Attack

Active exploitation reported of Hitachi Vantara Pentaho BA Server flaws

Take action: If you are running Hitachi Vantara Pentaho BA Server, be aware that attackers are actively looking for exposed instances. Make sure the server is isolated from the internet and reachable only from trusted networks, then patch promptly to version 9.4.0.1, 9.3.0.2 or later.


Learn More

Threat actors are actively exploiting two critical vulnerabilities in the Hitachi Vantara Pentaho Business Analytics (BA) Server, a widely-used platform for data analysis and business intelligence. 

FortiGuard network sensors have detected attack attempts against over 500 devices, and the Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Vulnerability summary

  • CVE-2022-43939 (CVSS score 9.8) affects Pentaho BA Server versions prior to 9.4.0.1 and 9.3.0.2, including 8.3.x. This flaw allows attackers to bypass security restrictions because the server makes authorization decisions on non-canonical URLs, so a differently spelled path can reach a protected resource without authorization.
  • CVE-2022-43769 (CVSS score 8.8) stems from improper sanitization of special elements within the server. This flaw enables attackers to insert malicious Spring templates into property values, which are then processed by the server and can lead to remote code execution.

Both vulnerabilities have been patched since 2023 but are still being actively exploited in the wild. The widespread adoption of Pentaho BA Server among enterprise organizations makes these vulnerabilities particularly concerning.

Security teams are strongly advised to take the following actions immediately:

  1. Apply the latest patches or updates from Hitachi Vantara to affected Pentaho BA Server installations
  2. Upgrade to versions 9.4.0.1, 9.3.0.2, or later, which address both vulnerabilities

Organizations that cannot immediately patch should implement additional network segmentation around Pentaho servers and enhance monitoring for unusual access patterns or suspicious activities.
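As an added illustration of the CVE-2022-43939 pattern (authorization decided on a non-canonical URL) and of the monitoring advice above, here is example code written for this note, not Hitachi Vantara's or the advisory's own: a raw-path check beside a canonicalize-then-check version, plus a scan over access-log lines that flags requests reaching a protected area only through a non-canonical spelling. The protected prefix, the log lines and the source addresses are constructed; no real Pentaho path is used.

```python
# Added example, not code from the advisory or from Hitachi Vantara; prefix and log lines are constructed.
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/app/admin",)  # assumed protected area, not a real Pentaho path

def canonicalize(path: str) -> str:
    """Reduce a request path to one canonical spelling before any authorization decision."""
    p = path.split("?", 1)[0]         # drop the query string
    prev = None
    while prev != p:                  # decode until stable: handles %252e -> %2e -> .
        prev, p = p, unquote(p)
    p = re.sub(r"/+", "/", "/" + p)   # collapse duplicate slashes (normpath would keep a leading "//")
    return posixpath.normpath(p)      # resolves "." and ".." segments, strips a trailing "/"

def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")

def is_protected_raw(path: str) -> bool:
    """Vulnerable pattern: the decision is made on the raw, non-canonical path."""
    return any(_under(path, pre) for pre in PROTECTED_PREFIXES)

def is_protected(path: str) -> bool:
    """Hardened pattern: canonicalize first, then compare."""
    return any(_under(canonicalize(path), pre) for pre in PROTECTED_PREFIXES)

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')  # combined log format

def find_canonicalization_bypass_attempts(lines):
    """Return (src, raw_path, canonical_path) for requests that reach a protected
    area only via a non-canonical spelling, i.e. ones a raw-path check lets through."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, _method, path, _status = m.groups()
        if is_protected(path) and not is_protected_raw(path):
            hits.append((src, path, canonicalize(path)))
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /app/admin/users HTTP/1.1" 403',
    '10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "GET /app/public/../admin/users HTTP/1.1" 200',
    '10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "GET /app/%61dmin/users HTTP/1.1" 200',
    '10.0.0.9 - - [10/Mar/2025:12:00:04 +0000] "GET /app//%252e%252e/app/admin/users HTTP/1.1" 200',
    '10.0.0.7 - - [10/Mar/2025:12:00:05 +0000] "GET /app/public/report HTTP/1.1" 200',
]
```

Running `find_canonicalization_bypass_attempts(SAMPLE_LOG)` returns the three 10.0.0.9 requests, each canonicalizing to `/app/admin/users`; the same comparison run against real access logs is a cheap first signal while patching is scheduled.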
