The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.0.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (Stanford CoreNLP)). The supported version that is affected is 7.0.0.0.0.     Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can     result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2022-0239)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (OpenSSL)). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the     infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle     Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person     other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise     Edition. (CVE-2024-0727)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Web Answers). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0 and     12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human     interaction from a person other than the attacker and while the vulnerability is in Oracle Business     Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change).     Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read     access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2024-21139)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Business Intelligence Enterprise Edition (OAS 7.0) (July 2024 CPU)

critical Nessus Plugin ID 202907

Version 1.2

Version 1.1

Version 1.2 Jul 23, 2024, 8:53 AM CVSS metrics ("CVSSv2 score" set to 7.5) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv3 score source (set to "CVE-2022-21797") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" set to "Exploits are available") Plugin Feed: 202407230853
Version 1.1 Jul 22, 2024, 11:39 PM New Plugin Feed: 202407222339