CVE-2024-37361 Overview
CVE-2024-37361 is an insecure deserialization vulnerability in Hitachi Vantara Pentaho Business Analytics Server. The application deserializes untrusted JSON data without constraining the parser to approved classes and methods [CWE-502]. Authenticated attackers can leverage gadget chains during deserialization to execute unauthorized actions on the server. The flaw affects Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including the 8.3.x branch.
Critical Impact
Network-accessible attackers with low-privilege accounts can chain gadget classes during JSON deserialization to achieve unauthorized code execution and full compromise of the Pentaho Business Analytics Server.
Affected Products
- Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0
- Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.9
- Hitachi Vantara Pentaho Business Analytics Server 8.3.x branch
Discovery Timeline
- 2025-02-20 - CVE-2024-37361 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-37361
Vulnerability Analysis
The vulnerability stems from unsafe JSON deserialization within Pentaho Business Analytics Server. The application accepts serialized JSON input and reconstructs Java objects without restricting which classes the parser may instantiate. This permissive behavior is the defining condition for insecure deserialization flaws categorized under [CWE-502].
During deserialization, attacker-supplied data drives constructor calls, setter invocations, and method dispatch on classes available in the server's classpath. Pentaho ships with a broad set of libraries common to enterprise Java analytics platforms, providing ample candidate classes for gadget chain construction. Attackers can combine these instances to trigger arbitrary method invocations before the deserialized object is returned to the caller.
Because the issue resides in the parser configuration rather than a single endpoint, multiple request paths that accept JSON payloads can become exploitation vectors. Exploitation requires only low privileges and no user interaction, and the scope changes once code executes within the Pentaho process context.
Root Cause
Developers placed no restrictions on the JSON deserializer to allowlist approved classes or block known dangerous types. Without a class filter or type guard, the parser honors polymorphic type hints embedded in attacker-controlled JSON and instantiates whatever classes the input requests.
Attack Vector
An authenticated attacker submits a crafted JSON document to a Pentaho endpoint that triggers deserialization. The payload references a gadget chain assembled from classes already present on the server. Method invocations executed during object reconstruction lead to unauthorized command execution, data access, or modification of server state. No verified public exploit code is available at this time. See the Pentaho Security Advisory CVE-2024-37361 for vendor-provided technical details.
Detection Methods for CVE-2024-37361
Indicators of Compromise
- Unexpected child processes spawned by the Pentaho Java process, such as cmd.exe, powershell.exe, bash, or sh.
- HTTP POST or PUT requests to Pentaho endpoints containing JSON payloads with polymorphic type hints like @class, @type, or fully qualified Java class names.
- Outbound network connections from the Pentaho server to unfamiliar hosts immediately following JSON API requests.
- New or modified files in the Pentaho web application directories created by the server process outside scheduled jobs.
Detection Strategies
- Inspect web server and application logs for JSON request bodies referencing classes such as com.sun.rowset.JdbcRowSetImpl, org.apache.commons.collections, or other known gadget chain entry points.
- Monitor the Pentaho JVM for anomalous reflection activity and unexpected class loading through Java Flight Recorder or equivalent runtime telemetry.
- Correlate authenticated session activity with process and network telemetry to identify low-privilege accounts triggering server-side code execution.
Monitoring Recommendations
- Forward Pentaho access logs, JVM logs, and host-level process telemetry to a centralized analytics platform for correlation.
- Alert on any process spawned by the Pentaho service account that is not part of an approved job execution baseline.
- Track authentication events for service and analyst accounts and flag deviations in source IP, user-agent, or request volume.
How to Mitigate CVE-2024-37361
Immediate Actions Required
- Upgrade Hitachi Vantara Pentaho Business Analytics Server to version 10.2.0.0 or 9.3.0.9 or later as published in the vendor advisory.
- Restrict network access to the Pentaho Business Analytics Server so only trusted administrative networks can reach its HTTP endpoints.
- Audit Pentaho user accounts and rotate credentials for any account with API or report-execution privileges.
- Review server logs and host telemetry for indicators of exploitation prior to patching.
Patch Information
Hitachi Vantara has released fixed builds. Apply Pentaho Business Analytics Server 10.2.0.0, 9.3.0.9, or later. Customers on the 8.3.x branch must migrate to a supported fixed release. Refer to the Pentaho Security Advisory CVE-2024-37361 for upgrade procedures and validated fix versions.
Workarounds
- Place the Pentaho Business Analytics Server behind a reverse proxy or web application firewall that inspects and blocks JSON bodies containing polymorphic type hints.
- Enforce least-privilege access on Pentaho roles to reduce the number of accounts capable of submitting deserialization-triggering requests.
- Run the Pentaho service under a dedicated low-privilege OS account with restricted filesystem and network egress permissions until patches are applied.
# Example reverse proxy rule to block JSON payloads with polymorphic type hints
# (adapt regex and paths to your environment)
location /pentaho/ {
if ($request_method ~* "(POST|PUT|PATCH)") {
set $block_json 0;
}
if ($http_content_type ~* "application/json") {
set $block_json "${block_json}1";
}
if ($request_body ~* "(\"@class\"|\"@type\"|JdbcRowSetImpl|TemplatesImpl)") {
set $block_json "${block_json}1";
}
if ($block_json = "011") {
return 403;
}
proxy_pass http://pentaho_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
