CVE-2024-37361

9.9 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Hitachi Vantara Pentaho Business Analytics Server by sending specially crafted JSON data. The deserialization flaw enables attackers to leverage gadget chains to perform unauthorized actions. Organizations running affected Pentaho versions are at risk.

💻 Affected Systems

Products:
  • Hitachi Vantara Pentaho Business Analytics Server
Versions: Before 10.2.0.0 and 9.3.0.9, including all 8.3.x versions
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, ransomware deployment, or lateral movement across the network.

🟠 Likely Case

Remote code execution allowing attackers to install backdoors, exfiltrate sensitive data, or disrupt business operations.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting the application service.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internally, the vulnerability can be exploited by malicious insiders or attackers who have gained initial network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities are commonly weaponized, and the high CVSS score suggests exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.0.0 or 9.3.0.9

Vendor Advisory: https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361

Restart Required: Yes

Instructions:

  1. Download the patched version (10.2.0.0 or 9.3.0.9) from official Pentaho sources.
  2. Back up the current configuration and data.
  3. Stop the Pentaho service.
  4. Install the updated version.
  5. Restart the service and verify functionality.

🔧 Temporary Workarounds

Network Isolation (all)

  • Restrict network access to Pentaho servers to only trusted sources
  • Use firewall rules to limit inbound connections to specific IP ranges

Input Validation (all)

  • Implement application-level validation to reject unexpected JSON structures
  • Configure web application firewall rules to block suspicious JSON payloads

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet access and restrict internal network connectivity
  • Implement strict monitoring and alerting for suspicious deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check the Pentaho server version in the administration console or by examining the server startup logs

Check Version:

Check the Pentaho administration interface or examine the pentaho-server/version.txt file

Verify Fix Applied:

Confirm the version is 10.2.0.0 or higher, or 9.3.0.9 or higher for the 9.x branch
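As an added check for the version step above (example code, not from the advisory and not Hitachi Vantara's own tooling), the following Python decides whether a Pentaho BA Server version string falls inside the affected range the advisory states: anything before 10.2.0.0 is affected, except 9.x releases at or above 9.3.0.9, and every 8.3.x release is affected. The pentaho-server/version.txt path and its line format are assumptions; the sample inputs are constructed.

```python
"""Version check for CVE-2024-37361 (added example, not vendor code)."""
import re
from pathlib import Path

# First fixed release on each branch, as stated in the advisory.
FIXED_10 = (10, 2, 0, 0)
FIXED_9 = (9, 3, 0, 9)

def parse_version(text: str) -> tuple:
    """Pull the first dotted version out of free text and pad it to 4 parts."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(version: str) -> bool:
    """True when the version is inside the advisory's affected range."""
    v = parse_version(version)
    if v >= FIXED_10:
        return False            # 10.2.0.0 and later carry the fix
    if v[0] == 9 and v >= FIXED_9:
        return False            # 9.3.0.9 and later on the 9.x branch are fixed
    return True                 # everything else, including all 8.3.x, is affected

def remediation_target(version: str) -> str:
    """Fixed release to move to: stay on 9.x if already there, else 10.2.0.0."""
    v = parse_version(version)
    return "9.3.0.9" if v[0] == 9 else "10.2.0.0"

def assess(version_text: str) -> dict:
    """Summarise one version string (e.g. the contents of version.txt)."""
    vulnerable = is_vulnerable(version_text)
    return {
        "version": ".".join(map(str, parse_version(version_text))),
        "vulnerable": vulnerable,
        "upgrade_to": remediation_target(version_text) if vulnerable else None,
    }

if __name__ == "__main__":
    # Assumed location of the version file relative to the install root.
    path = Path("pentaho-server/version.txt")
    text = path.read_text(encoding="utf-8") if path.exists() else "9.3.0.8"  # constructed fallback
    print(assess(text))
```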

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON payloads in application logs
  • Stack traces containing deserialization errors
  • Unexpected process execution

Network Indicators:

  • Unusual outbound connections from Pentaho servers
  • Large JSON payloads to Pentaho endpoints

SIEM Query:

source="pentaho" AND (message="*deserialization*" OR (message="*JSON*" AND size>threshold))
