CVE-2021-45447 is a critical security vulnerability found in older versions of Hitachi Vantara Pentaho Business Analytics Server, specifically versions before 9.3.0.0, 9.2.0.2, and 8.3.0.25. This flaw is linked to the "Data Lineage" feature, which is supposed to help users understand where data comes from, how it's transformed, and where it ends up. Instead, for a period and under certain configurations, this feature exposed your database passwords openly across the network.
Let’s break down what this means, see how you can test for it (with example code), and learn how to protect your business from this security disaster.
Why Is This a Big Deal?
When enabled, the Data Lineage feature transmits database connection passwords unencrypted, in plain text, across the network. Anyone with access to your network traffic could simply sniff this sensitive information, authenticate as your database user, and do pretty much anything: read or destroy data, steal secrets, or escalate their attack.
If you're using an affected Pentaho server, your org's data is exposed to *internal* threat actors (like a malicious employee or an attacker who has already compromised your network). This isn't just a theoretical risk: the flaw was confirmed in production environments.
Technical Details — What's Happening?
Whenever the Data Lineage feature is used in vulnerable Pentaho versions, the server may send REST requests containing sensitive connection info, including the database password in clear text. Typically, this is via HTTP, meaning *no encryption at all*.
Here's a simplified look at what can happen:

```http
POST /pentaho/plugin/data-lineage/api/v1/lineage HTTP/1.1
Host: analytics.example.com
Content-Type: application/json
Authorization: Basic YWRtaW46cGFzc3dvcmQ=

{
  "databaseConnection": {
    "name": "MainDB",
    "databaseType": "PostgreSQL",
    "hostname": "db.example.com",
    ...
    "username": "pentaho_user",
    "password": "SuperSecretPassword123"
  }
}
```
As you can see, the password field is right there, readable by anyone capturing the network traffic. If this is a production user, all data on that database could be at risk.
Look for Password Leaks:
- Analyze HTTP traffic for API calls to /plugin/data-lineage/api/v1/lineage.
Example Wireshark display filter:

    http.request.method == "POST" && http contains "password"
Upgrade to a Fixed Version:
- Pentaho 8.3.0.25 or later (see the fixed versions listed above)
- Official Pentaho downloads and advisories
Use HTTPS Everywhere:
- Make sure all connections to your Pentaho server are over TLS/SSL.
Audit Your Logs and Network:
- Check network logs for unauthorized access to /plugin/data-lineage/api/v1/lineage.
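The two checks above (spotting lineage requests that carry a password in the body, and auditing access logs for hits on the lineage endpoint) can be scripted. The following is an added example written for this article, not code from Hitachi Vantara or Pentaho. The HTTP stream and the access-log lines are constructed samples; the only value taken from the page is the endpoint path /plugin/data-lineage/api/v1/lineage. The example goes slightly beyond the article's single request by walking nested JSON for any `password` field and redacting the secret before it is reported, so the detector's own output does not become a second leak.

```python
"""Detect clear-text database passwords in captured Pentaho Data Lineage
traffic and audit access-log lines for the lineage endpoint.

Added example for this article, not Pentaho's own code. The sample requests
and log lines below are constructed; the endpoint path is the one the
article names.
"""
import json
import re

LINEAGE_PATH = "/plugin/data-lineage/api/v1/lineage"

# Constructed sample: two HTTP requests as they might appear on the wire.
SAMPLE_STREAM = (
    "POST /pentaho/plugin/data-lineage/api/v1/lineage HTTP/1.1\r\n"
    "Host: analytics.example.com\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"databaseConnection": {"name": "MainDB", "username": "pentaho_user",'
    ' "password": "SuperSecretPassword123"}}'
    "\r\n\r\n"
    "GET /pentaho/api/system/ping HTTP/1.1\r\n"
    "Host: analytics.example.com\r\n"
    "\r\n"
)

# Constructed sample access log (combined log format, fields trimmed).
SAMPLE_ACCESS_LOG = """\
10.0.5.21 - - [02/Nov/2022:10:14:01 +0000] "POST /pentaho/plugin/data-lineage/api/v1/lineage HTTP/1.1" 200 512
10.0.5.21 - - [02/Nov/2022:10:15:44 +0000] "GET /pentaho/api/system/ping HTTP/1.1" 200 2
203.0.113.9 - - [02/Nov/2022:11:03:12 +0000] "POST /pentaho/plugin/data-lineage/api/v1/lineage HTTP/1.1" 200 498
"""

# Zero-width split in front of every request line in a raw stream.
_REQ_SPLIT = re.compile(
    r"(?=^(?:GET|POST|PUT|PATCH|DELETE) \S+ HTTP/1\.[01]\r?\n)", re.M
)
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_http_requests(stream):
    """Split a raw request stream into (method, path, headers, body) tuples."""
    requests = []
    for chunk in _REQ_SPLIT.split(stream):
        chunk = chunk.strip()
        if not chunk:
            continue
        head, _, body = chunk.partition("\r\n\r\n")
        lines = head.split("\r\n")
        method, path, _ = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        requests.append((method, path, headers, body.strip()))
    return requests


def _password_fields(obj, prefix=""):
    """Yield (dotted.path, value) for every non-empty 'password' key, at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if key.lower() == "password" and isinstance(value, str) and value:
                yield path, value
            else:
                yield from _password_fields(value, path)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _password_fields(value, f"{prefix}[{i}]")


def find_password_leaks(stream):
    """One finding per POST to the lineage endpoint whose JSON body carries a
    password. The secret itself is never returned, only its field and length."""
    findings = []
    for method, path, headers, body in parse_http_requests(stream):
        if method != "POST" or LINEAGE_PATH not in path:
            continue
        try:
            payload = json.loads(body) if body else {}
        except json.JSONDecodeError:
            payload = {}
        for field, secret in _password_fields(payload):
            findings.append({
                "host": headers.get("host", "?"),
                "path": path,
                "field": field,
                "secret_length": len(secret),  # redacted on purpose
            })
    return findings


def audit_access_log(lines, allowed_sources):
    """Return lineage-endpoint hits whose source IP is not on the allow-list."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or LINEAGE_PATH not in m.group("path"):
            continue
        if m.group("ip") not in allowed_sources:
            hits.append({"source": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method")})
    return hits


if __name__ == "__main__":
    for finding in find_password_leaks(SAMPLE_STREAM):
        print("CLEAR-TEXT PASSWORD:", finding)
    for hit in audit_access_log(SAMPLE_ACCESS_LOG.splitlines(), {"10.0.5.21"}):
        print("LINEAGE CALL FROM UNEXPECTED SOURCE:", hit)
```

In practice you would feed `find_password_leaks` the reassembled TCP payload exported from a capture (for example Wireshark's "Follow TCP Stream" output) and `audit_access_log` the web server or reverse proxy access log in front of Pentaho; the allow-list is the set of hosts that legitimately call the lineage API. Once the server is only reachable over TLS, a capture should yield no parseable request lines at all, which is itself a useful check that the HTTPS enforcement actually took effect.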
References
- NIST CVE-2021-45447
- Hitachi Security Advisory
- Pentaho
- Original Issue - GitHub Discussion (if available)
In Summary
CVE-2021-45447 is a classic example of how a "feature" can become a major security risk if it isn't designed with confidentiality in mind. Transmitting passwords in clear text over the network is a critical flaw: one that is easy to detect, easy to exploit, and devastating if left unpatched.
If you're running an old version of Pentaho with Data Lineage enabled, upgrade now.
Disable features you don't use, enforce strong encryption, and audit your network for leaks. Don't wait until someone inside or outside your company uses this simple flaw against you.
*Bookmark this page and share it with your IT team to keep your data—and your business—safe.*
Timeline
Published on: 11/02/2022 15:15:00 UTC
Last modified on: 11/04/2022 13:28:00 UTC