'White hat' NZ hackers reveal security holes in top software

11:38 am on 10 May 2023
Aura Information Security said one of its researchers discovered several vulnerabilities in a business intelligence and data analytics platform. Photo: 123rf

A New Zealand cyber security consultancy firm has uncovered major flaws in widely used business software.

Aura Information Security said one of its researchers, Harry Withington, discovered several vulnerabilities in Pentaho, a business intelligence and data analytics platform operating out of the United States.

Pentaho is used widely across the private and public sector and is owned by Japanese company Hitachi Vantara.

Aura general manager for assurance Phil Dobson said the security flaws discovered posed a major risk to servers hosting the software.

Aura said three of the weaknesses identified could have led to hackers gaining complete control of a server hosting Pentaho software.

"Cyber criminals or hackers, whichever preferred term you want to use, could take control essentially of servers hosting these tools," Dobson said.

"That might lead to them running code that could do malicious things, it would give them additional opportunities for stealing information."

Pentaho was notified of the discoveries and had since addressed the issues, he said.

Aura said in the case of two of the vulnerabilities, successful exploitation was possible for users with only minimal privileges, and in one case, exploitation was possible using an account without any authentication.

But Dobson said the discovery showed the importance of so-called "white hat" or ethical hackers.

"Research like this plays a critical role in keeping businesses safe. By taking an adversarial mindset when looking into how software and systems work, our team are identifying security flaws before malicious hackers and cyber criminals can exploit them."

He said cyber criminals were opportunistic operators.

"When a 'white hat' hacker finds these weaknesses first, it gives developers and vendors a chance to remediate and push out patches to their customers, before any damage can be done."
