Oracle encourages customers to apply it Critical January 2025 patch update (CPU) to address 318 new security vulnerabilities covering its products and services.
The most serious of the flaws is a flaw in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS Score: 9.9) that could allow an attacker to seize control of sensitive instances.
“Easily exploitable vulnerability allows low-privileged attackers with network access via HTTP to compromise the Oracle Agile PLM Framework,” it said description security holes in the NIST National Vulnerability Database (NVD).
It should be noted that Oracle warned active attempts to exploit another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.
“Customers are strongly encouraged to apply the January 2025 critical patch update for Oracle Agile PLM Framework as it includes patches for (CVE-2024-21287) as well as additional patches,” said Eric Morris, Oracle’s vice president of security . said.
Some of the other critical severity flaws, all with CVSS ratings of 9.8, reviewed by Oracle are as follows:
- CVE-2025-21524 – A vulnerability in the SEC component of JD Edwards EnterpriseOne’s monitoring and diagnostics tools
- CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne tools
- CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management
- CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of the Oracle Communications Diameter signaling router
- CVE-2024-45492 – Vulnerabilities in the XML parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, and HTTP Server
- CVE-2024-56337 – A vulnerability in the Apache Tomcat server component of Oracle Communications Policy Management
- CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
- CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
- CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition
CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS Score: 9.8), another critical vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.
Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its catalog of known vulnerabilities (KEV), citing evidence of active exploitation in the wild.
Oracle is also considered CVE-2024-37371 (CVSS Score: 9.1), a critical Kerberos 5 flaw affecting connection billing and revenue management that could allow an attacker to “cause an invalid memory read by sending message tokens with invalid length fields.”
Users are encouraged to apply the necessary patches to keep their systems up-to-date and avoid potential security risks.
