Oracle has released its Critical Patch Update (CPU) for January 2025, addressing 318 new security patches across various product families, including Oracle Database Server, Oracle MySQL, Oracle Communications, Oracle E-Business Suite, Oracle Fusion Middleware, and more. This update mitigates vulnerabilities in both Oracle code and third-party components. Oracle strongly recommends applying these patches immediately to reduce risk, particularly the risk from vulnerabilities that are remotely exploitable without authentication.
Oracle Database Server Risk Matrix
This Critical Patch Update contains five new security patches for Oracle Database Products, two of which address vulnerabilities that may be remotely exploitable without authentication. Additionally, these patches apply to client-only installations. The following products and components are affected:
Affected products and the package and/or privilege required, one row per CVE:
- CVE-2023-52428: Oracle Graal Development Kit for Micronaut (Nimbus JOSE+JWT); privilege required: None
- CVE-2022-26345: Oracle Database Data Mining (Intel oneAPI Toolkit OpenMP); privilege required: Authenticated User
- CVE-2023-48795: Database Migration Assistant for Unicode (Apache Mina SSHD); privilege required: None
- CVE-2025-21553: Java VM; privilege required: Create Session, Create Procedure
- CVE-2024-21211: GraalVM Multilingual Engine; privilege required: Authenticated User
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- Oracle Database Grid (Apache Tomcat): CVE-2024-52316, CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle Database Workload Manager (Apache Commons-IO): CVE-2024-52316, CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle Spatial and Graph (Apache Lucene): CVE-2024-45772 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle Spatial and Graph Mapviewer (Google Protobuf-Java): CVE-2024-7254 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle Spatial and Graph Spatial Web Services (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Application Express Risk Matrix
This Critical Patch Update includes one new security patch for Oracle Application Express. The vulnerability addressed is not remotely exploitable without authentication.
Affected products and components, one row per CVE:
- CVE-2025-21557: Oracle Application Express, General
Oracle Big Data Spatial and Graph Risk Matrix
This Critical Patch Update contains no new security patches for exploitable vulnerabilities in Oracle Big Data Spatial and Graph. However, third-party patches were applied to address non-exploitable vulnerabilities.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- Big Data Spatial (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Blockchain Platform Risk Matrix
This Critical Patch Update does not introduce new security patches for exploitable vulnerabilities but includes third-party patches to address non-exploitable vulnerabilities.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- Blockchain Cloud Service Console (glibc): CVE-2024-33602, CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 [VEX Justification: vulnerable_code_not_in_execute_path].
- Blockchain Cloud Service Console (Golang Go): CVE-2024-24791 [VEX Justification: vulnerable_code_not_in_execute_path].
- Blockchain Cloud Service Console (Python): CVE-2024-45491, CVE-2023-27043, CVE-2024-28757, CVE-2024-4030, CVE-2024-4032, CVE-2024-45490, CVE-2024-45492, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-8088 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Essbase Risk Matrix
This Critical Patch Update contains no new security patches for exploitable vulnerabilities but includes third-party patches for non-exploitable CVEs.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- Essbase Web Platform (curl): CVE-2024-11053 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
Oracle GoldenGate Risk Matrix
Oracle GoldenGate received two new security patches, neither of which addresses a vulnerability that is remotely exploitable without authentication.
Affected products and components, one row per CVE:
- CVE-2023-36785: Oracle GoldenGate, Install (Microsoft ODBC Driver)
- CVE-2024-47561: Oracle GoldenGate Big Data and Application Adapters, Java Delivery (Apache Avro)
Additional CVEs addressed:
- The patch for CVE-2023-36785 also addresses CVE-2023-36730.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- Oracle GoldenGate (Embedded Web UI for Services – RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle GoldenGate Big Data and Application Adapters (Spring Framework): CVE-2024-38819, CVE-2024-38820 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle GoldenGate Studio (Spring Framework): CVE-2024-22262 [VEX Justification: vulnerable_code_not_in_execute_path].
- Oracle GoldenGate Veridata (Spring Framework): CVE-2024-22262 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Graph Server and Client Risk Matrix
This Critical Patch Update contains no new security patches for exploitable vulnerabilities in Oracle Graph Server and Client, but it does include the third-party patches listed below for non-exploitable third-party CVEs. If the previous Critical Patch Update was not applied to Oracle Graph Server and Client, refer to the earlier Critical Patch Update Advisories.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Graph Server and Client
- Install (Apache Tomcat): CVE-2024-56337, CVE-2024-50379, and CVE-2024-54677 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
- Install (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle REST Data Services Risk Matrix
Oracle REST Data Services received one new security patch; the vulnerability it addresses can be remotely exploited without authentication. The update also incorporates third-party patches addressing non-exploitable vulnerabilities.
