Detections
Analytics
Oracle Essbase Information Disclosure Vulnerability (January 2026 CPU)
high Nessus Plugin ID 296371
Synopsis
A business analytics solution installed on the remote host is affected by a Information Disclosure Vulnerability.Description
The version of Oracle Essbase installed on the remote host is missing a security patch from the January 2026 Critical Patch Update (CPU). It is, therefore, affected by:- yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. (CVE-2025-66566) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Apply the appropriate patch according to the January 2026 Oracle Critical Patch Update advisory.See Also
https://www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json
Plugin Details
Severity: High
ID: 296371
File Name: oracle_essbase_cpu_jan_2026.nasl
Version: 1.1
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 1/23/2026
Updated: 1/23/2026
Configuration: Enable paranoid mode, Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: High
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS Score Source: CVE-2025-66566
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Information
CPE: cpe:/a:oracle:essbase
Required KB Items: Settings/ParanoidReport, installed_sw/Oracle Essbase
Patch Publication Date: 2/1/2026
Vulnerability Publication Date: 1/21/2026
Reference Information
CVE: CVE-2025-66566
IAVA: 2026-A-0064