Lucene search
+L

Oracle Business Intelligence Enterprise Edition (OAS 7.6) (January 2025 CPU)

🗓️ 24 Jan 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 34 Views

Oracle Business Intelligence Enterprise Edition 7.6.0.0 has multiple critical vulnerabilities affecting security.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM Sterling Connect:Direct Web Services is uses spring-web-6.0.21.jar which is vulnerable to denial of service
12 Nov 202405:46
ibm
IBM Security Bulletins
Security Bulletin: IBM License Key Server Administration Agent is vulnerable to a remote code attack in Apache Commons (CVE-2024-29131, CVE-2024-29133)
30 Jul 202416:54
ibm
IBM Security Bulletins
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
15 Mar 202500:18
ibm
IBM Security Bulletins
Security Bulletin: Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by remote code execution (RCE) security vulnerability CVE-2016-1000027
25 May 202315:44
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data (March 2025)
27 Mar 202516:18
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench
30 Oct 202520:15
ibm
IBM Security Bulletins
Security Bulletin: IBM Operational Decision Manager for Sep 2024 - Multiple CVEs addressed
4 Oct 202406:44
ibm
IBM Security Bulletins
Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
19 Jun 202505:35
ibm
IBM Security Bulletins
Security Bulletin: IBM Asset Data Dictionary uses multiple third party dependencies which is vulnerable to CVEs.
6 Feb 202505:30
ibm
IBM Security Bulletins
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to out of bounds writes due to hbase-client
10 Mar 202515:31
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(214601);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id(
    "CVE-2016-1000027",
    "CVE-2023-29824",
    "CVE-2024-5535",
    "CVE-2024-29131",
    "CVE-2024-36114",
    "CVE-2024-38809",
    "CVE-2024-43382",
    "CVE-2024-47561"
  );
  script_xref(name:"IAVA", value:"2025-A-0060-S");

  script_name(english:"Oracle Business Intelligence Enterprise Edition (OAS 7.6) (January 2025 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.6.0.0 installed on the remote
host is affected by multiple vulnerabilities as referenced in the January 2025 CPU advisory, including the
following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Server (SciPy)). Supported versions that are affected are 7.0.0.0.0 and 7.6.0.0.0. 
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to 
    compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can 
    result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2023-29824)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Platform Security (OpenSSL)). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0 
    and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via 
    TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this 
    vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business 
    Intelligence Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently 
    repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2024-5535)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics 
    (component: Analytics Server, Pipeline Test Failures, Installation (Spring Framework)). Supported versions 
    that are affected are 7.0.0.0.0, 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows 
    unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence 
    Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause 
    a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition. 
    (CVE-2024-38809)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2025.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2025 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/U:Amber");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-29824");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2024-47561");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/01/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_analytics_server_installed.nbin");
  script_require_keys("installed_sw/Oracle Analytics Server");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Oracle Analytics Server');

# based on Oracle CPU data
var constraints = [
  {'min_version': '7.6.0.0.0', 'fixed_version': '7.6.0.0.241220', 'fixed_display': '7.6.0.0.241220 patch: 37415730'}
];

vcf::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Apr 2026 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
CVSS 3.19.8
CVSS 49.2
EPSS0.32257
SSVC
34