Oracle releases April 2025 Patch update addressing 378 vulnerabilities
Take action: As usual, a massive patch release covering all Oracle products. Review the list of products with critical vulnerabilities first, then go through the full list. It's going to be a difficult patching process: prioritize products with critical flaws and move onward from there. As usual, always make a backup before running a patch on any Oracle product.
Oracle has released its Critical Patch Update (CPU) for April 2025, addressing a total of 378 security vulnerabilities across multiple product families. This update is part of Oracle's quarterly patch cycle, which is released on the third Tuesday of January, April, July, and October.
Oracle strongly recommends that customers remain on actively supported versions and apply these security patches without delay, as Oracle continues to receive reports of successful exploitation of vulnerabilities for which patches have already been released.
The security vulnerabilities addressed in this update span across numerous Oracle product families, including Oracle Database, Oracle Communications Applications, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware, Oracle Financial Services Applications, and many other commonly used products.
Multiple critical-severity vulnerabilities have been patched in this update:
- CVE-2024-56337 (CVSS score 9.8) - A critical vulnerability in the Automated Test Suite component (Apache Tomcat) that allows remote attackers to potentially compromise systems via the HTTP protocol, impacting:
  - Oracle Managed File Transfer
  - Oracle Management Cloud Engine
  - Oracle Agile Engineering Data Management
  - Oracle Communications Cloud Native Core Network Data Analytics Function
- CVE-2024-52046 (CVSS score 9.8) - A critical vulnerability in the BEServer component (Apache Mina SSHD) that can be exploited remotely without authentication via the SSH protocol, impacting:
  - Oracle Communications Applications Vulnerability
  - Oracle Management Cloud Engine
  - Oracle Communications Network Integrity
- CVE-2024-38476 (CVSS score 9.8) - A critical vulnerability in the Core component (Apache HTTP Server) that can be exploited remotely without authentication, impacting Oracle HTTP Server
- CVE-2025-24813 (CVSS score 9.8) - A critical vulnerability in the Content Acquisition System component (Apache Tomcat) that can be exploited remotely without authentication, impacting Oracle Commerce Guided Search
- CVE-2022-45047 (CVSS score 9.8) - A critical vulnerability in the Agent Next Gen component (Apache Mina SSHD) that can be exploited remotely without authentication, impacting Oracle Enterprise Manager Base Platform
- CVE-2024-52316 (CVSS score 9.8) - A critical vulnerability in the Next-Gen SPMS component (Apache Tomcat) that can be exploited remotely without authentication, impacting Oracle Hospitality Cruise Shipboard Property Management System
- CVE-2024-23807 (CVSS score 9.8) - A critical vulnerability in the Interoperability SEC component (Apache Xerces-C++) that can be exploited remotely without authentication, impacting Oracle JD Edwards EnterpriseOne Tools
- CVE-2022-34381 (CVSS score 9.8) - A critical vulnerability in the Core component (BSAFE Crypto-J) that can be exploited remotely without authentication, impacting Oracle Retail Store Inventory Management
- CVE-2025-30727 (CVSS score 9.8) - A critical vulnerability in the iSurvey Module that can be exploited remotely without authentication, impacting Oracle Scripting
- CVE-2024-47561 (CVSS score 9.8) - A critical vulnerability in the Rest Converters component (Apache Avro) that can be exploited remotely without authentication, impacting Oracle SOA Suite
- CVE-2024-40896 (CVSS score 9.1) - A critical vulnerability in the Core component (libxml2) that can be exploited remotely without authentication, impacting:
  - Oracle HTTP Server
  - Oracle Communications Cloud Native Core Network Data Analytics Function
  - Oracle MySQL Workbench
- CVE-2024-5535 (CVSS score 9.1) - A critical vulnerability in the Routing component (OpenSSL) that can be exploited remotely without authentication, impacting:
  - Oracle Communications Session Border Controller
  - Oracle JD Edwards EnterpriseOne Tools
- CVE-2024-11053 (CVSS score 9.1) - A critical vulnerability in the Mod_Security component (curl) that can be exploited remotely without authentication, impacting Oracle HTTP Server
Apart from the critical flaws, the update contains about 98 High severity issues (CVSS 7.0-8.9), including notable examples such as an Oracle MySQL Connectors memory corruption (CVE-2025-30706, CVSS 7.5), an Oracle VM VirtualBox authentication bypass (CVE-2025-30712, CVSS 8.1), and an Oracle WebLogic Server vulnerability (CVE-2020-13936, CVSS 8.8). Medium severity vulnerabilities (CVSS 4.0-6.9) make up the largest portion with approximately 211 issues, while Low severity vulnerabilities (CVSS 0.1-3.9) account for roughly 48 patches.