Pentaho API Auth bypass (CVE-2021-31602)
Description
This vulnerability allows an unauthenticated remote attacker to bypass the authentication mechanisms of Hitachi Vantara's Pentaho Business Analytics Server by sending specially crafted HTTP requests to its API endpoints. The bypass stems from improper access control enforcement (CWE-863): the server does not apply its access rules consistently to the API, so protected API functionality can be reached without ever presenting valid credentials.
Remediation
Upgrade Pentaho Business Analytics Server to version 9.2 or later, which addresses CVE-2021-31602, as soon as possible. If immediate patching is not possible, apply the following temporary mitigations until the upgrade is complete:
1. Restrict network access to the Pentaho API endpoints (served under the /pentaho/api/ path on a default deployment) using firewall rules or web application firewall (WAF) policies, so that only trusted source addresses can reach them
2. Enable an additional authentication layer at the reverse proxy or load balancer in front of the server, so that a request must authenticate to the proxy before it can reach Pentaho at all
3. Monitor API access logs for API requests that are served successfully without an authenticated session, and alert on them
4. After applying the patch, review and validate all existing API access controls, and remove the temporary mitigations only once the fix has been verified
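The following script is an added example of the log monitoring in mitigation 3; it is not part of this advisory or of Pentaho's own tooling. It assumes Tomcat's AccessLogValve has been configured with the pattern `%h %t "%r" %s %b "%{JSESSIONID}c"` (the default pattern does not log the session cookie, and because Pentaho authenticates through Spring Security rather than the container, the `%u` field is not a usable signal) and that the server runs under the default /pentaho context path. The sample log lines are constructed for the example, and the allowlist entry is a hypothetical endpoint your deployment may legitimately serve anonymously.

```python
"""Triage Pentaho access-log lines for API requests served without a session cookie.

Added example, not Pentaho-supplied code. Assumes the Tomcat AccessLogValve
pattern:  %h %t "%r" %s %b "%{JSESSIONID}c"   (assumption: not the default)
and the default /pentaho context path.
"""
import re
from collections import Counter

# Fields in the assumed pattern: host, timestamp, request line, status, bytes, JSESSIONID value.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<session>[^"]*)"$'
)

API_PREFIX = "/pentaho/api/"

# Constructed sample: one normal login flow, one source hitting the API with no cookie at all.
SAMPLE_LOG = """\
10.0.0.5 [10/Oct/2021:13:55:36 +0000] "GET /pentaho/Login HTTP/1.1" 200 8123 "-"
10.0.0.5 [10/Oct/2021:13:55:40 +0000] "POST /pentaho/j_spring_security_check HTTP/1.1" 302 0 "A1B2C3"
10.0.0.5 [10/Oct/2021:13:55:41 +0000] "GET /pentaho/api/repo/files/children HTTP/1.1" 200 2048 "A1B2C3"
198.51.100.7 [10/Oct/2021:14:02:11 +0000] "GET /pentaho/api/userrolelist/systemRoles HTTP/1.1" 200 512 "-"
198.51.100.7 [10/Oct/2021:14:02:12 +0000] "GET /pentaho/api/repo/files/children?depth=2 HTTP/1.1" 200 4096 "-"
198.51.100.7 [10/Oct/2021:14:02:13 +0000] "GET /pentaho/api/system/refresh/metadata HTTP/1.1" 401 0 "-"
203.0.113.9 [10/Oct/2021:14:10:00 +0000] "GET /pentaho/api/version/show HTTP/1.1" 200 16 "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_only"] = rec["path"].split("?", 1)[0]  # drop the query string for matching
    return rec


def find_unauthenticated_api_hits(lines, allowlist=frozenset()):
    """Return records for API requests answered 2xx while the client sent no JSESSIONID.

    A missing cookie on a successful API call is the signal to hunt: a legitimate
    client has a session from the login flow. The converse is not proof of
    authentication (a cookie is issued before login), so this only catches the
    crudest form of abuse and should be paired with the other mitigations.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path_only"].startswith(API_PREFIX):
            continue
        if rec["path_only"] in allowlist:  # endpoints deliberately served anonymously
            continue
        if rec["session"] != "-":
            continue
        if 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address, for prioritising follow-up."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    # Hypothetical allowlist entry; tune for what your deployment intentionally exposes.
    found = find_unauthenticated_api_hits(SAMPLE_LOG.splitlines(), allowlist={"/pentaho/api/version/show"})
    for h in found:
        print(f'{h["host"]} {h["time"]} {h["method"]} {h["path"]} -> {h["status"]} (no session)')
    print("by source:", dict(summarize_by_source(found)))
```

Run it against a real log with `find_unauthenticated_api_hits(open(path).read().splitlines(), allowlist=...)`; any source that repeatedly scores hits outside the allowlist warrants an immediate look at what it retrieved.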
Verify the patch installation by requesting API endpoints without any authentication credentials or session cookie and confirming that every request is denied (an HTTP 401 or 403 response, or a redirect to the login page) rather than served. Run this check from a network location that the temporary mitigations do not block, since a firewall or WAF rule in front of an unpatched server would otherwise mask the result, and confirm that the server reports the patched version.
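As an added example of that verification (not a tool from the advisory or from Pentaho), the script below requests a set of API paths with no credentials and no cookies, refuses to follow redirects so that a redirect to the login page is visible as a denial, and reports any endpoint that is served with a 2xx as exposed. The base URL and the endpoint list are assumptions; extend the list with the API paths your deployment actually exposes.

```python
"""Probe Pentaho API endpoints without credentials and classify each response.

Added example, not Pentaho-supplied code. Assumes the BA Server is reachable
at BASE_URL under the default /pentaho context path; PROBE_PATHS is an
assumed starting list, not an exhaustive one.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://pentaho.example.internal"  # assumption: replace with your server
PROBE_PATHS = [                                # assumption: extend with your exposed endpoints
    "/pentaho/api/userrolelist/systemRoles",
    "/pentaho/api/repo/files/children",
    "/pentaho/api/system/refresh/metadata",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib surfaces 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location=None):
    """Map an unauthenticated response to DENIED, EXPOSED or REVIEW.

    DENIED:  401/403, or a redirect whose target is the login page.
    EXPOSED: any 2xx, i.e. the endpoint answered without credentials.
    REVIEW:  anything else (404, 405, 5xx, redirects elsewhere); a 404 may mean
             the path is wrong rather than protected, so do not count it as a pass.
    """
    if status in (401, 403):
        return "DENIED"
    if 300 <= status < 400:
        target = urlsplit(location or "").path.lower()
        return "DENIED" if target.endswith("/login") else "REVIEW"
    if 200 <= status < 300:
        return "EXPOSED"
    return "REVIEW"


def probe(base_url, paths, timeout=10):
    """Request each path with no Authorization header or Cookie; return {path: (status, verdict)}."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path, headers={"Accept": "application/json"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:  # 4xx, 5xx and (because of _NoRedirect) 3xx land here
            status, location = err.code, err.headers.get("Location")
        results[path] = (status, classify(status, location))
    return results


def patched(results):
    """True only when no probed endpoint was served without authentication."""
    return all(verdict != "EXPOSED" for _, verdict in results.values())


if __name__ == "__main__":
    outcome = probe(BASE_URL, PROBE_PATHS)
    for path, (status, verdict) in outcome.items():
        print(f"{status} {verdict:8} {path}")
    print("PASS" if patched(outcome) else "FAIL: unauthenticated access still possible")
```

A REVIEW verdict is deliberately not a pass: repeat the probe with a known-good path list, and compare the responses with the same requests sent with a valid session, so that a 404 caused by a typo is not mistaken for enforcement.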