Affected products and components, one row per CVE:
- CVE-2024-6763: Oracle REST Data Services, General (Eclipse Jetty)
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- General (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Secure Backup Risk Matrix
This Critical Patch Update for Oracle Secure Backup includes one new security patch. This vulnerability can be remotely exploited without requiring authentication.
Affected products and components, one row per CVE:
- CVE-2024-8927: Oracle Secure Backup, General (PHP)
Oracle TimesTen In-Memory Database Risk Matrix
This Critical Patch Update does not contain new security patches for exploitable vulnerabilities but includes updates for non-exploitable third-party vulnerabilities within Oracle TimesTen In-Memory Database. Prior Critical Patch Updates should be reviewed if they have not been applied.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- TimesTen Install (Golang Go): CVE-2024-24790, CVE-2024-24789, CVE-2024-24791 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Commerce Risk Matrix
This update includes one new security patch for Oracle Commerce; the vulnerability it addresses can be remotely exploited without authentication.
Affected products and components, one row per CVE:
- CVE-2023-33201: Oracle Commerce Guided Search, Workbench (Bouncy Castle Java Library)
Oracle Communications Applications Risk Matrix
The latest Critical Patch Update provides twenty-eight new security patches for Oracle Communications Applications, fifteen of which are remotely exploitable without authentication. Additional third-party patches have also been included.
Affected products and components, one row per CVE:
- CVE-2024-37371: Oracle Communications Billing and Revenue Management, Platform (Kerberos)
- CVE-2024-6162: Oracle Communications BRM – Elastic Charging Engine, Security (Netty)
- CVE-2024-47554: Oracle Communications Service Catalog and Design, Solution Designer (Apache Commons IO)
- CVE-2024-7254: Oracle Communications Service Catalog and Design, Solution Designer (Google Protobuf-Java)
- CVE-2024-47554: Oracle Communications Unified Assurance, Core (Apache Commons IO)
- CVE-2024-24786: Oracle Communications Unified Assurance, Core (Google Protobuf-Java)
- CVE-2024-7592: Oracle Communications Unified Assurance, Core (Python)
- CVE-2024-7254: Oracle Communications Unified Assurance, Microservices (Google Protobuf-Java)
- CVE-2024-27309: Oracle Communications Service Catalog and Design, Solution Designer (Apache Kafka)
- CVE-2024-47561: Oracle Communications Unified Assurance, Core (Apache Avro)
- CVE-2024-28849: Oracle Communications Unified Assurance, Core (Apache Commons Configuration)
- CVE-2023-29408: Oracle Communications Unified Assurance, Core (Golang Go)
- CVE-2025-21542: Oracle Communications Order and Service Management, Security
- CVE-2024-38807: Oracle Communications Service Catalog and Design, Solution Designer (Spring Boot)
- CVE-2024-1442: Oracle Communications Unified Assurance, Core (Grafana)
- CVE-2024-35195: Oracle Communications Offline Mediation Controller, Install (requests)
- CVE-2024-35195: Oracle Communications Unified Assurance, Core (requests)
- CVE-2024-26308: Oracle Communications Messaging Server, Security (Apache Commons Compress)
- CVE-2024-0232: Oracle Communications Messaging Server, Security (SQLite)
- CVE-2024-47535: Oracle Communications Service Catalog and Design, Solution Designer (Netty)
- CVE-2025-21544: Oracle Communications Order and Service Management, Security
- CVE-2024-29133: Oracle Communications Unified Assurance, Microservices (Apache Commons Configuration)
- CVE-2024-29025: Oracle Communications Messaging Server, Security (Netty)
- CVE-2025-21554: Oracle Communications Order and Service Management, Security
- CVE-2024-38827: Oracle Communications Unified Inventory Management, Security (Spring Security)
- CVE-2024-37891: Oracle Communications Billing and Revenue Management, Billing Care (urllib3)
- CVE-2024-37891: Oracle Communications Unified Assurance, Core (urllib3)
- CVE-2024-47554: Oracle Communications Convergence, Configuration (Apache Commons IO)
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
- Billing Care (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
- Order and Service Management (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
- Unified Inventory Management (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Communications Risk Matrix
This Critical Patch Update contains eighty-five new security patches for Oracle Communications. Fifty-nine of these vulnerabilities are remotely exploitable without authentication. Additionally, third-party patches addressing non-exploitable vulnerabilities have been included. Please refer to previous Critical Patch Update Advisories if the last update was not applied for Oracle Communications.
