Article Details
Scrape Timestamp (UTC): 2025-01-22 07:30:44.395
Source: https://thehackernews.com/2025/01/oracle-releases-january-2025-patch-to.html
Original Article Text
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.

The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances. "Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Agile PLM Framework," according to a description of the security hole in the NIST National Vulnerability Database (NVD).

It's worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.

"Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches," Eric Maurice, vice president of Security Assurance at Oracle, said.

Some of the other critical severity flaws, all rated 9.8 on the CVSS score, addressed by Oracle are as follows -

CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.

Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could permit an attacker to "cause invalid memory reads by sending message tokens with invalid length fields."
Users are advised to apply the necessary patches to keep their systems up-to-date and avoid potential security risks.
Daily Brief Summary
Oracle issued a Critical Patch Update in January 2025, addressing 318 security vulnerabilities across its various products.
The most critical flaw, CVE-2025-21556 in Oracle Agile Product Lifecycle Management (PLM) Framework, has a CVSS score of 9.9 and permits attackers with limited privileges and HTTP network access to take control of affected systems.
Oracle has noted active attack attempts on another significant vulnerability within the same PLM Framework, CVE-2024-21287.
The patch also includes fixes for several other critical vulnerabilities, each rated 9.8 on the CVSS scale.
Among the serious vulnerabilities patched was CVE-2025-21535 in Oracle WebLogic Server, which, like the similar CVE-2020-2883, could be exploited by an unauthenticated attacker with network access via IIOP or T3.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the older WebLogic flaw CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.
Oracle’s Security Assurance VP, Eric Maurice, strongly advises customers to apply the updates urgently to mitigate potential security risks.
The update also fixes a critical Kerberos 5 issue in Oracle Communications Billing and Revenue Management, tracked as CVE-2024-37371, which could allow an attacker to trigger invalid memory reads by sending message tokens with invalid length fields.