
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.

The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances.

"Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework," according to a description of the security hole in the NIST National Vulnerability Database (NVD).


It's worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.

"Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches," Eric Maurice, vice president of Security Assurance at Oracle, said.


Some of the other critical severity flaws, all rated 9.8 on the CVSS scale, addressed by Oracle are as follows –

  • CVE-2025-21524 – A vulnerability in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools
  • CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools
  • CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management
  • CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of the Oracle Communications Diameter Signaling Router
  • CVE-2024-45492 – A vulnerability in the XML parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, and HTTP Server
  • CVE-2024-56337 – A vulnerability in the Apache Tomcat server component of Oracle Communications Policy Management
  • CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
  • CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
  • CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition

CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.


Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.

Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could enable an attacker to "cause invalid memory reads by sending message tokens with invalid length fields."

Users are advised to apply the necessary patches to keep their systems up-to-date and avoid potential security risks.
