
378 Vulnerabilities Fixed in Oracle’s Latest Critical Patch Update


Oracle’s quarterly Critical Patch Update for April 2025 fixed 378 vulnerabilities across Oracle and third-party product families. Oracle Communications accounted for the largest share with 103 fixes, followed by Oracle MySQL with 43 and Oracle Communications Applications with 42.

Many of the 378 flaws carry a CVSS score of 9.0 or higher, which places them in the critical range. Several have low attack complexity and can be exploited over the network by a remote, unauthenticated attacker. Such flaws pose a serious threat to users and should be patched immediately.


Notable Vulnerabilities and Impact

According to Thomson Data, Oracle is one of the 100 largest companies in the world, with hundreds of thousands of customers across the globe. Its products are used not only by direct customers such as Boeing and IBM but also inside other widely used services such as YouTube and Netflix, which multiplies the number of affected systems. Here are a few of Oracle’s most widely used products and some of the high-severity vulnerabilities fixed in them:

Oracle MySQL

This product is the foundation for websites like Facebook, YouTube, GitHub, and even WordPress, which currently powers over 40% of all sites on the web.

  • CVE-2024-40896, CVSS 9.1: The SAX parser in libxml2 can still generate events for external entities even when custom SAX handlers try to override the entity content, which makes classic XML External Entity (XXE) attacks possible. The MySQL Workbench component of Oracle MySQL uses libxml2, so a remote, unauthenticated attacker who can get Workbench to parse a crafted XML document can exploit the flaw.

    Successful exploitation can give the attacker unauthorized creation, deletion or modification access to critical data or all data accessible to MySQL Workbench, as well as the ability to cause a complete denial of service (DoS) of MySQL Workbench.

  • CVE-2024-7254, CVSS 7.5: The MySQL Connectors component of Oracle MySQL uses Protobuf-Java. When Protobuf-Java parses untrusted protocol buffer data containing an arbitrary number of nested groups (a long series of SGROUP tags), the unbounded recursion exceeds the stack limit and causes a stack overflow. A remote, unauthenticated attacker who can supply such data can therefore cause a complete DoS of MySQL Connectors.
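To make the XXE class behind CVE-2024-40896 concrete, the following added example (written for this article; it is not Oracle’s or libxml2’s code) uses Python’s expat-based SAX reader as a stand-in for libxml2’s SAX interface. It shows the same pattern: an external general entity declared in the DTD pulls a local file into the parsed text when the parser resolves external entities, disabling external general entities (feature_external_ges) makes the parser drop the reference, and a pre-parse guard rejects any document whose DTD declares an external entity at all. The helper names (TextCollector, parse_text, declares_external_entity), the temporary file, its contents and the payload are all constructed for the demo.

```python
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """SAX content handler that keeps the character data an application
    would consume (helper written for this example)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(path):
    """Constructed attacker document: the DTD declares an external general
    entity whose replacement text is a local file, then references it."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<data>&xxe;</data>"
    )


def parse_text(xml_bytes, load_external_entities):
    """Parse with the expat-based SAX reader and return the collected text.
    load_external_entities=True mirrors a parser that fetches external
    entities (the behaviour CVE-2024-40896 is about); False is the hardened
    setting, under which the entity reference is simply dropped."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, load_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


class _ExternalEntityDeclared(Exception):
    pass


def declares_external_entity(xml_bytes):
    """Pre-parse guard: True if the DTD declares any entity with a SYSTEM or
    PUBLIC identifier.  Parsing is aborted at the first such declaration, so
    no element content (and no entity reference) is ever processed."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise _ExternalEntityDeclared(name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except _ExternalEntityDeclared:
        return True
    return False


def demo():
    """Write a constructed secret to a temp file and run the three checks."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-FROM-DISK")  # constructed content, no trailing newline
        path = f.name
    try:
        payload = xxe_payload(path).encode()
        leaked = parse_text(payload, load_external_entities=True)   # file contents
        dropped = parse_text(payload, load_external_entities=False)  # entity skipped
        flagged = declares_external_entity(payload)                  # guard fires
        return leaked, dropped, flagged
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately stricter than the feature flag: it refuses documents that declare external entities rather than silently dropping them, which is the right default for any endpoint that should never see a DTD in the first place, while internal entities (declared inline with a literal value) still parse normally.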
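The failure mode in CVE-2024-7254 is easier to see with a small parser. The following added example (written for this article; it is not protobuf-java’s or Oracle’s code) walks the protobuf wire format in Python. Every SGROUP tag (wire type 3) recurses until its matching EGROUP (wire type 4), so a message that is nothing but thousands of SGROUP tags drives the parser as deep as the attacker likes; Python raises RecursionError where Java throws StackOverflowError, which in a connector thread is the denial of service. The fix is the one protobuf itself applies, a recursion limit, whose default of 100 levels is used here. The helper names, the 5000-level payload and the limit value are this example’s own choices.

```python
WT_VARINT, WT_I64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_I32 = 0, 1, 2, 3, 4, 5
DEFAULT_RECURSION_LIMIT = 100  # protobuf's own default nesting limit


class WireError(ValueError):
    """Malformed or over-nested input, rejected cleanly."""


def encode_varint(value):
    """Base-128 varint encoding, used to build tags and the demo payload."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf, pos, end):
    result, shift = 0, 0
    while True:
        if pos >= end:
            raise WireError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise WireError("varint too long")


def take(buf, pos, n, end):
    if pos + n > end:
        raise WireError("truncated field")
    return buf[pos:pos + n], pos + n


def nested_groups(depth, field=1):
    """Constructed attacker input: `depth` SGROUP tags, then `depth` EGROUP tags."""
    sgroup = encode_varint((field << 3) | WT_SGROUP)
    egroup = encode_varint((field << 3) | WT_EGROUP)
    return sgroup * depth + egroup * depth


def parse_message(buf, pos=0, end=None, depth=0, recursion_limit=None, group=None):
    """Decode one message (or one group body) into a list of (field, value).
    A group's value is its nested list.  recursion_limit=None reproduces the
    unguarded behaviour; an int bounds the nesting depth."""
    if end is None:
        end = len(buf)
    fields = []
    while pos < end:
        tag, pos = read_varint(buf, pos, end)
        field, wtype = tag >> 3, tag & 7
        if wtype == WT_VARINT:
            value, pos = read_varint(buf, pos, end)
        elif wtype == WT_I64:
            value, pos = take(buf, pos, 8, end)
        elif wtype == WT_LEN:
            length, pos = read_varint(buf, pos, end)
            value, pos = take(buf, pos, length, end)
        elif wtype == WT_I32:
            value, pos = take(buf, pos, 4, end)
        elif wtype == WT_SGROUP:
            # The recursion happens here; without a limit the depth is attacker-controlled.
            if recursion_limit is not None and depth + 1 > recursion_limit:
                raise WireError(f"recursion limit {recursion_limit} exceeded")
            value, pos = parse_message(buf, pos, end, depth + 1, recursion_limit, field)
        elif wtype == WT_EGROUP:
            if field != group:
                raise WireError("EGROUP without matching SGROUP")
            return fields, pos
        else:
            raise WireError(f"unknown wire type {wtype}")
        fields.append((field, value))
    if group is not None:
        raise WireError("unterminated group")
    return fields, pos


def parse_unguarded(buf):
    """Vulnerable behaviour: nesting depth is unbounded (Python raises
    RecursionError where Java throws StackOverflowError)."""
    return parse_message(buf)[0]


def parse_guarded(buf, limit=DEFAULT_RECURSION_LIMIT):
    """Fixed behaviour: over-nested input is rejected with WireError."""
    return parse_message(buf, recursion_limit=limit)[0]


def demo(depth=5000):
    """Run both parsers over a constructed deeply nested payload."""
    payload = nested_groups(depth)
    try:
        parse_unguarded(payload)
        unguarded = "parsed"
    except RecursionError:
        unguarded = "RecursionError"
    try:
        parse_guarded(payload)
        guarded = "parsed"
    except WireError as exc:
        guarded = str(exc)
    return unguarded, guarded


if __name__ == "__main__":
    print(demo())
```

Note that the payload is tiny: two bytes per nesting level, so a 10 KB message is enough to push an unguarded parser thousands of frames deep. The depth check costs one comparison per group and turns the crash into an ordinary parse error that the caller can log and drop.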

Oracle Database Server

Aerospace giants Boeing and Airbus, whose aircraft are used worldwide, use Oracle databases to manage a wide range of operational and data systems.

  • CVE-2025-30736, CVSS 7.4: A remote, unauthenticated attacker can compromise the Java VM component of Oracle Database Server and obtain unauthorized creation, deletion or modification access to critical data or all data accessible to Java VM.

  • CVE-2025-30701, CVSS 7.3: A remote attacker with low privileges can compromise the RAS Security component of Oracle Database Server and obtain unauthorized creation, deletion or modification access to critical data or all data accessible to RAS Security.

Oracle Java SE

Popular sites like Twitter, LinkedIn, and Netflix all use Oracle Java, and many Android apps are written with it as well.

  • CVE-2025-23083, CVSS 7.7: A local, unauthenticated attacker can compromise the Oracle GraalVM for JDK component of Oracle Java SE and obtain unauthorized creation, deletion or modification access to critical data or all data accessible to Oracle GraalVM for JDK.

  • CVE-2024-47606, CVSS 7.5: An integer underflow in the JavaFX (gstreamer) component of Oracle Java SE and Oracle GraalVM Enterprise Edition could lead to a function pointer hijack. A remote, unauthenticated attacker can execute arbitrary code and take over a vulnerable instance of the product. This flaw applies to Java deployments that load and run untrusted code, and it requires user interaction to exploit.

Oracle Fusion Middleware

Many prominent companies are known customers of this product, including (but not limited to) IBM, Xerox, Huawei Technologies, and Boeing.

  • CVE-2024-38476, CVSS 9.8: The Oracle HTTP Server product of Oracle Fusion Middleware uses Apache HTTP Server. Apache HTTP Server 2.4.59 and earlier are vulnerable to information disclosure, server-side request forgery (SSRF) or local script execution when interacting with backend applications that return malicious or exploitable response headers.

    This can allow a remote, unauthenticated attacker to completely take over a vulnerable instance of Oracle HTTP Server.

  • CVE-2024-52046, CVSS 9.8: The Oracle Access Manager product of Oracle Fusion Middleware uses Apache MINA, whose ObjectSerializationDecoder processes incoming serialized data with Java’s native deserialization protocol without adequate security checks. A remote, unauthenticated attacker can craft and send malicious serialized data to execute code on the affected instance, potentially leading to a complete takeover of Oracle Access Manager. Note that the upstream MINA fix (2.0.27, 2.1.10 and 2.2.4) is not automatic: the patched decoder rejects every class until the application explicitly registers the ones it accepts, so upgrading the library alone does not restore deserialization of legitimate objects.


Products Affected

The following products were covered in the patch update:

  • Oracle Analytics
  • Oracle Application Express
  • Oracle Autonomous Health Framework
  • Oracle Commerce
  • Oracle Communications
  • Oracle Communications Applications
  • Oracle Construction and Engineering
  • Oracle Database Server
  • Oracle E-Business Suite
  • Oracle Enterprise Manager
  • Oracle Essbase
  • Oracle Financial Services Applications
  • Oracle Food and Beverage Applications
  • Oracle Fusion Middleware
  • Oracle GoldenGate
  • Oracle Graph Server and Client
  • Oracle Hospitality Applications
  • Oracle Hyperion
  • Oracle Insurance Applications
  • Oracle Java SE
  • Oracle JD Edwards
  • Oracle MySQL
  • Oracle NoSQL Database
  • Oracle PeopleSoft
  • Oracle Policy Automation
  • Oracle REST Data Services
  • Oracle Retail Applications
  • Oracle Secure Backup
  • Oracle Siebel CRM
  • Oracle SQL Developer
  • Oracle Supply Chain
  • Oracle Support Tools
  • Oracle Systems
  • Oracle TimesTen In-Memory Database
  • Oracle Utilities Applications
  • Oracle Virtualization

Solution

A list of available patches for the aforementioned products is available to Oracle customers through the Critical Patch Update advisory and My Oracle Support. Oracle recommends applying the fixes without delay, and, for flaws in bundled third-party components such as libxml2, Protobuf-Java, Apache HTTP Server and Apache MINA, the Oracle-supplied patch rather than an upstream upgrade is what brings the affected Oracle product to a fixed version.


Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated and integrated patching software that fixes risks exploited in the wild. It supports the major operating systems (Windows, Linux and macOS) as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.