Advisory

Oracle releases January 2025 Patch update addressing 318 new security vulnerabilities

Take action: Once again, a massive patch release covering all of Oracle's product families. Start by reviewing the list of products with critical vulnerabilities, then work through the full list. It's going to be a difficult patching process: prioritize products with critical flaws and move onward from there. As usual, always take a backup before applying a patch to an Oracle product.


Learn More

Oracle has released its first Critical Patch Update for 2025, addressing a total of 318 new security vulnerabilities across its product families.

This quarterly update includes patches for 18 critical vulnerabilities with CVSS scores of 9.0 or higher, affecting major products including WebLogic Server, HTTP Server, MySQL, and various communications and business intelligence applications.

Oracle's database products receive 10 new security patches covering components including the Oracle Database Server and Application Express. MySQL receives 39 new security patches, four of which are remotely exploitable without authentication. The Java SE platform receives two new security patches, one of which is remotely exploitable without authentication. Oracle Fusion Middleware receives 22 new security patches, 18 of which are remotely exploitable without authentication.

Critical Vulnerabilities Patched

  • CVE-2025-21556 (CVSS score 9.9) - Oracle Agile PLM Framework, Agile Integration Services. Low attack complexity; requires only low privileges
  • CVE-2024-23807 (CVSS score 9.8) - Oracle Agile Engineering Data Management, Core (Apache Xerces-C++)
  • CVE-2024-45492 (CVSS score 9.8) - Oracle HTTP Server, Core (LibExpat)
  • CVE-2025-21535 (CVSS score 9.8) - Oracle WebLogic Server
  • CVE-2016-1000027 (CVSS score 9.8) - Oracle BI Publisher, Development Operations (Spring Framework)
  • CVE-2023-29824 (CVSS score 9.8) - Oracle Business Intelligence Enterprise Edition, Analytics Server (SciPy)
  • CVE-2023-46604 (CVSS score 9.8) - Oracle Communications Diameter Signaling Router, Patches (Apache ActiveMQ)
  • CVE-2024-45492 (CVSS score 9.8) - Oracle Financial Services Behavior Detection Platform, Platform (LibExpat)
  • CVE-2024-56337 (CVSS score 9.8) - Oracle Communications Policy Management, Configuration Management Platform (Apache Tomcat)
  • CVE-2025-21524 (CVSS score 9.8) - JD Edwards EnterpriseOne Tools, Monitoring and Diagnostics SEC
  • CVE-2023-3961 (CVSS score 9.8) - JD Edwards EnterpriseOne Tools, E1 Dev Platform Tech - Cloud (Samba)
  • CVE-2024-37371 (CVSS score 9.1) - Multiple Products affected: Oracle Security Service, Oracle HTTP Server, Oracle Communications Billing and Revenue Management
  • CVE-2024-5535 (CVSS score 9.1) - PeopleSoft Enterprise PeopleTools, Security, Porting, Cloud Deployment Architecture (OpenSSL)
  • CVE-2025-21547 (CVSS score 9.1) - Oracle Hospitality OPERA 5, Opera Servlet
  • CVE-2024-38475 (CVSS score 9.1) - Oracle HTTP Server, Mod_rewrite, Core (Apache HTTP Server)
  • CVE-2021-23926 (CVSS score 9.1) - Oracle Business Intelligence Enterprise Edition, BI Platform Security (Apache XMLBeans)
  • CVE-2024-11053 (CVSS score 9.1) - Multiple Products: MySQL Enterprise Backup, MySQL Server, Enterprise Backup (curl) / Server: Packaging (curl)
  • CVE-2024-3596 (CVSS score 9.0) - Multiple Products: Oracle Communications Cloud Native Core Console, Oracle Communications Operations Monitor
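The list above is long enough that a patch team will want it in structured form before triage. The following is an added example, not part of the advisory or any Oracle tooling: it parses bullet lines in the format used on this page into records, sorts them by CVSS score so the highest-severity items are handled first, shows which CVEs appear under more than one product (CVE-2024-45492 is listed twice above), and groups entries by the bundled third-party component named in parentheses. The regular expressions are an assumption about this page's line format, and the sample input is a handful of lines copied from the list above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a few bullet lines copied verbatim from the advisory's list above.
ADVISORY_LINES = """\
  • CVE-2025-21556 (CVSS score 9.9) - Oracle Agile PLM Framework, Agile Integration Services. Low attack complexity; requires only low privileges
  • CVE-2024-45492 (CVSS score 9.8) - Oracle HTTP Server, Core (LibExpat)
  • CVE-2025-21535 (CVSS score 9.8) - Oracle WebLogic Server
  • CVE-2024-45492 (CVSS score 9.8) - Oracle Financial Services Behavior Detection Platform, Platform (LibExpat)
  • CVE-2024-38475 (CVSS score 9.1) - Oracle HTTP Server, Mod_rewrite, Core (Apache HTTP Server)
  • CVE-2024-3596 (CVSS score 9.0) - Multiple Products: Oracle Communications Cloud Native Core Console, Oracle Communications Operations Monitor
"""

# Assumed line shape: "• CVE-YYYY-NNNN (CVSS score X.Y) - <product>, <component> (<third-party lib>)"
LINE_RE = re.compile(
    r"^\s*•\s*(CVE-\d{4}-\d{4,})\s*\(CVSS score\s*([0-9.]+)\)\s*-\s*(.+?)\s*$"
)
# A trailing parenthesised name is the upstream component Oracle bundles (e.g. LibExpat).
COMPONENT_RE = re.compile(r"\(([^()]+)\)\s*$")


@dataclass(frozen=True)
class Entry:
    cve: str
    cvss: float
    product: str          # first segment of the description, library suffix removed
    description: str      # full text after the CVSS score
    third_party: Optional[str]


def parse_advisory(text: str) -> List[Entry]:
    """Turn advisory bullet lines into Entry records; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cve, score, rest = m.groups()
        comp = COMPONENT_RE.search(rest)
        third_party = comp.group(1).strip() if comp else None
        product = COMPONENT_RE.sub("", rest.split(",")[0]).strip()
        entries.append(Entry(cve, float(score), product, rest, third_party))
    return entries


def prioritize(entries: List[Entry], threshold: float = 9.0) -> List[Entry]:
    """Entries at or above the CVSS threshold, highest score first (ties by CVE, then product)."""
    critical = [e for e in entries if e.cvss >= threshold]
    return sorted(critical, key=lambda e: (-e.cvss, e.cve, e.product))


def products_by_cve(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each CVE to every product it is listed under; one CVE can need patches in several."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        out.setdefault(e.cve, []).append(e.product)
    return out


def third_party_components(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each bundled upstream component to the distinct CVEs fixed in it."""
    out: Dict[str, set] = {}
    for e in entries:
        if e.third_party:
            out.setdefault(e.third_party, set()).add(e.cve)
    return {comp: sorted(cves) for comp, cves in out.items()}


if __name__ == "__main__":
    parsed = parse_advisory(ADVISORY_LINES)
    for e in prioritize(parsed):
        print(f"{e.cvss:4.1f}  {e.cve}  {e.product}")
    print("CVEs listed under multiple products:",
          {c: p for c, p in products_by_cve(parsed).items() if len(p) > 1})
    print("Upstream components:", third_party_components(parsed))
```

Feeding the full list from the page into `parse_advisory` gives a worklist ordered by severity; `third_party_components` is useful because a library such as LibExpat or Apache HTTP Server may also be installed outside Oracle products and need the same upstream fix there.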

Oracle strongly advises timely patching due to persistent successful attacks against customers who failed to apply available security patches. The company provides patches only for product versions covered under Premier Support or Extended Support phases of the Lifetime Support Policy.

Oracle has announced its Critical Patch Update schedule for 2025, with the next updates scheduled for April 15, July 15, and October 21, 2025, followed by January 20, 2026.
