SB2026012084 - Multiple vulnerabilities in Oracle GoldenGate Big Data and Application Adapters

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026012084

SB2026012084 - Multiple vulnerabilities in Oracle GoldenGate Big Data and Application Adapters

Published: January 20, 2026

Security Bulletin ID SB2026012084
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName"  system property is set to true. A remote attacker can perform MitM attack and intercept or redirect the log traffic. 


2) Command Injection (CVE-ID: CVE-2025-59419)

The vulnerability allows a remote attacker to execute arbitrary SMTP commands.

The vulnerability exists due to insufficient input validation in the SMTP codec. A remote attacker can pass specially crafted data to the application and forge arbitrary emails from the trusted server.


3) Input validation error (CVE-ID: CVE-2025-59250)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input in JDBC Driver for SQL Server. A remote attacker can trick a victim into connecting to a malicious server and perform spoofing attack.


Remediation

Install update from vendor's website.

References