January 22, 2025

Oracle has released its Critical Patch Update (CPU) for January 2025, aiming to resolve 318 newly identified security vulnerabilities affecting a range of Oracle products and services. The update addresses critical flaws, some of which could lead to severe security breaches if left unpatched.
Key Vulnerabilities and Their Impact
The most severe vulnerability, identified as CVE-2025-21556, has been assigned a CVSS score of 9.9, signaling its critical nature. This flaw affects the Oracle Agile Product Lifecycle Management (PLM) Framework, allowing low-privileged attackers with network access via HTTP to take control of affected instances. The vulnerability is particularly concerning as it is easily exploitable.
This is not the first time Oracle has warned about serious issues within the Oracle Agile PLM Framework. In November 2024, Oracle highlighted an active exploitation attempt against CVE-2024-21287 (CVSS score: 7.5), which affects the same version of the PLM Framework, version 9.3.6. Customers are urged to apply the January 2025 update, as it addresses both this flaw and other critical vulnerabilities within the product.
Other Critical Vulnerabilities
Several other high-risk vulnerabilities have been patched in the January update, many with CVSS scores of 9.8. These include:
- CVE-2025-21524: A flaw in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools.
- CVE-2023-3961: A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools.
- CVE-2024-23807: A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management.
- CVE-2023-46604: A flaw in the Apache ActiveMQ component of Oracle Communications Diameter Signaling Router.
- CVE-2024-45492: A vulnerability in the XML parser (libexpat) component of several Oracle services, including Oracle Communications Network Analytics Data Director and Financial Services platforms.
- CVE-2024-56337: A flaw in the Apache Tomcat server component of Oracle Communications Policy Management.
- CVE-2025-21535: A vulnerability in the Core component of Oracle WebLogic Server.
- CVE-2016-1000027: A vulnerability in the Spring Framework component of Oracle BI Publisher.
- CVE-2023-29824: A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition.
Similarities to Past Vulnerabilities
Some of the vulnerabilities patched in the January update, such as CVE-2025-21535, are reminiscent of CVE-2020-2883, another critical security flaw in Oracle WebLogic Server. The latter, which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, is already being actively exploited. Both flaws could allow unauthenticated attackers with network access to exploit the vulnerabilities via IIOP or T3.
Additionally, CVE-2024-37371 (CVSS score: 9.1) is a critical flaw in the Kerberos 5 component of Oracle's Communications Billing and Revenue Management. This flaw could allow an attacker to trigger invalid memory reads by sending message tokens with incorrect length fields.
The Importance of Applying the Patch
Oracle is strongly advising all users to apply the January 2025 Critical Patch Update as soon as possible. By doing so, organizations can protect their systems from potential exploitation and ensure that their Oracle products remain secure.
The vast number of patches released in this update highlights the importance of keeping software systems up to date and staying vigilant about cybersecurity threats. Regularly applying critical patches can significantly reduce the risk of security breaches and safeguard sensitive data.
In conclusion, Oracle’s January 2025 CPU is a vital update for anyone using its products and services, addressing a wide range of vulnerabilities that could otherwise be exploited by attackers. Users should prioritize patching their systems to mitigate these risks and maintain a secure environment.