
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products


Jan 22, 2025 | Ravie Lakshmanan | Vulnerability / Enterprise Security


Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.

The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances.

“Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Agile PLM Framework,” according to a description of the security hole in the NIST National Vulnerability Database (NVD).


It is worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.

“Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches,” Eric Maurice, vice president of Security Assurance at Oracle, said.

A number of the different crucial severity flaws, all rated 9.8 on the CVSS rating, addressed by Oracle are as follows –

  • CVE-2025-21524 – A vulnerability within the Monitoring and Diagnostics SEC element of JD Edwards EnterpriseOne Instruments
  • CVE-2023-3961 – A vulnerability within the E1 Dev Platform Tech (Samba) element of JD Edwards EnterpriseOne Instruments
  • CVE-2024-23807 – A vulnerability within the Apache Xerces C++ XML parser element of Oracle Agile Engineering Information Administration
  • CVE-2023-46604 – A vulnerability within the Apache ActiveMQ element of the Oracle Communications Diameter Signaling Router
  • CVE-2024-45492 – A vulnerability within the XML parser (libexpat) element of Oracle Communications Community Analytics Information Director, Monetary Companies Conduct Detection Platform, Monetary Companies Commerce-Based mostly Anti Cash Laundering Enterprise Version, and HTTP Server
  • CVE-2024-56337 – A vulnerability within the Apache Tomcat server element of Oracle Communications Coverage Administration
  • CVE-2025-21535 – A vulnerability within the Core element of Oracle WebLogic Server
  • CVE-2016-1000027 – A vulnerability within the Spring Framework element of Oracle BI Writer
  • CVE-2023-29824 – A vulnerability within the Analytics Server (SciPy) element of Oracle Enterprise Intelligence Enterprise Version

CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.

Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could enable an attacker to “cause invalid memory reads by sending message tokens with invalid length fields.”

The software services provider has additionally released updates to Oracle Linux with 285 new security patches. Users are advised to apply the necessary fixes to keep their systems up-to-date and avoid potential security risks.
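The Kerberos description above names a classic parser defect: a length field inside a message token is trusted before it is compared with the bytes actually received. The following is an added illustration, not code from Oracle, MIT Kerberos or this article, and its token layout (a sequence of fields, each a 2-byte big-endian length followed by that many bytes) is a constructed one, not the krb5 wire format. It shows the check a defensively written parser applies: every declared length is validated against the remaining buffer before the field is referenced, so a token with an invalid length field is rejected instead of driving a read past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed token layout for illustration only (not the krb5 wire format):
 * a sequence of fields, each a 2-byte big-endian length followed by that many bytes. */
#define MAX_FIELDS 8

struct token_field {
    const uint8_t *data;
    size_t len;
};

/* Parse fields out of buf[0..buf_len). Each declared length is checked against the
 * bytes that actually remain before the field is referenced, so an invalid length
 * field yields a rejection (-1) rather than a read beyond the buffer.
 * Returns the number of fields parsed, or -1 if the token is malformed. */
int parse_token(const uint8_t *buf, size_t buf_len, struct token_field *out, size_t max_fields)
{
    size_t pos = 0;
    size_t n = 0;

    while (pos < buf_len) {
        /* a complete 2-byte length header must be present */
        if (buf_len - pos < 2)
            return -1;
        size_t field_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;

        /* the declared length must fit in what is left: this is the check whose
         * absence lets a crafted length field cause an out-of-bounds read */
        if (field_len > buf_len - pos)
            return -1;

        if (n == max_fields)
            return -1;  /* more fields than the caller can hold */

        out[n].data = buf + pos;
        out[n].len = field_len;
        n++;
        pos += field_len;
    }
    return (int)n;
}

/* Wrappers over constructed sample tokens so the checks are easy to exercise. */

/* Well-formed: two fields, "abc" and "de". */
int parse_good_sample(void)
{
    static const uint8_t good[] = { 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x02, 'd', 'e' };
    struct token_field f[MAX_FIELDS];
    return parse_token(good, sizeof good, f, MAX_FIELDS);
}

/* Malformed: the second field claims 0xFFFF bytes but only two follow. */
int parse_bad_length_sample(void)
{
    static const uint8_t bad[] = { 0x00, 0x03, 'a', 'b', 'c', 0xFF, 0xFF, 'd', 'e' };
    struct token_field f[MAX_FIELDS];
    return parse_token(bad, sizeof bad, f, MAX_FIELDS);
}

/* Malformed: the buffer ends in the middle of a length header. */
int parse_truncated_header_sample(void)
{
    static const uint8_t trunc[] = { 0x00, 0x01, 'x', 0x00 };
    struct token_field f[MAX_FIELDS];
    return parse_token(trunc, sizeof trunc, f, MAX_FIELDS);
}

int main(void)
{
    printf("good token: %d fields\n", parse_good_sample());            /* 2 */
    printf("bad length field: %d\n", parse_bad_length_sample());       /* -1 */
    printf("truncated header: %d\n", parse_truncated_header_sample()); /* -1 */
    return 0;
}
```

The subtraction `buf_len - pos` is always evaluated with `pos <= buf_len`, which the loop condition and the earlier checks guarantee, so the comparison itself cannot underflow; checking `field_len > buf_len - pos` rather than `pos + field_len > buf_len` also avoids an overflow in the addition when a length field is hostile.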