Products: Oracle Communications Diameter Signaling Router, Oracle Communications Network Analytics Data Director, Oracle Communications Policy Management, Oracle Communications Diameter Signaling Router, Oracle Communications User Data Repository, Oracle SD-WAN Edge, Oracle Communications Cloud Native Core Console, Oracle Communications Operations Monitor, Oracle Communications Policy Management, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Converged Application Server, Oracle Communications Cloud Native Core Policy, Oracle SD-WAN Edge, Oracle Communications Operations Monitor, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Diameter Signaling Router, Oracle Communications EAGLE Element Management System, Oracle SD-WAN Edge, Oracle SD-WAN Edge, Oracle Communications Diameter Signaling Router, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Operations Monitor, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Diameter Signaling Router, Oracle Communications Cloud Native Core Console, Oracle Communications Diameter Signaling Router, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Cloud Native Core DBTier, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Operations Monitor, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Operations Monitor, Oracle Communications User Data Repository, Oracle Communications Network Analytics Data Director, Oracle Communications Session Border Controller, Oracle Communications User Data Repository, Oracle Enterprise Communications Broker, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Operations Monitor, Oracle Communications Policy Management, Oracle Communications User Data Repository, Oracle SD-WAN Edge, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core DBTier, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Certificate Management
Affected Components: Patches (Apache ActiveMQ), Install/Upgrade (LibExpat), Configuration Management Platform (Apache Tomcat), Automated Test Suite (Kerberos), Platform (Kerberos), Internal tools (Kerberos), Configuration (Kerberos), Mediation Engine (pyrad), Configuration Management Platform (Apache Struts 2), Install (dnsjava), Install (dnsjava), Alarms, KPI, and Measurements (dnsjava), Signaling (dnsjava), Installer (dnsjava), Policy Control Function (Google Protobuf-Java), Platform (Apache HTTP Server), Mediation Engine (ImageMagick), ATS Framework (Werkzeug), Install (Spring Framework), Install (Undertow), Install (Werkzeug), Configuration (Undertow), Install (Undertow), Install (Werkzeug), Alarms, KPI, and Measurements (Spring Framework), Alarms, KPI, and Measurements (Undertow), Alarms, KPI, and Measurements (Werkzeug), Automated Test Suite (Werkzeug), Signaling (Spring Framework), Configuration (Undertow), Signaling (Undertow), Install (Spring Framework), Install (Undertow), Install (Werkzeug), Patches (Apache Tomcat), Security (Apache Tomcat), Platform (BIND), Platform (Apache Tomcat), Automated Test Suite (glibc), Install (Pillow), Alarms, KPI, and Measurements (Pillow), Install (Pillow), Mediation Engine (Pillow), Configuration (Werkzeug), Automated Test Suite (curl), Configuration (Spring Boot), Automated Test Suite (Python), Alarms, KPI, and Measurements (LibExpat), Configuration (OpenSSL), Configuration (Cryptography), Alarms, KPI, and Measurements (LibExpat), Install (LibExpat), Configuration (requests), ATS Framework (requests), ATS Framework (requests), Install (requests), Mediation Engine (requests), Install (Jinja), Configuration (Golang Go), Alarms, KPI, and Measurements (Jinja), ATS Framework (Jinja), ATS Framework (Jinja), ATS Framework (Jinja), Mediation Engine (Jinja), Platform (Jinja), Third Party (GnuTLS), Third Party (OpenSSL), Platform (GnuTLS), Third Party (OpenSSL), Install (Spring Security), Alarms, KPI, and Measurements (Spring Security), Signaling (Spring Security), Alarms, KPI, and Measurements (urllib3), ATS Framework (libpcap), Mediation Engine (libpcap), Configuration Management Platform (urllib3), Platform (urllib3), Internal Tools (libpcap), ATS Framework (Jenkins), Install (Jenkins), Configuration (Werkzeug), Alarms, KPI, and Measurements (Jenkins), ATS Framework (Jenkins), ATS Framework (Jenkins), Configuration (OpenSSL)
