Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Faheem

January 22, 2025 | Ravi Lakshmanan | Vulnerability / Enterprise Security

Oracle is urging customers to apply the January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.

The most severe of the vulnerabilities is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to take control of susceptible instances.

"Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework," according to a description of the security hole in the NIST National Vulnerability Database (NVD).


It's worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.

"Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes (CVE-2024-21287) as well as additional patches," said Eric Maurice, Vice President of Security Assurance at Oracle.

Some of the other critical flaws highlighted by Oracle, all rated 9.8 on the CVSS scale, are listed below:

  • CVE-2025-21524 – A vulnerability in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools
  • CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools
  • CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML Parser component of Oracle Agile Engineering Data Management
  • CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of Oracle Communications Diameter Signaling Router
  • CVE-2024-45492 – A vulnerability in the XML Parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti-Money Laundering Enterprise Edition, and HTTP Server
  • CVE-2024-56337 – A vulnerability in the Apache Tomcat component of Oracle Communications Policy Management
  • CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
  • CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
  • CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition

CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management product, in which sending message tokens with invalid length fields can cause an invalid memory read.
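For teams that have to turn a CPU like this one into a patch order, the following added example (not code from the article or from Oracle) ranks the CVEs named above against an asset inventory: anything the article reports as actively exploited or in the CISA KEV catalog goes first, then descending CVSS. The CVE records are transcribed from the article; the inventory and the `prioritize`/`patch_plan` helper names are constructed for illustration.

```python
"""Patch-priority triage over the CVEs named in the January 2025 Oracle CPU summary.

Added example, not code from the article or from Oracle. CVE ids, products and
CVSS scores below are transcribed from the article text; the asset inventory
passed to the helpers is a constructed, hypothetical sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss: float
    # True when the article reports active exploitation or a CISA KEV listing.
    known_exploited: bool = False


# Transcribed from the article. CVE-2024-45492 is listed once per affected product.
ADVISORY = [
    Finding("CVE-2025-21556", "Oracle Agile PLM Framework", 9.9),
    Finding("CVE-2024-21287", "Oracle Agile PLM Framework", 7.5, known_exploited=True),
    Finding("CVE-2025-21524", "JD Edwards EnterpriseOne Tools", 9.8),
    Finding("CVE-2023-3961", "JD Edwards EnterpriseOne Tools", 9.8),
    Finding("CVE-2024-23807", "Oracle Agile Engineering Data Management", 9.8),
    Finding("CVE-2023-46604", "Oracle Communications Diameter Signaling Router", 9.8),
    Finding("CVE-2024-45492", "Oracle Communications Network Analytics Data Director", 9.8),
    Finding("CVE-2024-45492", "Financial Services Behavior Detection Platform", 9.8),
    Finding("CVE-2024-45492", "Financial Services Trade-Based Anti-Money Laundering Enterprise Edition", 9.8),
    Finding("CVE-2024-45492", "HTTP Server", 9.8),
    Finding("CVE-2024-56337", "Oracle Communications Policy Management", 9.8),
    Finding("CVE-2025-21535", "Oracle WebLogic Server", 9.8),
    Finding("CVE-2020-2883", "Oracle WebLogic Server", 9.8, known_exploited=True),
    Finding("CVE-2016-1000027", "Oracle BI Publisher", 9.8),
    Finding("CVE-2023-29824", "Oracle Business Intelligence Enterprise Edition", 9.8),
    Finding("CVE-2024-37371", "Oracle Communications Billing and Revenue Management", 9.1),
]


def prioritize(findings, inventory):
    """Return the findings that touch a deployed product, most urgent first.

    Sort key: known-exploited first, then descending CVSS, then CVE id so the
    result is stable. ``inventory`` maps product name -> number of hosts.
    """
    relevant = [f for f in findings if f.product in inventory]
    return sorted(relevant, key=lambda f: (not f.known_exploited, -f.cvss, f.cve))


def patch_plan(findings, inventory):
    """Group the prioritized findings by product, preserving the urgency order."""
    plan = {}
    for f in prioritize(findings, inventory):
        plan.setdefault(f.product, []).append(f.cve)
    return plan


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host counts).
    sample_inventory = {
        "Oracle WebLogic Server": 3,
        "Oracle Agile PLM Framework": 1,
        "Oracle BI Publisher": 2,
    }
    for product, cves in patch_plan(ADVISORY, sample_inventory).items():
        print(f"{product}: {', '.join(cves)}")
```

The ordering deliberately puts the 7.5-rated CVE-2024-21287 ahead of several 9.8s: evidence of exploitation in the wild is a stronger urgency signal than a base score, which is why the KEV catalog exists.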

Users are advised to apply the necessary patches to keep their systems up-to-date and avoid potential security risks.
