Lucene search
K

Oracle GoldenGate for Big Data Multiple Vulnerabilities 21.x < 21.21.0.0.0 (January 2026 CPU)

🗓️ 22 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Oracle GoldenGate for Big Data 21.x has vulnerabilities in SQL server driver input validation, Xml stream reader, and Netty request smuggling.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Oct 2025
31 Oct 202511:14
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in Apache Commons IO affects IBM watsonx Assistant for IBM Cloud Pak for Data
5 Feb 202520:46
ibm
IBM Security Bulletins
Security Bulletin: IBM Operational Decision Manager for December 2025 - Multiple CVEs addressed
29 Jan 202607:37
ibm
IBM Security Bulletins
Security Bulletin: Denial of Service vulnerability in Apache Commons IO affects IBM Business Automation Workflow - CVE-2024-47554
7 Feb 202516:25
ibm
IBM Security Bulletins
Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing Apache Commons IO is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the org.apache.commons.io.input.XmlStreamReader class.
3 Jan 202511:04
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data (March 2025)
27 Mar 202516:18
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in commons-io affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-47554]
20 Jun 202510:31
ibm
IBM Security Bulletins
Security Bulletin: Remediation of Multiple Apache Struts Vulnerabilities in IBM Library Support for Struts
9 Mar 202610:35
ibm
IBM Security Bulletins
Security Bulletin: IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons IO (CVE-2024-47554)
28 Mar 202517:07
ibm
IBM Security Bulletins
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to command injection due to the Netty package (CVE-2025-59419)
13 Jan 202616:06
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(294984);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id(
    "CVE-2024-47554",
    "CVE-2025-58056",
    "CVE-2025-58057",
    "CVE-2025-59250",
    "CVE-2025-59419"
  );
  script_xref(name:"IAVA", value:"2026-A-0065-S");

  script_name(english:"Oracle GoldenGate for Big Data Multiple Vulnerabilities 21.x < 21.21.0.0.0 (January 2026 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The Oracle GoldenGate for Big Data application on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle GoldenGate for Big Data application located on the remote
host is affected by multiple vulnerabilities:

  - Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
    (CVE-2025-59250)

  - Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class 
    may excessively consume CPU resources when processing maliciously crafted input. (CVE-2024-47554)

  - Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol 
    servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline 
    characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per 
    HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), 
    attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. 
    (CVE-2025-58056)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2026.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle GoldenGate for Big Data version 21.21.0.0.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-59250");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-59419");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/10/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:goldengate_application_adapters");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_goldengate_for_big_data_installed.nbin");
  script_require_keys("installed_sw/Oracle GoldenGate for Big Data");

  exit(0);
}

include('vcf.inc');

var app_name = 'Oracle GoldenGate for Big Data';
var app_info = vcf::get_app_info(app:app_name);

var constraints = [
  { 'min_version':'21.0.0.0.0', 'fixed_version':'21.21.0.0.0', 'fixed_display': '21.21.0.0.0 (38858521)' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Apr 2026 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.18.1
CVSS 46.9
EPSS0.01617
SSVC
3