Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Editor Deserialization Vulnerability
Vulnerability
A deserialization vulnerability has been identified in the Community Dashboard Editor (CDE) plugin of Hitachi Vantara Pentaho Data Integration and Analytics. It affects versions prior to 10.2.0.4, including 9.3.0.x and 8.3.x. The plugin deserializes untrusted JSON data without properly validating it, so an attacker who controls the JSON input can manipulate the deserialization process, including which objects are instantiated and which methods run while the input is being parsed.
Impact
Exploitation of this vulnerability could allow an attacker to execute unauthorized actions through unrestricted 'gadget chains' during deserialization: object instances and method invocations triggered by the attacker-supplied data (constructors, setters and similar callbacks on whatever classes the input names) run as a side effect of parsing, before the deserialized object is returned to the caller, so no application-level validation of the result can prevent them.
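The two paragraphs above describe the classic untrusted-JSON sink: a deserializer that lets the input choose the target class. The following Java program is an added example written for this page, not CDE's or Pentaho's code, and the advisory does not state which JSON library CDE uses; it assumes Jackson (jackson-databind 2.10 or later) on the classpath, and the class names `PolymorphicJsonDemo`, `SideEffectBean` and the package prefix `com.example.dashboard.model.` are hypothetical. The "gadget" here is deliberately harmless (it only sets a flag), but it shows the property the Impact section describes: the side effect fires inside `readValue()`, before any object reaches the caller. The hardened mapper restricts type resolution to an allowlist so the same payload is rejected before any constructor or setter runs.

```java
// Added example (not Pentaho/CDE code). Assumes jackson-databind 2.10+.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class PolymorphicJsonDemo {

    // Stand-in for a gadget class: a bean whose setter has a side effect.
    // Real gadgets do things like open JNDI lookups or load remote classes;
    // this hypothetical one only records that it ran, so it is safe to execute.
    public static class SideEffectBean {
        public static boolean invoked = false;

        public void setTarget(String target) {
            // Runs while the JSON is being parsed, before readValue() returns.
            invoked = true;
        }
    }

    // Constructed attacker-controlled input. With Jackson default typing the
    // wrapper-array form ["fully.qualified.ClassName", {...}] names the class
    // to instantiate; the application never intended this class to be chosen
    // by the caller.
    static final String PAYLOAD =
        "[\"" + SideEffectBean.class.getName() + "\", {\"target\":\"anything\"}]";

    // Vulnerable pattern: any class on the classpath may be named in the JSON.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Hardened pattern: only types under an allowlisted package may be named.
    // (Not enabling default typing at all is better still; this shows the
    // fix when polymorphic handling genuinely is required.)
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.dashboard.model.")   // hypothetical package
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // 1. Unrestricted: the bean is instantiated and its setter fires
        //    inside readValue(), before the caller sees any object.
        SideEffectBean.invoked = false;
        Object o = unsafeMapper().readValue(PAYLOAD, Object.class);
        System.out.println("unsafe: got " + o.getClass().getSimpleName()
            + ", side effect ran = " + SideEffectBean.invoked);

        // 2. Restricted: the type id is rejected by the validator, so no
        //    constructor or setter of the named class ever runs.
        SideEffectBean.invoked = false;
        try {
            safeMapper().readValue(PAYLOAD, Object.class);
            System.out.println("safe: unexpectedly accepted the payload");
        } catch (InvalidTypeIdException e) {
            System.out.println("safe: type id rejected, side effect ran = "
                + SideEffectBean.invoked);
        }
    }
}
```

When reviewing a deployment for this class of issue, the check is the same regardless of library: find every place untrusted JSON reaches a mapper that honours type identifiers from the input (`@class`, `@type`, wrapper arrays, or equivalent), and confirm either that the feature is off or that an explicit allowlist of deserializable types is enforced before any instance is created.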
Remediation
Users are advised to remove the Community Dashboard Editor (CDE) plugin from their installation. Users of Hitachi Vantara Pentaho Business Analytics Server should upgrade to the latest release or Service Pack in which this vulnerability has been addressed. Consult the Pentaho End-of-Life policy to confirm that the deployed version is still supported.