Detections
Analytics

Oracle GoldenGate for Big Data 12.2.0.1.x < 12.2.0.1.10 / 12.3.1.1.x < 12.3.1.1.6 Multiple Vulnerabilities (Oct 2018 CPU)

critical Nessus Plugin ID 134225

Language:

Synopsis

The Oracle GoldenGate for Big Data application on the remote host is affected by a denial of service vulnerability.

Description

The version of Oracle GoldenGate for Big Data application located on the remote host is 12.2.0.1.x less than 12.2.0.1.10 or 12.3.1.1.x less than 12.3.1.1.6. It is, therefore, affected by multiple vulnerabilities :

- An unspecified vulnerability exists in Oracle GoldenGate for Big Data. An authenticated, remote attacker can exploit this, via unknown vectors, to compromise confidentiality, integrity, and availability.
 (CVE-2016-0635)

 - An authorization bypass vulnerability exists in Spring Framework 5.0.5 when used in conjunction with Spring Security and using method security. An authenticated, remote attacker can exploit this to gain unauthorized access to methods that should be restricted. (CVE-2018-1258)

 - A remote code execution vulnerability exists in the Spring Framework. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2018-1275)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patches according to the October 2018 Oracle Critical Patch Update advisory.

See Also

https://www.oracle.com/security-alerts/cpuoct2018.html

Plugin Details

Severity: Critical

ID: 134225

File Name: oracle_goldengate_for_big_data_cpu_oct_2018.nasl

Version: 1.5

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 3/5/2020

Updated: 5/18/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2016-0635

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2018-1275

Vulnerability Information

CPE: cpe:/a:oracle:goldengate_application_adapters

Required KB Items: Settings/ParanoidReport, installed_sw/Oracle GoldenGate for Big Data

Exploit Ease: No known exploits are available

Patch Publication Date: 10/18/2018

Vulnerability Publication Date: 10/18/2018

Reference Information

CVE: CVE-2016-0635, CVE-2018-1258, CVE-2018-1275

BID: 91869, 103771, 104222