CVE IDs: CVE-2023-46604, CVE-2024-45492, CVE-2024-56337, CVE-2024-37371, CVE-2024-37371, CVE-2024-37371, CVE-2024-3596, CVE-2024-3596, CVE-2024-53677, CVE-2024-25638, CVE-2024-25638, CVE-2024-25638, CVE-2024-25638, CVE-2024-25638, CVE-2024-7254, CVE-2024-38475, CVE-2024-41817, CVE-2024-49767, CVE-2024-38819, CVE-2024-7885, CVE-2024-49767, CVE-2024-7885, CVE-2024-7885, CVE-2024-49767, CVE-2024-38819, CVE-2024-7885, CVE-2024-49767, CVE-2024-49767, CVE-2024-38819, CVE-2024-7885, CVE-2024-7885, CVE-2024-38819, CVE-2024-7885, CVE-2024-49767, CVE-2024-34750, CVE-2024-34750, CVE-2023-50868, CVE-2024-34750, CVE-2024-33602, CVE-2024-28219, CVE-2024-28219, CVE-2024-28219, CVE-2024-28219, CVE-2024-49767, CVE-2023-46218, CVE-2024-38807, CVE-2024-0450, CVE-2024-50602, CVE-2024-5535, CVE-2024-6119, CVE-2024-50602, CVE-2024-50602, CVE-2024-35195, CVE-2024-35195, CVE-2024-35195, CVE-2024-35195, CVE-2024-35195, CVE-2024-34064, CVE-2023-40577, CVE-2024-34064, CVE-2024-34064, CVE-2024-34064, CVE-2024-34064, CVE-2024-34064, CVE-2024-34064, CVE-2024-28834, CVE-2023-5678, CVE-2024-28834, CVE-2023-5678, CVE-2024-38827, CVE-2024-38827, CVE-2024-38827, CVE-2024-37891, CVE-2024-8006, CVE-2024-8006, CVE-2024-37891, CVE-2024-37891, CVE-2024-8006, CVE-2024-47804, CVE-2024-47804, CVE-2024-49766, CVE-2024-47804, CVE-2024-47804, CVE-2024-47804, CVE-2024-9143
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Communications Cloud Native Core Binding Support Function
- Install (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
- Install (Apache Tomcat): CVE-2024-34750 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
Oracle Communications Cloud Native Core Certificate Management
- Configuration (Kerberos): CVE-2024-3596 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
Oracle Communications Cloud Native Core Policy
- Alarms, KPI, and Measurements (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
- Alarms, KPI, and Measurements (Apache Tomcat): CVE-2024-34750 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
Oracle Construction and Engineering Risk Matrix
This Critical Patch Update contains four new security patches for Oracle Construction and Engineering. One vulnerability can be remotely exploited without authentication.
Affected products and components, one row per CVE:
- CVE-2024-47554: Primavera Unifier, Document Management (Apache Commons IO)
- CVE-2025-21526: Primavera P6 Enterprise Project Portfolio Management, Web Access
- CVE-2025-21558: Primavera P6 Enterprise Project Portfolio Management, Web Access
- CVE-2025-21528: Primavera P6 Enterprise Project Portfolio Management, Web Access
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Primavera Gateway
- Admin (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Primavera Unifier
- Platform (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle E-Business Suite Risk Matrix
This Critical Patch Update contains four new security patches for Oracle E-Business Suite. One vulnerability can be remotely exploited without authentication.
Affected products and components, one row per CVE:
- CVE-2025-21516: Oracle Customer Care, Service Requests
- CVE-2025-21506: Oracle Project Foundation, Technology Foundation
- CVE-2025-21489: Oracle Advanced Outbound Telephony, Region Mapping
- CVE-2025-21541: Oracle Workflow, Admin Screens and Grants UI
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that may be affected by the vulnerabilities listed in their respective sections. Customers are advised to apply the January 2025 Critical Patch Update to their Oracle Database and Fusion Middleware components.
Oracle Enterprise Manager Risk Matrix
This Critical Patch Update includes three new security patches for Oracle Enterprise Manager; all three vulnerabilities are remotely exploitable without authentication. None of these patches apply to client-only installations.
Affected products and components, one row per CVE:
- CVE-2024-38819: Enterprise Manager for MySQL Database, EM Plugin: General (Spring Framework)
- CVE-2024-29857: Oracle Enterprise Manager Base Platform, Agent Next Gen (Bouncy Castle Java Library)
- CVE-2023-51074: Oracle Application Testing Suite, Load Testing for Web Apps (JsonPath)
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Application Testing Suite
- Load Testing for Web Apps (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Financial Services Applications Risk Matrix
This Critical Patch Update provides thirty-one new security patches for Oracle Financial Services Applications, with twenty-four vulnerabilities that can be remotely exploited without authentication.
