Phil Dobson (Aura Information Security)
A researcher from Kiwi information security consultancy Aura has identified concerning security flaws in the widely used Pentaho business intelligence platform.
Harry Withington discovered several critical vulnerabilities in Pentaho, a Hitachi Vantara owned business intelligence and data analytics platform used in a wide range of industries.
Three of the identified weaknesses could be exploited to allow an attacker to gain complete control of a server hosting the software, allowing them to execute malicious commands and steal data.
In the case of two of the vulnerabilities, successful exploitation of the flaws was possible even for users with minimal privileges and in one instance, exploitation was possible using an account without any authentication at all.
Withington followed a disclosure process to report the issues and Hitachi Vantara issued patches to remediate them.
The find comes as a recent survey by Aura's parent Kordia found that third-party attacks were responsible for 28 per cent of cyber incidents impacting Kiwi businesses in the past 12 months.
“Attackers often look at third-party software and data platforms as a 'back door' to access sensitive customer data," said Phil Dobson, general manager of assurance at Aura.
"Businesses are increasingly seeing their suppliers and vendors leveraged by cybercriminals to inflict damage, so there’s a real need to ensure that any third-party software or application used meets the most stringent levels of security.”
Due to the critical nature of the flaws discovered, Aura advised Pentaho customers to urgently update to the latest version.
Dobson said Withington’s find is just one example of how “white hat” hackers are playing a vital role in remediating security issues.
“When a 'white hat' hacker finds these weaknesses first, it gives developers and vendors a chance to remediate and push out patches to their customers, before any damage can be done,” Dobson said.
Aura Information Security sets aside up to 20 per cent of its consultants’ time for such research-based projects.
