Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.
The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances.
“Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework,” according to a description of the security hole in the NIST National Vulnerability Database (NVD).
It's worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.
“Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches,” Eric Maurice, Vice President of Security Assurance at Oracle, said.
Some of the other critical-severity flaws addressed by Oracle, all rated 9.8 on the CVSS scale, are as follows:
- CVE-2025-21524 – A vulnerability in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools
- CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools
- CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management
- CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of the Oracle Communications Diameter Signaling Router
- CVE-2024-45492 – A vulnerability in the XML parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, and HTTP Server
- CVE-2024-56337 – A vulnerability in the Apache Tomcat server component of Oracle Communications Policy Management
- CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
- CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
- CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition
CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3. The practical consequence is that exposure hinges on whether the T3/IIOP listeners are reachable from untrusted networks at all, not only on whether the patch has been applied.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.
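Because both WebLogic bugs above require only network access to the T3 or IIOP listener, the first thing a defender wants to know is which hosts actually answer T3 from a given network position. The following is an added example (not Oracle's code and not from the article) that sends the publicly documented T3 client greeting, the same one public scanners such as nmap's weblogic-t3-info script use, and parses the server's HELO banner. The default port 7001, the client version string, and the sample banner are assumptions; the sample reply is constructed so the parser can be exercised offline.

```python
"""Probe a host for an exposed WebLogic T3 listener and parse its HELO banner.

Added example for this article; it is not Oracle's code. The handshake
bytes and banner shape follow public T3 scanners (e.g. nmap's
weblogic-t3-info script). Port 7001 is only WebLogic's common default.
"""
import re
import socket
from typing import Optional

# T3 client greeting: protocol name, a plausible client version, and the
# abbrev-size / header-length / max-message-size headers the server echoes.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# A T3 listener accepts with "HELO:<server version>.<bool>" on the first line,
# followed by its own AS/HL/MS headers and a blank line.
_HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)+)\.(?P<flag>true|false)")


def parse_t3_banner(data: bytes) -> Optional[dict]:
    """Return {'version': ..., 'headers': {...}} for a T3 HELO reply, else None.

    None covers the cases a defender cares about equally: an HTTP answer on
    the port, an empty reply, or anything else that is not a T3 greeting.
    """
    m = _HELO_RE.match(data)
    if not m:
        return None
    headers = {}
    for line in data.split(b"\n")[1:]:
        if b":" in line:
            key, value = line.split(b":", 1)
            headers[key.decode(errors="replace")] = value.decode(errors="replace")
    return {"version": m.group("version").decode(), "headers": headers}


def probe_t3(host: str, port: int = 7001, timeout: float = 3.0) -> Optional[dict]:
    """Send the T3 greeting to host:port and parse the reply.

    A dict means T3 is reachable from where this runs (the exposure the
    WebLogic advisories describe); None means closed, filtered, or not T3.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HANDSHAKE)
            data = sock.recv(1024)
    except OSError:
        return None
    return parse_t3_banner(data)


# Constructed sample reply shaped like a real HELO banner (not a capture).
SAMPLE_BANNER = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
# Constructed non-T3 reply, e.g. the port is serving HTTP instead.
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    print("sample T3 banner ->", parse_t3_banner(SAMPLE_BANNER))
    print("sample HTTP reply ->", parse_t3_banner(SAMPLE_HTTP_REPLY))
    # Live use against a host you are authorised to test:
    # print(probe_t3("weblogic.example.internal"))
```

A banner returned from an untrusted network segment is the precondition the IIOP/T3 advisories describe, so any such host belongs at the front of the patch queue regardless of the version string it reports. The probe only confirms reachability; it does not test for, or trigger, either vulnerability.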
Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could enable an attacker to “cause invalid memory reads by sending message tokens with invalid length fields.”
The software services provider has additionally released updates to Oracle Linux with 285 new security patches. Users are advised to apply the necessary fixes to keep their systems up to date and avoid potential security risks.