Affected products and components, one row per CVE:
- CVE-2024-45492: Oracle Financial Services Behavior Detection Platform, Platform (LibExpat)
- CVE-2024-45492: Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, Platform (LibExpat)
- CVE-2023-52070: Oracle Financial Services Revenue Management and Billing, Chatbot (JFreeChart)
- CVE-2023-39410: Oracle Banking Corporate Lending Process Management, Base (Apache Avro)
- CVE-2023-39410: Oracle Banking Origination, Maintenance (Apache Avro)
- CVE-2024-38819: Oracle Financial Services Analytical Applications Infrastructure, Platform (Spring Framework)
- CVE-2024-38819: Oracle Financial Services Behavior Detection Platform, Platform (Spring Framework)
- CVE-2023-26031: Oracle Financial Services Compliance Studio, Reports (Apache Hadoop)
- CVE-2022-34169: Oracle Financial Services Compliance Studio, Reports (Apache Xalan-Java)
- CVE-2024-38819: Oracle Financial Services Compliance Studio, Reports (Spring Framework)
- CVE-2023-39410: Oracle Financial Services Model Management and Governance, Installer (Apache Avro)
- CVE-2024-38819: Oracle Financial Services Model Management and Governance, Installer (Spring Framework)
- CVE-2024-34750: Oracle Financial Services Model Management and Governance, Installer (Apache Tomcat)
- CVE-2024-38819: Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, Platform (Spring Framework)
- CVE-2024-28219: Oracle Banking Liquidity Management, Common (Pillow)
- CVE-2024-28219: Oracle Financial Services Compliance Studio, Reports (Pillow)
- CVE-2023-44483: Oracle Financial Services Compliance Studio, Reports (Apache Santuario XML Security For Java)
- CVE-2025-21550: Oracle Financial Services Behavior Detection Platform, Web UI
- CVE-2023-48795: Oracle Financial Services Compliance Studio, Reports (Apache Mina SSHD)
- CVE-2024-35195: Oracle Banking Liquidity Management, Common (requests)
- CVE-2024-35195: Oracle Financial Services Compliance Studio, Reports (requests)
- CVE-2024-34064: Oracle Banking Corporate Lending Process Management, Base (Jinja)
- CVE-2024-34064: Oracle Banking Liquidity Management, Common (Jinja)
- CVE-2024-34064: Oracle Banking Origination, Maintenance (Jinja)
- CVE-2024-34064: Oracle Financial Services Compliance Studio, Reports (Jinja)
- CVE-2023-51074: Oracle Financial Services Behavior Detection Platform, Platform (JsonPath)
- CVE-2023-51074: Oracle Financial Services Compliance Studio, Reports (JsonPath)
- CVE-2023-33201: Oracle Financial Services Model Management and Governance, Installer (Bouncy Castle Java Library)
- CVE-2023-51074: Oracle Financial Services Regulatory Reporting, Platform (JsonPath)
- CVE-2023-51074: Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, Platform (JsonPath)
- CVE-2024-38827: Oracle Financial Services Compliance Studio, Reports (Spring Security)
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Financial Services Analytical Applications Infrastructure
- Platform (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Fusion Middleware Risk Matrix
This Critical Patch Update contains twenty-two new security patches for Oracle Fusion Middleware, eighteen of which are remotely exploitable without authentication. In addition, third-party patches addressing non-exploitable vulnerabilities are included.
Products: Oracle HTTP Server, Oracle WebLogic Server, Oracle HTTP Server, Oracle HTTP Server, Oracle Security Service, Oracle WebLogic Server, Oracle Business Activity Monitoring, Oracle Identity Manager, Oracle Managed File Transfer, Oracle Middleware Common Libraries and Tools, Oracle WebLogic Server, Oracle WebLogic Server, Oracle WebLogic Server, Oracle Business Process Management Suite, Oracle HTTP Server, Oracle Middleware Common Libraries and Tools, Oracle Outside In Technology, Oracle WebLogic Server, Oracle Business Process Management Suite, Oracle HTTP Server, Oracle HTTP Server, Oracle WebCenter Portal
Affected Components: Core (LibExpat), Core, Mod_rewrite, Core (Apache HTTP Server), Mod_Security (OpenSSL), Security Toolkit (Kerberos), Centralized Third party Jars (Eclipse Parsson), BAM (XStream), Installer (Spring Framework), MFT Runtime Server (Apache Tomcat), Third Party (Spring Framework), Centralized Third party Jars (Apache Commons IO), Core, Centralized Third party Jars (Bouncy Castle Java Library), Composer (Apache Avro), Mod_Security (curl), Third Party (jose4j), Outside In Clean Content SDK (Apache Santuario XML Security For Java), Centralized Third party Jars (AntiSamy), Runtime Engine (Apache POI), Core (Apache Portable Runtime), Core, Security Framework (Apache Commons IO)
CVE IDs: CVE-2024-45492, CVE-2025-21535, CVE-2024-38475, CVE-2024-5535, CVE-2024-37371, CVE-2023-7272, CVE-2024-47072, CVE-2024-38819, CVE-2024-34750, CVE-2024-38819, CVE-2024-47554, CVE-2025-21549, CVE-2024-29857, CVE-2024-47561, CVE-2024-8096, CVE-2023-51775, CVE-2023-44483, CVE-2024-23635, CVE-2019-12415, CVE-2023-49582, CVE-2025-21498, CVE-2024-47554
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Coherence
- Third Party (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle WebCenter Portal
- Security Framework (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Analytics Risk Matrix
This Critical Patch Update provides twenty-six new security patches for Oracle Analytics, with twenty-one vulnerabilities that can be remotely exploited without authentication.
