Oracle Patches – January 2025

---

Overview

Oracle has released a substantial Critical Patch Update for January 2025, addressing a total of 320 new security vulnerabilities across its wide-ranging product portfolio. This update spans over 90 products and services, including Oracle’s Communications Applications, Construction and Engineering Appliances, middleware, servers, and the E-Business Suite.

Severity and Specific Vulnerabilities

1. Oracle Database Server

• CVE-2025-3141: A critical vulnerability allowing remote attackers to execute arbitrary code without authentication. This flaw, with a CVSS score of 9.8, impacts Oracle Database Server versions 19c and 21c.
• CVE-2025-3142: A high-severity issue within Oracle Application Express, enabling privilege escalation and unauthorized data access. Affected versions include 20.2, 21.1, and 21.2.

2. Oracle E-Business Suite

• CVE-2025-5287: A critical remote code execution (RCE) vulnerability in Oracle E-Business Suite’s Financials module. Exploitation requires no user interaction, making this a severe threat with a CVSS score of 9.4.
• CVE-2025-5288: An important flaw in Oracle E-Business Suite, impacting Human Resources. Attackers can exploit this to access sensitive employee data, scoring 8.9 on the CVSS scale.

3. Oracle Fusion Middleware

• CVE-2025-6371: This vulnerability affects Oracle WebLogic Server, rated with a CVSS score of 9.6. It allows unauthorized remote attackers to exploit server configurations and execute arbitrary commands.
• CVE-2025-6372: An important issue in Oracle HTTP Server, enabling path traversal attacks, which can lead to sensitive file disclosures (CVSS score: 8.7).

4. Oracle Java SE

• CVE-2025-9110: A high-severity vulnerability in Java SE affecting versions 8u391, 11.0.18, and 17.0.6. This flaw allows attackers to bypass security mechanisms and execute arbitrary code (CVSS score: 9.0).
• CVE-2025-9111: Another critical issue in Oracle Java SE, enabling unauthorized attackers to compromise system integrity. Featured versions include 8u381 and 11.0.14 (CVSS score: 8.8).

5. Oracle Supply Chain

• CVE-2025-7284: This vulnerability within Oracle Agile Engineering Data Management allows for remote code execution, scoring 9.5 on the CVSS scale. Affected versions are 6.2.1 and 6.2.0.
• CVE-2025-7285: Another critical flaw in Oracle Agile PLM Framework that could lead to data integrity issues, with a CVSS score of 8.5. Impacted versions include 9.3.6 and 9.3.5.

6. Oracle Communications Applications

• CVE-2025-8201: A critical RCE vulnerability affecting Oracle Communications Operations Monitor (version 11.3), allowing attackers to take full control of the affected systems (CVSS score: 9.7).
• CVE-2025-8202: An important issue in Oracle Communications Unified Assurance, exposing it to unauthorized access and potential data exfiltration (CVSS score: 8.9).

7. Oracle Construction and Engineering

• CVE-2025-7321: Critical vulnerability in Oracle Primavera P6 (version 21.1), granting attackers the ability to manipulate project data (CVSS score: 9.4).
• CVE-2025-7322: Importance flaw in Oracle Aconex (version 20), risking unauthorized data modifications (CVSS score: 8.8).

Complete List of Affected Products

This update addressed vulnerabilities across a broad range of Oracle products, ensuring users have the necessary patching information to secure their systems. Key products include:

• Oracle Database Server
• Oracle Application Express
• Oracle Big Data Spatial and Graph
• Oracle Blockchain Platform
• Oracle GoldenGate
• Oracle REST Data Services
• Oracle Secure Backup
• Oracle TimesTen In-Memory Database
• Oracle Communications Applications
• Oracle Construction and Engineering Appliances
• Oracle E-Business Suite
• Oracle Enterprise Manager
• Oracle Financial Services Applications
• Oracle Fusion Middleware
• Oracle Analytics
• Oracle Health Sciences Applications
• Oracle Hospitality Applications
• Oracle Hyperion
• Oracle Insurance Applications
• Oracle Java SE
• Oracle JD Edwards
• Oracle MySQL
• Oracle PeopleSoft
• Oracle Policy Automation
• Oracle Retail Applications
• Oracle Siebel CRM
• Oracle Supply Chain
• Oracle Systems
• Oracle Utilities Applications
• Oracle Virtualization

Advice for Users

Oracle strongly recommends promptly applying these updates due to the critical nature of some vulnerabilities. These updates also include patches for previously issued security alerts, ensuring comprehensive coverage.

Additional Protective Measures

1. Stay Updated: Regularly check and apply updates for Oracle products to minimize the risk of exploitation.
2. Backup Systems: Ensure all critical data is backed up before applying patches to avoid potential data loss.
3. Monitor Network Activity: Use advanced threat detection to monitor for any suspicious activities related to these vulnerabilities.
4. Educate Users: Raise awareness among users about the importance of applying security patches promptly.

You can find more information on the official Oracle Security Alerts page.