Hitachi Vantara Pentaho Data Integration and Analytics H2 JDBC Driver External Script Execution Vulnerability
Vulnerability
A vulnerability allowing external script execution has been identified in the H2 JDBC driver bundled with Hitachi Vantara Pentaho Data Integration and Analytics. It affects versions before 10.2.0.7 and versions before 11.0.0.0. The issue is triggered when a user with data source administration rights creates a new connection: the connection parameters handed to the bundled H2 driver can cause it to execute an external script. Through that script the user can read protected files, including configuration files and other sensitive information, modify data and system resources, and ultimately achieve remote code execution on the server.
Impact
An attacker who is able to create a data source connection could use this vulnerability to execute scripts on the server where Pentaho is running, resulting in remote code execution under the privileges of the Pentaho server process.
Remediation
Users are advised to upgrade to Hitachi Vantara Pentaho Data Integration and Analytics 10.2.0.7 or later in the 10.2 line, or to 11.0.0.0 or later, as these versions no longer ship the vulnerable H2 JDBC driver. If an upgrade is not possible, the H2 JDBC driver can be removed manually from the application directories; because the advisory refers to directories in the plural, check every library location of the installation rather than a single one, and keep a backup of each removed jar. Removing the driver may break any Pentaho features or samples that rely on H2, so test the affected data sources after the change.
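The following POSIX shell helper is an added example, not code from Hitachi Vantara or the advisory. It locates H2 driver jars under a Pentaho installation root so an administrator can confirm whether the vulnerable driver is still present and, if an upgrade is not possible, move the jars out of the application directories into a backup location. It assumes that the driver ships as a jar named h2.jar or h2-<version>.jar and that the installation root is passed as the first argument; neither detail comes from the advisory.

```shell
#!/bin/sh
# Added example (not from Hitachi Vantara): find, check for and remove the
# bundled H2 JDBC driver under a Pentaho install root.
#
# Assumptions (not stated in the advisory):
#   - the driver jar is named "h2.jar" or "h2-<version>.jar"
#   - $1 is the install root, e.g. /opt/pentaho (hypothetical path)

# Print every H2 driver jar below the given root, one per line, sorted.
find_h2_jars() {
  root="$1"
  find "$root" -type f \( -name 'h2-*.jar' -o -name 'h2.jar' \) 2>/dev/null | sort
}

# Exit status 0 when no H2 driver jar is present (clean), 1 otherwise.
check_h2_present() {
  n=$(find_h2_jars "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Move every H2 driver jar below $1 into backup directory $2, preserving the
# path relative to the root so the jars can be restored if a feature breaks.
remove_h2_jars() {
  root="$1"
  backup="$2"
  find_h2_jars "$root" | while IFS= read -r jar; do
    rel="${jar#"$root"/}"
    mkdir -p "$backup/$(dirname "$rel")"
    mv "$jar" "$backup/$rel"
    echo "moved $jar -> $backup/$rel"
  done
}

# Usage (after sourcing this file):
#   check_h2_present /opt/pentaho || echo "H2 driver still present"
#   remove_h2_jars /opt/pentaho /root/h2-backup
```

Run check_h2_present again after the removal and after every restart or patch, since a later reinstall of a plugin or sample could put the driver back.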