Products: Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Analytics Desktop, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition, Oracle Business Intelligence Enterprise Edition
Affected Components: Development Operations (Spring Framework), Analytics Server (SciPy), BI Platform Security (Apache XMLBeans), Platform Security (OpenSSL), Analytics Server (Aircompressor), Analytics Server (Eclipse Parsson), Install, Analytics Server (Apache Commons FileUpload), Analytics Server (Google Guava), Analytics Server (scikit-learn), Analytics Server, Map viewer (Google Protobuf-Java), BI Platform Security (Jettison), Content Storage Service (CodeMirror), Pipeline Test Failures (Gunicorn), Web Catalog (JDOM), Analytics Server (gRPC), Analytics Server (OpenSSL), Platform Security (Apache Avro), Platform Security (Apache Commons Configuration), XML Services (Snowflake JDBC), Analytics Server (requests), Analytics Server (Bouncy Castle Java Library), Analytics Server (Jinja), Analytics Server (Apache HttpClient), Analytics Server, Pipeline Test Failures, Installation (Spring Framework), Analytics Server (urllib3)
CVE IDs: CVE-2016-1000027, CVE-2023-29824, CVE-2021-23926, CVE-2024-5535, CVE-2024-36114, CVE-2023-7272, CVE-2025-21532, CVE-2023-24998, CVE-2023-33953, CVE-2020-28975, CVE-2024-7254, CVE-2022-40150, CVE-2020-7760, CVE-2024-1135, CVE-2021-33813, CVE-2023-4785, CVE-2024-26130, CVE-2024-47561, CVE-2024-29131, CVE-2024-43382, CVE-2024-35195, CVE-2023-33202, CVE-2024-34064, CVE-2020-13956, CVE-2024-38809, CVE-2024-37891
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Analytics Server
- Platform Security (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Health Sciences Applications Risk Matrix
This Critical Patch Update contains two new security patches for Oracle Health Sciences Applications, one of which can be remotely exploited without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2025-21570: Oracle Life Sciences Argus Safety, Login
- CVE-2024-26308: Oracle Life Sciences Empirica Signal, Platform (Apache Commons Compress)
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Life Sciences Empirica Signal
- UI (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Hospitality Applications Risk Matrix
This Critical Patch Update contains one new security patch for Oracle Hospitality Applications, which can be remotely exploited without authentication.
Products: Oracle Hospitality OPERA 5
Affected Components: Opera Servlet
CVE IDs: CVE-2025-21547
Oracle Hyperion Risk Matrix
This Critical Patch Update contains two new security patches for Oracle Hyperion. Neither of them can be remotely exploited without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2025-21569: Oracle Hyperion Data Relationship Management, Web Services
- CVE-2025-21568: Oracle Hyperion Data Relationship Management, Access and Security
Oracle Insurance Applications Risk Matrix
This Critical Patch Update does not contain new security patches for exploitable vulnerabilities. Still, it does include third-party patches addressing non-exploitable vulnerabilities.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Documaker
- Enterprise Edition (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Java SE Risk Matrix
This Critical Patch Update contains two new security patches for Oracle Java SE. One vulnerability can be remotely exploited without authentication.
