CVE-2024-5706

8.8 HIGH

📋 TL;DR

This vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics allows attackers to inject malicious JNDI identifiers when creating Community Dashboards, potentially gaining unauthorized access to system-level data sources. Affected organizations using vulnerable versions could experience data breaches or system compromise. The vulnerability impacts versions before 10.2.0.0 and 9.3.0.9, including 8.3.x.

💻 Affected Systems

Products:
  • Hitachi Vantara Pentaho Data Integration & Analytics
Versions: Versions before 10.2.0.0 and 9.3.0.9, including 8.3.x
Operating Systems: All supported operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in Community Dashboards functionality; all deployments with this feature enabled are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Unauthorized access to sensitive data, modification of system resources, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can directly exploit without internal access.
🏢 Internal Only: MEDIUM - Requires internal network access but could be exploited by malicious insiders or through lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to create Community Dashboards and may therefore require some level of authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.0.0 or 9.3.0.9

Vendor Advisory: https://support.pentaho.com/hc/en-us/articles/34296195570189--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-5706

Restart Required: No

Instructions:

1. Download the appropriate patched version (10.2.0.0 or 9.3.0.9) from official vendor sources.
2. Back up the current installation and data.
3. Apply the update following the vendor's upgrade documentation.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Community Dashboards

Applies to: all versions

Temporarily disable the Community Dashboards feature to prevent exploitation.

Consult Pentaho documentation for feature disablement procedures specific to your version.

Restrict Dashboard Creation Permissions

Applies to: all versions

Limit who can create Community Dashboards to trusted administrators only.

Configure role-based access controls to restrict dashboard creation privileges.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Pentaho servers from sensitive systems
  • Enhance monitoring for unusual JNDI lookup patterns or unauthorized dashboard creation attempts

🔍 How to Verify

Check if Vulnerable:

Check Pentaho version via web interface or configuration files; versions before 10.2.0.0 and 9.3.0.9 (including 8.3.x) are vulnerable.

Check Version:

Check Pentaho web interface admin panel or examine server configuration files for version information.

Verify Fix Applied:

Confirm the version is 10.2.0.0 or 9.3.0.9 or later; a test Community Dashboard created with a malicious JNDI identifier should be rejected.
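As an added example (not from the advisory or from Hitachi Vantara), a small Python check that classifies a Pentaho version string against the affected ranges stated above. It assumes that any 9.3 build newer than 9.3.0.9 counts as fixed and that every other release before 10.2.0.0 is affected, which is how the advisory's wording reads.

```python
"""Added example, not from the advisory or the vendor: classify a Pentaho
version string against the affected ranges stated for CVE-2024-5706."""
from typing import Tuple

# Fixed releases named in the advisory. 8.3.x has no fix of its own; the
# advisory's remedy is to move to 9.3.0.9 or 10.2.0.0.
FIXED_93 = (9, 3, 0, 9)
FIXED_10 = (10, 2, 0, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.0.9' (or a shorter form such as '9.3') into a 4-part tuple,
    padding missing trailing components with zeros."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_vulnerable(version: str) -> bool:
    """True when the version is inside the advisory's affected range.

    Rules taken from the advisory: everything before 10.2.0.0 is affected,
    except 9.3 builds at 9.3.0.9 or later. Assumption (not spelled out on
    the page): a 9.3 build newer than 9.3.0.9, e.g. 9.3.1, counts as fixed.
    """
    v = parse_version(version)
    if v >= FIXED_10:
        return False
    if v[:2] == (9, 3) and v >= FIXED_93:
        return False
    return True


def recommended_target(version: str) -> str:
    """Name the advisory's fix release that applies, or '' if already fixed.
    Assumption: a 9.3 line is pointed at 9.3.0.9, everything else at 10.2.0.0."""
    if not is_vulnerable(version):
        return ""
    major_minor = parse_version(version)[:2]
    return "9.3.0.9" if major_minor == (9, 3) else "10.2.0.0"


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from any real deployment.
    for sample in ("8.3.0.0", "9.3.0.8", "9.3.0.9", "10.1.0.0", "10.2.0.0"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample:>10}: {state} {recommended_target(sample)}")
```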

📡 Detection & Monitoring

Log Indicators:

  • Unusual JNDI lookup patterns
  • Unauthorized Community Dashboard creation attempts
  • Access to system-level data sources from non-admin users

Network Indicators:

  • Unexpected outbound connections from Pentaho servers
  • Traffic to unusual LDAP/JNDI endpoints

SIEM Query:

source="pentaho" AND (event="dashboard_creation" OR event="jndi_lookup") AND user NOT IN [admin_users]
