Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Jan 22, 2025 Ravie Lakshmanan Vulnerability / Enterprise Security

Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.

The most severe of the issues is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances.

“Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Agile PLM Framework,” according to a description of the security hole in the NIST National Vulnerability Database (NVD).


It's worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.

“Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches,” Eric Maurice, vice president of Security Assurance at Oracle, said.

Some of the other critical severity flaws, all rated 9.8 on the CVSS scale, addressed by Oracle are as follows –

  • CVE-2025-21524 – A vulnerability in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools
  • CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools
  • CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management
  • CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of the Oracle Communications Diameter Signaling Router
  • CVE-2024-45492 – A vulnerability in the XML parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, and HTTP Server
  • CVE-2024-56337 – A vulnerability in the Apache Tomcat server component of Oracle Communications Policy Management
  • CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
  • CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
  • CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition

CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.

Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could enable an attacker to “cause invalid memory reads by sending message tokens with invalid length fields.”

Users are advised to apply the necessary patches to keep their systems up-to-date and avoid potential security risks.