Products: Oracle Java SE, Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition
Affected Components: Install (Sparkle), Hotspot
CVE IDs: CVE-2025-0509, CVE-2025-21502
Oracle JD Edwards Risk Matrix
This Critical Patch Update includes twenty-three new security patches for Oracle JD Edwards, fourteen of which are remotely exploitable without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2025-21524: JD Edwards EnterpriseOne Tools, Monitoring and Diagnostics SEC
- CVE-2023-3961: JD Edwards EnterpriseOne Tools, E1 Dev Platform Tech – Cloud (Samba)
- CVE-2025-21515: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2024-27983: JD Edwards EnterpriseOne Tools, E1 Dev Platform Tech – Cloud (Node.js)
- CVE-2023-4782: JD Edwards EnterpriseOne Tools, E1 Dev Platform Tech – Cloud (Terraform)
- CVE-2025-21510: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2025-21511: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2023-2976: JD Edwards EnterpriseOne Tools, Monitoring and Diagnostics SEC (Google Guava)
- CVE-2025-21552: JD Edwards EnterpriseOne Orchestrator, E1 IOT Orchestrator Security
- CVE-2025-21508: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2025-21509: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2023-6129: JD Edwards EnterpriseOne Tools, Enterprise Infrastructure SEC (OpenSSL)
- CVE-2025-21527: JD Edwards EnterpriseOne Tools, Design Tools SEC
- CVE-2024-29041: JD Edwards EnterpriseOne Tools, E1 Dev Platform Tech – Cloud (Express.js)
- CVE-2025-21512: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2025-21513: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2025-21538: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2023-48795: JD Edwards EnterpriseOne Tools, Enterprise Infrastructure SEC (Apache Mina SSHD)
- CVE-2024-21245: JD Edwards EnterpriseOne Tools, Business Logic Infra SEC
- CVE-2025-21507: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2024-27280: JD Edwards EnterpriseOne Tools, E1 Dev Platform Tech – Cloud (Ruby)
- CVE-2025-21514: JD Edwards EnterpriseOne Tools, Web Runtime SEC
- CVE-2025-21517: JD Edwards EnterpriseOne Tools, Web Runtime SEC
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
JD Edwards EnterpriseOne Orchestrator
- E1 IOT Orchestrator Security (Quartz): CVE-2023-39017 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
Oracle MySQL Risk Matrix
This Critical Patch Update contains thirty-nine new security patches for Oracle MySQL, with four vulnerabilities that can be remotely exploited without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2024-11053: MySQL Enterprise Backup, Enterprise Backup (curl)
- CVE-2024-37371: MySQL Server, Server: Packaging (Kerberos)
- CVE-2024-11053: MySQL Server, Server: Packaging (curl)
- CVE-2025-21521: MySQL Server, Server: Thread Pooling
- CVE-2025-21518: MySQL Cluster, Cluster: General
- CVE-2025-21500: MySQL Server, Server: Optimizer
- CVE-2025-21501: MySQL Server, Server: Optimizer
- CVE-2025-21518: MySQL Server, Server: Optimizer
- CVE-2025-21566: MySQL Server, Server: Optimizer
- CVE-2025-21522: MySQL Server, Server: Parser
- CVE-2025-21548: MySQL Connectors, Connector/Python
- CVE-2025-21497: MySQL Server, InnoDB
- CVE-2025-21555: MySQL Server, InnoDB
- CVE-2025-21559: MySQL Server, InnoDB
- CVE-2025-21540: MySQL Server, Server: Security: Privileges
- CVE-2025-21531: MySQL Cluster, Cluster: General
- CVE-2025-21543: MySQL Cluster, Cluster: Packaging
- CVE-2025-21490: MySQL Server, InnoDB
- CVE-2025-21491: MySQL Server, InnoDB
- CVE-2025-21503: MySQL Server, InnoDB
- CVE-2025-21523: MySQL Server, InnoDB
- CVE-2025-21531: MySQL Server, InnoDB
- CVE-2025-21505: MySQL Server, Server: Components Services
- CVE-2025-21499: MySQL Server, Server: DDL
- CVE-2025-21525: MySQL Server, Server: DDL
- CVE-2025-21529: MySQL Server, Server: Information Schema
- CVE-2025-21492: MySQL Server, Server: Optimizer
- CVE-2025-21504: MySQL Server, Server: Optimizer
- CVE-2025-21536: MySQL Server, Server: Optimizer
- CVE-2025-21543: MySQL Server, Server: Packaging
- CVE-2025-21534: MySQL Server, Server: Performance Schema
- CVE-2025-21495: MySQL Enterprise Firewall, Firewall
- CVE-2025-21493: MySQL Server, Server: Security: Privileges
- CVE-2025-21519: MySQL Server, Server: Security: Privileges
- CVE-2025-21567: MySQL Server, Server: Security: Privileges
- CVE-2025-21494: MySQL Server, Server: Security: Privileges
- CVE-2025-21546: MySQL Server, Server: Security: Privileges
- CVE-2025-21520: MySQL Cluster, Cluster: General
- CVE-2025-21520: MySQL Server, Server: Options
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
MySQL Server
- Server: Packaging (memcached): CVE-2021-37519 [VEX Justification: vulnerable_code_not_present].
MySQL Shell
- Shell General / Core Client (requests): CVE-2024-35195 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle PeopleSoft Risk Matrix
This Critical Patch Update contains sixteen new security patches for Oracle PeopleSoft, six of which can be remotely exploited without authentication.
