
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products


Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.

The most severe of the issues is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to take control of vulnerable instances.

“Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework,” according to a description of the security hole in the NIST National Vulnerability Database (NVD).


It is worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.

“Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches,” Eric Maurice, vice president of Security Assurance at Oracle, said.


Some of the other critical severity flaws, all rated 9.8 on the CVSS scale, addressed by Oracle are as follows –

  • CVE-2025-21524 – A vulnerability in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools
  • CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools
  • CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management
  • CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of the Oracle Communications Diameter Signaling Router
  • CVE-2024-45492 – A vulnerability in the XML parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, and HTTP Server
  • CVE-2024-56337 – A vulnerability in the Apache Tomcat server component of Oracle Communications Policy Management
  • CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
  • CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
  • CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition

CVE-2025-21535 is similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that can be exploited by an unauthenticated attacker with network access via IIOP or T3.


Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.

Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could allow an attacker to “cause invalid memory reads by sending message tokens with invalid length fields.”

The software and services provider has also released updates to Oracle Linux with 285 new security patches. Users are advised to apply the necessary fixes to keep their systems up-to-date and avoid potential security risks.
