Oracle Critical Patch Update, January 2025 Security Update Review

Oracle released its first quarterly edition of this year's Critical Patch Update, which received patches for 318 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.

In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 85 constituting about 27% of the total patches released. Oracle MySQL and Oracle Financial Services Applications followed, with 39 and 31 security patches.

230 of the 318 security patches provided by the January Critical Patch Update (about 72%) are for non-Oracle CVEs, such as open-source components included and exploitable in the context of their Oracle product distributions.

This batch of security patches received 10 updates for Oracle Database products. The following is the product-wise distribution:

• Five new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.5.
  • None of these updates apply to client-only deployments of the Oracle Database.
• One new security update for Oracle Application Express with a maximum reported CVSS Base Score of 5.4.
• Two new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.8.
• One new security update for Oracle REST Data Services with a maximum reported CVSS Base Score of 5.3.
• One new security update for Oracle Secure Backup with a maximum reported CVSS Base Score of 7.5.

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Application Express, Oracle GoldenGate, Oracle REST Data Services, Oracle Secure Backup, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Qualys QID Coverage

Qualys has released 12 QIDs mentioned in the table below:

Note: The table will be updated with the additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications received 85 security patches. Out of these, 59 vulnerabilities can be exploited over a network without user credentials.

CVE-2023-46604, CVE-2024-45492, CVE-2024-56337, CVE-2024-37371, CVE-2024-3596, and CVE-2024-53677 in different Oracle Communications products have critical severity ratings. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.

Oracle MySQL

This Critical Patch Update for Oracle MySQL received 39 security patches. Out of these, four vulnerabilities can be exploited over a network without user credentials.

CVE-2024-11053 and CVE-2024-37371 in different Oracle MySQL products have critical severity ratings with a CVSS score of 9.1. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications received 31 security patches. Out of these, 24 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-45492 in Oracle Financial Services Behavior Detection Platform and Oracle Financial Services Trade-Based Anti-Money Laundering Enterprise Edition has a critical severity rating with a CVSS score of 9.8. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.

Oracle Communications Applications

This Critical Patch Update for Oracle Communications Applications received 28 security patches. Out of these, 15 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-37371 in Oracle Communications Billing and Revenue Management has a critical severity rating with a CVSS score of 9.1. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Analytics

This Critical Patch Update for Oracle Analytics received 26 security patches. Out of these, 21 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-5535, CVE-2021-23926, CVE-2023-29824, and CVE-2016-1000027 in different products of Oracle Analytics have critical severity ratings. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle JD Edwards

This Critical Patch Update for Oracle JD Edwards received 23 security patches. Out of these, 14 vulnerabilities can be exploited over a network without user credentials.

CVE-2023-3961 and CVE-2025-21524 in the JD Edwards EnterpriseOne Tools have critical severity ratings with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Enterprise Manager received 22 security patches. Out of these, 18 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-45492, CVE-2025-21535, CVE-2024-38475, CVE-2024-5535, CVE-2024-37371, and CVE-2024-53677 in the different products of Oracle Fusion Middleware have critical severity ratings. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Related

Public link

Please use the above public link if you want to share this noodl on another website.