CVE-2021-31602 Overview
CVE-2021-31602 is an authentication bypass affecting Hitachi Vantara Pentaho through version 9.1 and Pentaho Business Intelligence Server through 7.x. The flaw lies in the application's Spring Security configuration, defined in applicationContext-spring-security.xml: the default access control rules allow unauthenticated network requests to retrieve sensitive platform information. The weakness maps to [CWE-287] Improper Authentication and is exploitable remotely over the network without user interaction.
Critical Impact
Unauthenticated remote attackers can read sensitive platform information from affected Pentaho deployments by abusing the default Spring Security access control rules. The EPSS score recorded for this CVE is 92.77%, a high estimated probability of exploitation in the wild; EPSS scores are recalculated daily, so check the current value before prioritising.
Affected Products
- Hitachi Vantara Pentaho through 9.1
- Hitachi Vantara Pentaho Business Intelligence Server through 7.x
- Deployments using the default applicationContext-spring-security.xml configuration
Discovery Timeline
- 2021-11-08 - CVE-2021-31602 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-31602
Vulnerability Analysis
Pentaho enforces access control at several layers. The web tier is governed by Spring Security, configured in applicationContext-spring-security.xml. That file declares the filter chain and, through its intercept-url rules, the URL patterns and the authentication requirement for each endpoint the platform exposes.
The shipped configuration grants anonymous access to URL patterns that should require authentication. An attacker who knows only the base URL of a Pentaho instance can therefore request those resources and receive normal responses; no credentials, session token, or prior knowledge of the platform's settings is required.
The vulnerability is classified as Improper Authentication [CWE-287]. The impact is limited to confidentiality: the issue discloses information that should be available only to authenticated users, but it does not modify server state or deny service.
Root Cause
The root cause is an insecure default in the Spring Security XML descriptor: the intercept-url rules in applicationContext-spring-security.xml do not require authentication for URL patterns that disclose platform information. Because Spring Security applies the first rule whose pattern matches the request, an over-permissive rule takes effect for every URL it matches, and administrators inherit this policy unless they harden the file after installation.
Attack Vector
An attacker reaches the vulnerable endpoints directly over HTTP or HTTPS, depending on how the server is exposed, by sending requests to Pentaho URLs governed by the default Spring Security chain. The server returns information that should be restricted to authenticated users. A public proof of concept titled "Pentaho Business Analytics / Pentaho Business Server 9.1 Authentication Bypass" was published via Packet Storm Security.
Detection Methods for CVE-2021-31602
Indicators of Compromise
- Unauthenticated HTTP requests to Pentaho endpoints normally requiring authentication, returning HTTP 200 with sensitive payloads
- Access log entries for protected URLs with no JSESSIONID cookie or other authenticated session identifier (the access log must be configured to record the cookie, for example with Tomcat's %{JSESSIONID}c pattern, or this indicator is not visible)
- Spikes in requests from a single source IP enumerating Pentaho API paths
Detection Strategies
- Review the deployed applicationContext-spring-security.xml for intercept-url rules whose access attribute admits anonymous callers (IS_AUTHENTICATED_ANONYMOUSLY, an anonymous role, or permitAll under expression-based access) on sensitive URLs
- Inspect Pentaho server access logs for requests to administrative or data-retrieval endpoints without a preceding successful authentication
- Correlate web application firewall (WAF) telemetry against the request patterns documented in the Packet Storm proof of concept
Monitoring Recommendations
- Forward Pentaho and reverse proxy access logs to a centralized log platform with alerts on anonymous access to protected paths
- Track HTTP response sizes for endpoints that normally return small payloads, as information disclosure responses often exceed the baseline
- Monitor for outbound data transfers from the Pentaho host that follow anonymous inbound request bursts
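The log-based indicators above (anonymous 200 responses on protected paths, missing session cookies, per-source enumeration bursts and oversized responses) can be checked with a short script. The following is an added example, not code from this page or from Hitachi Vantara. It assumes the Tomcat access log was written with a pattern like `%h %l %u %t "%r" %s %b %{JSESSIONID}c` (the trailing field is the JSESSIONID request cookie, `-` when absent), that protected paths live under /pentaho/api/ and /pentaho/plugin/ (matching the /api/** and /plugin/** patterns used in the configuration example later on this page), and that 1024 bytes is a reasonable size baseline; the log lines are constructed, not captured from a real server.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed Tomcat AccessLogValve pattern (not necessarily Pentaho's shipped default):
#   %h %l %u %t "%r" %s %b %{JSESSIONID}c
# The trailing field is the JSESSIONID request cookie, "-" when absent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) (?P<jsid>\S+)$'
)

# Assumed prefixes of paths Pentaho should serve only to authenticated users.
PROTECTED_PREFIXES = ("/pentaho/api/", "/pentaho/plugin/")
# Assumed byte size above which a response on a protected path looks like a data dump.
SIZE_BASELINE = 1024


@dataclass
class Finding:
    ip: str
    path: str
    size: int
    reason: str


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_protected(path):
    return path.startswith(PROTECTED_PREFIXES)


def find_anonymous_hits(lines):
    """Flag successful responses on protected paths for requests that carried no JSESSIONID cookie.

    Tomcat's %u is filled in by container authentication, so with a Spring Security form login
    it is typically "-" even for authenticated users; the cookie field is the usable signal here.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_protected(rec["path"]):
            continue
        if rec["status"] == 200 and rec["jsid"] == "-":
            reason = "200 on protected path without session cookie"
            if rec["size"] > SIZE_BASELINE:
                reason += f"; {rec['size']} bytes exceeds {SIZE_BASELINE} byte baseline"
            findings.append(Finding(rec["ip"], rec["path"], rec["size"], reason))
    return findings


def enumeration_sources(lines, threshold=3):
    """Map source IP -> number of distinct protected paths requested, for IPs at or above threshold."""
    paths_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_protected(rec["path"]):
            paths_by_ip[rec["ip"]].add(rec["path"])
    return {ip: len(paths) for ip, paths in paths_by_ip.items() if len(paths) >= threshold}


# Constructed sample log lines; not captured from a real Pentaho server.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Nov/2021:10:01:02 +0000] "GET /pentaho/api/example/one HTTP/1.1" 200 5120 -',
    '203.0.113.7 - - [08/Nov/2021:10:01:03 +0000] "GET /pentaho/api/example/two?x=1 HTTP/1.1" 200 8421 -',
    '203.0.113.7 - - [08/Nov/2021:10:01:04 +0000] "GET /pentaho/api/example/three HTTP/1.1" 401 - -',
    '198.51.100.2 - - [08/Nov/2021:10:02:00 +0000] "GET /pentaho/api/example/one HTTP/1.1" 200 5120 A1B2C3D4E5F6',
    '198.51.100.9 - - [08/Nov/2021:10:03:00 +0000] "GET /pentaho/Login HTTP/1.1" 200 2200 -',
]

if __name__ == "__main__":
    for f in find_anonymous_hits(SAMPLE_LOG):
        print(f"{f.ip} {f.path}: {f.reason}")
    print("enumeration sources:", enumeration_sources(SAMPLE_LOG))
```

The absence of a session cookie on a 200 response to a protected path is a strong indicator, but its presence is not proof of authentication: a servlet container can hand a JSESSIONID to an anonymous visitor, so hits that do carry a cookie should still be confirmed against the server's own authentication records before they are dismissed.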
How to Mitigate CVE-2021-31602
Immediate Actions Required
- Restrict network access to Pentaho servers using firewall rules or reverse proxy allowlists until patching is complete
- Audit applicationContext-spring-security.xml and tighten its intercept-url rules so that sensitive URLs require an authenticated role
- Review access logs for prior unauthenticated requests to protected endpoints and treat exposed data as potentially leaked
Patch Information
Hitachi Vantara publishes security advisories and fixed versions through Hitachi Security Resources. Upgrade Pentaho and Pentaho Business Intelligence Server to a release the vendor advisory lists as fixed for CVE-2021-31602 (later than 9.1 for the 9.x line), and apply any vendor-supplied configuration changes after the upgrade.
Workarounds
- Replace anonymous access grants on sensitive URL patterns in applicationContext-spring-security.xml with an authenticated-role requirement (for example ROLE_AUTHENTICATED, or a stricter role)
- Place Pentaho behind an authenticating reverse proxy or VPN to block direct internet exposure
- Disable unused Pentaho services and endpoints to reduce the attack surface available to unauthenticated clients
<!-- Configuration example: enforce authentication on Pentaho URL patterns
     in applicationContext-spring-security.xml. Spring Security evaluates
     intercept-url rules in document order and applies the first pattern
     that matches, so the catch-all "/**" rule must come last, and any path
     that has to stay anonymous (the login page and the static resources it
     loads) must be declared above it or users will no longer be able to
     log in. -->
<sec:intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY"/>
<sec:intercept-url pattern="/plugin/**" access="IS_AUTHENTICATED_FULLY"/>
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
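Reviewing the deployed applicationContext-spring-security.xml for anonymous grants, as the detection strategy earlier on this page recommends, and confirming that a hardened rule set like the one above is ordered correctly, can both be done mechanically. The following audit script is an added example, not part of this page or of Pentaho. It assumes the intercept-url elements are in the Spring Security namespace (http://www.springframework.org/schema/security), treats Spring's own ROLE_ANONYMOUS, IS_AUTHENTICATED_ANONYMOUSLY and permitAll plus an assumed deployment role name `Anonymous` as anonymous grants, and uses an assumed allowlist of paths (/Login, /js/**, /css/**) that legitimately stay anonymous. The three embedded configurations are constructed samples, not Pentaho's shipped file.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
INTERCEPT_URL = f"{{{SEC_NS}}}intercept-url"

# Access attributes that admit unauthenticated clients. ROLE_ANONYMOUS,
# IS_AUTHENTICATED_ANONYMOUSLY and permitAll are Spring Security's own;
# "Anonymous" is an assumed deployment-specific role name.
ANONYMOUS_GRANTS = {"Anonymous", "ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY", "permitAll"}

# Assumed allowlist of patterns that must stay reachable without a session.
EXPECTED_ANONYMOUS = {"/Login", "/js/**", "/css/**"}


def intercept_rules(xml_text):
    """Yield (pattern, [access attributes]) in document order, which is Spring's evaluation order."""
    root = ET.fromstring(xml_text)
    for el in root.iter(INTERCEPT_URL):
        access = [a.strip() for a in el.get("access", "").split(",") if a.strip()]
        yield el.get("pattern", ""), access


def anonymous_rules(xml_text):
    """Rules outside the allowlist whose access attribute admits anonymous clients."""
    return [
        (pattern, ",".join(access))
        for pattern, access in intercept_rules(xml_text)
        if pattern not in EXPECTED_ANONYMOUS and ANONYMOUS_GRANTS.intersection(access)
    ]


def shadowed_rules(xml_text):
    """Rules that an earlier, broader 'prefix/**' rule already matches.

    Spring Security applies the first matching intercept-url, so a later rule can never
    tighten what an earlier one grants. Only prefix/** patterns are modelled here; full
    Ant-style matching is not.
    """
    seen, shadowed = [], []
    for pattern, _ in intercept_rules(xml_text):
        for earlier in seen:
            if earlier.endswith("/**"):
                prefix = earlier[:-3]  # "/api/**" -> "/api", "/**" -> ""
                if pattern == prefix or pattern.startswith(prefix + "/"):
                    shadowed.append((pattern, earlier))
                    break
        seen.append(pattern)
    return shadowed


def audit(xml_text):
    """True when no anonymous grant covers a non-allowlisted path and no rule is shadowed."""
    return not anonymous_rules(xml_text) and not shadowed_rules(xml_text)


def _wrap(rules):
    # Wrap intercept-url rules in the bean/namespace boilerplate a real descriptor carries.
    return (
        '<beans xmlns="http://www.springframework.org/schema/beans" '
        f'xmlns:sec="{SEC_NS}"><sec:http use-expressions="false">'
        + rules + "</sec:http></beans>"
    )


# Constructed samples, not Pentaho's shipped file.
WEAK_CONFIG = _wrap(
    '<sec:intercept-url pattern="/Login" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/js/**" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/api/example/**" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/**" access="Authenticated"/>'
)
MISORDERED_CONFIG = _wrap(
    '<sec:intercept-url pattern="/Login" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/api/**" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/api/system/**" access="Authenticated"/>'
    '<sec:intercept-url pattern="/**" access="Authenticated"/>'
)
HARDENED_CONFIG = _wrap(
    '<sec:intercept-url pattern="/Login" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/js/**" access="Anonymous,Authenticated"/>'
    '<sec:intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY"/>'
    '<sec:intercept-url pattern="/plugin/**" access="IS_AUTHENTICATED_FULLY"/>'
    '<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>'
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("misordered", MISORDERED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "anonymous:", anonymous_rules(cfg), "shadowed:", shadowed_rules(cfg), "ok:", audit(cfg))
```

The misordered sample shows why rule order matters as much as the access attribute: the restrictive /api/system/** rule is never consulted because the anonymous /api/** rule above it matches first. Run the script against a copy of the real descriptor with the allowlist adjusted to the deployment's login page and static asset paths.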
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