Products: PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise FIN Cash Management, PeopleSoft Enterprise FIN eSettlements, PeopleSoft Enterprise SCM Purchasing, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise CC Common Application Objects, PeopleSoft Enterprise CC Common Application Objects, PeopleSoft Enterprise PeopleTools
Affected Components: Security, Porting, Cloud Deployment Architecture (OpenSSL), File Processing (libssh2), OpenSearch, Porting (Python), OpenSearch Dashboards (follow-redirects), OpenSearch (Node.js), Porting (requests), Cash Management, eSettlements, Purchasing, Cloud Deployment Architecture, Logstash (Ruby), OpenSearch (Netty), Porting (urllib3), Run Control Management, Run Control Management, Panel Processor
CVE IDs: CVE-2024-5535, CVE-2020-22218, CVE-2025-21545, CVE-2024-7592, CVE-2024-28849, CVE-2024-22020, CVE-2024-35195, CVE-2025-21537, CVE-2025-21539, CVE-2025-21561, CVE-2024-27280, CVE-2024-29025, CVE-2024-37891, CVE-2025-21562, CVE-2025-21563, CVE-2025-21530
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
PeopleSoft Enterprise PeopleTools
- Charting (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Policy Automation Risk Matrix
This Critical Patch Update does not contain new security patches for exploitable vulnerabilities. Still, it does include third-party patches addressing non-exploitable vulnerabilities.
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Policy Automation
- Determinations Engine (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Retail Applications Risk Matrix
This Critical Patch Update contains two new security patches for Oracle Retail Applications. Both vulnerabilities can be remotely exploited without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2024-38819: Oracle Retail Financial Integration, PeopleSoft Integration Bugs (Spring Framework)
- CVE-2024-38819: Oracle Retail Integration Bus, RIB Kernel (Spring Framework)
Oracle Siebel CRM Risk Matrix
This Critical Patch Update includes two new security patches for Oracle Siebel CRM. One vulnerability can be remotely exploited without authentication.
Products: Siebel CRM End User, Siebel CRM End User
Affected Components: EAI, UI (Oxygen XML WebHelp), Open UI (Gradle)
CVE IDs: CVE-2024-38526, CVE-2023-44387
Oracle Supply Chain Risk Matrix
This Critical Patch Update contains six new security patches for Oracle Supply Chain. Three vulnerabilities are remotely exploitable without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2025-21556: Oracle Agile PLM Framework, Agile Integration Services
- CVE-2024-23807: Oracle Agile Engineering Data Management, Core (Apache Xerces-C++)
- CVE-2025-21564: Oracle Agile PLM Framework, Agile Integration Services
- CVE-2024-34750: Oracle Agile Engineering Data Management, Document Management (Apache Tomcat)
- CVE-2025-21565: Oracle Agile PLM Framework, Install
- CVE-2025-21560: Oracle Agile PLM Framework, SDK-Software Development Kit
Oracle Systems Risk Matrix
This Critical Patch Update contains one new security patch for Oracle Systems, which is not remotely exploitable without authentication.
Products: Oracle Solaris
Affected Components: File System
CVE IDs: CVE-2025-21551
Oracle Utilities Applications Risk Matrix
This Critical Patch Update contains six new security patches for Oracle Utilities Applications, with four vulnerabilities that are remotely exploitable without authentication.
Products, affected components and CVE IDs, one entry per risk-matrix row:
- CVE-2024-38819: Oracle Utilities Testing Accelerator, Tools (Spring Framework)
- CVE-2024-34750: Oracle Utilities Testing Accelerator, Tools (Apache Tomcat)
- CVE-2024-45801: Oracle Utilities Application Framework, General (DOMPurify)
- CVE-2024-35195: Oracle Utilities Network Management System, Third Party (requests)
- CVE-2024-29025: Oracle Utilities Testing Accelerator, Tools (Netty)
- CVE-2024-37891: Oracle Utilities Network Management System, Third Party (urllib3)
Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:
Oracle Utilities Application Framework
- Security (RequireJS): CVE-2024-38998, CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
Oracle Virtualization Risk Matrix
This Critical Patch Update contains two new security patches for Oracle Virtualization. Neither of these vulnerabilities is remotely exploitable without authentication.
Products: Oracle VM VirtualBox, Oracle VM VirtualBox
Affected Components: Core
CVE IDs: CVE-2025-21571, CVE-2025-21533
Conclusion
Applying the January 2025 Critical Patch Update is crucial to mitigate the risks associated with the identified vulnerabilities across Oracle’s extensive product portfolio. Delaying the implementation of these patches could expose systems to potential exploits that target both Oracle and third-party components. It is recommended that organizations thoroughly test the patches in their staging environments before deploying them to production systems to ensure seamless integration and stability.
The next Oracle Critical Patch Update is scheduled for April 15, 2025. Organizations should monitor Oracle’s official security advisories and keep their systems up-to-date to defend against emerging threats.
To simplify the patching process and ensure continuous protection, organizations can leverage SanerNow VM and SanerNow PM, which can detect and remediate these vulnerabilities by applying necessary updates automatically. Stay secure with SanerNow and protect your infrastructure from potential cyber threats.