Oracle Application Testing Suite (April 2025 CPU)

🗓️ 17 Apr 2025 00:00:00Reported by TenableType

Oracle Application Testing Suite versions vulnerable to DOS attacks; see April 2025 CPU advisory.

Reporter	Title	Published	Views	Family All 109
IBM Security Bulletins	Security Bulletin: A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1, affects watsonx.data	12 Jun 202510:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to Denial of Service vulnerability in Json-smart (CVE-2024-57699)	27 Mar 202500:18	–	ibm
IBM Security Bulletins	Security Bulletin: A denial-of-service attack, heap use after free, network server exploit, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service	8 Jul 202517:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to a vulnerability found in Node.js	6 May 202509:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Db2 used by IBM Security Verify Governance has multiple vulnerabilities	23 Feb 202612:30	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerability fixes in IBM webMethods Managed File Transfer On-Prem	22 Dec 202513:43	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Application Modernization Accelerator is vulnerable to a vulnerability found in Node.js	6 May 202509:39	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to json-smart (CVE-2024-57699)	27 May 202512:14	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM® Db2® affect IBM® Db2® Big SQL on IBM Cloud Pak for Data	23 Jan 202612:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Engineering Requirements Management DOORS/DWA vulnerabilities addressed in 9.7.2.10	29 Jul 202522:30	–	ibm

Source	Link
oracle	www.oracle.com/docs/tech/security-alerts/cpuapr2025csaf.json
oracle	www.oracle.com/security-alerts/cpuapr2025.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(234548);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/24");

  script_cve_id("CVE-2024-57699");
  script_xref(name:"IAVA", value:"2025-A-0267-S");

  script_name(english:"Oracle Application Testing Suite (April 2025 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The versions of Oracle Application Testing Suite installed on the remote host are affected by multiple vulnerabilities
as referenced in the April 2025 CPU advisory.

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component:
    Load Testing for Web Apps (json-smart)). The supported version that is affected is 13.3.0.1. Easily
    exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise
    Oracle Application Testing Suite. Successful attacks of this vulnerability can result in unauthorized
    ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Application Testing
    Suite. (CVE-2024-57699)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2025csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2025.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2025 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-57699");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_testing_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_application_testing_suite_installed.nbin");
  script_require_keys("installed_sw/Oracle Application Testing Suite");

  exit(0);
}

include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_oats::get_app_info();

var patches_to_report;
var patches_to_check;
if (get_kb_item('SMB/Registry/Enumerated'))
{
  patches_to_report = make_list('37766891');
}
else
{
  patches_to_report = make_list('37766891', '37155595');
  patches_to_check = make_list('37155595');
}


var constraints = [
  { 'min_version' : '13.3.0.1', 'fixed_version' : '13.3.0.1.638' }
];

vcf::oracle_oats::check_version_and_report(
  app_info:app_info,
  severity:SECURITY_HOLE,
  constraints:constraints,
  patches_to_report:patches_to_report,
  patches_to_check:patches_to_check
);

24 Feb 2026 00:00Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.17.5

EPSS0.00058

SSVC