web interface at /pentaho/Home or examine server configuration files for version information.
Verify Fix Applied:
After patching, test with controlled SSRF payloads to ensure the server no longer processes requests with manipulated Host headers to unauthorized destinations.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound connections from the Pentaho server
- HTTP requests with file://, gopher://, or tftp:// URLs in logs
- Requests to internal IP addresses from the Pentaho server
Network Indicators:
- Pentaho server making unexpected outbound connections to internal systems
- Traffic to unusual ports or protocols from the Pentaho server
SIEM Query:
source="pentaho_server" AND ((url="file://*" OR url="gopher://*" OR url="tftp://*") OR destination_ip IN internal_ranges)
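As an added example (not code from this advisory or from Hitachi Vantara), the Python below applies the log indicators listed above, plus the Host header allowlist check that the reverse-proxy workaround relies on, to a few constructed log lines. The key=value log format, the field names and the allowed hostname are assumptions for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit
# Assumed log fields/format for this illustration; adapt to your real pipeline.
SUSPICIOUS_SCHEMES = {"file", "gopher", "tftp"}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Hostnames the front-end proxy should accept for the Pentaho vhost (assumed value).
ALLOWED_HOSTS = {"pentaho.example.internal"}


def parse_record(line):
    """Turn a 'key="value" key="value"' line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields


def is_internal(ip_text):
    """True when ip_text is an address inside one of INTERNAL_RANGES."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_RANGES)


def classify(line):
    """Return the indicator names one log line matches (empty list = clean)."""
    rec = parse_record(line)
    hits = []
    if rec.get("source") == "pentaho_server":  # outbound side of the SSRF
        if urlsplit(rec.get("url", "")).scheme.lower() in SUSPICIOUS_SCHEMES:
            hits.append("suspicious_scheme")
        if is_internal(rec.get("destination_ip", "")):
            hits.append("internal_destination")
    # Inbound side: a Host header outside the allowlist is what a validating proxy rejects.
    host = rec.get("host")
    if host is not None and host.split(":")[0].lower() not in ALLOWED_HOSTS:
        hits.append("unexpected_host_header")
    return hits


# Constructed sample lines, not real Pentaho output.
SAMPLE_LOG = [
    'source="pentaho_server" url="https://reports.example.com/r" destination_ip="203.0.113.10"',
    'source="pentaho_server" url="file:///etc/hosts" destination_ip="127.0.0.1"',
    'source="pentaho_server" url="gopher://10.0.0.5/1" destination_ip="10.0.0.5"',
    'source="proxy" host="attacker.example.net:443" url="/pentaho/Home"',
]
```

Run `classify` over each line of the real log feed; a non-empty result is a candidate alert to enrich with the destination and the originating request.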