Oracle Critical Patch Update Advisory - January 2025

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 318 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2025 Critical Patch Update: Executive Summary and Analysis.

Please note that since the release of the October 2024 Critical Patch Update, Oracle has released a Security Alert for Oracle Agile PLM Framework CVE-2024-21287 (November 18, 2024). Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework, which includes patches for this Alert as well as additional patches.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Enterprise Manager for MySQL Database, version 13.5.2.0.0 | Oracle Enterprise Manager
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.9.2 | JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.9.2 | JD Edwards
MySQL Cluster, versions 7.6.32 and prior, 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior | MySQL
MySQL Connectors, versions 9.1.0 and prior | MySQL
MySQL Enterprise Backup, versions 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior | MySQL
MySQL Enterprise Firewall, versions 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior | MySQL
MySQL Server, versions 8.0.40 and prior, 8.4.3 and prior, 9.0.1 and prior, 9.1.0 and prior | MySQL
MySQL Shell, versions 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior | MySQL
Oracle Agile Engineering Data Management, version 6.2.1 | Oracle Supply Chain Products
Oracle Agile PLM Framework, version 9.3.6 | Oracle Supply Chain Products
Oracle Analytics Desktop, versions prior to 8.1.0 | Oracle Analytics
Oracle Application Express, versions 23.2, 24.1 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Oracle Enterprise Manager
Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0-14.7.0.0.0 | Contact Support
Oracle Banking Liquidity Management, version 14.7.5.0.0 | Contact Support
Oracle Banking Origination, versions 14.5.0.0.0-14.7.0.0.0 | Contact Support
Oracle BI Publisher, versions 7.0.0.0.0, 7.6.0.0.0 | Oracle Analytics
Oracle Big Data Spatial and Graph, version 3.7 | Database
Oracle Blockchain Platform, versions 21.1.2, 24.1.3 | Oracle Blockchain Platform
Oracle Business Activity Monitoring, version 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 | Oracle Analytics
Oracle Business Process Management Suite, version 12.2.1.4.0 | Fusion Middleware
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search, version 11.3.2 | Oracle Commerce
Oracle Communications Billing and Revenue Management, versions 12.0.0.4-12.0.0.8, 15.0.0.0-15.0.0.1 | Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.4-12.0.0.8, 15.0.0.0, 15.0.1.0 | Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Cloud Native Core Automated Test Suite, version 24.2.0 | Oracle Communications Cloud Native Core Automated Test Suite
Oracle Communications Cloud Native Core Binding Support Function, versions 24.2.0, 24.2.1 | Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Certificate Management, version 24.2.1 | Oracle Communications Cloud Native Core Certificate Management
Oracle Communications Cloud Native Core Console, version 24.2.1 | Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core DBTier, versions 24.1.0, 24.2.0 | Oracle Communications Cloud Native Core DBTier
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 24.2.0, 24.3.0 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, version 24.2.2 | Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, versions 24.2.0-24.2.2 | Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.2.0, 24.2.1, 24.2.2 | Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, versions 24.2.0, 24.3.0 | Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.4, 24.1.1, 24.2.2, 24.2.3, 24.3.0 | Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Converged Application Server, versions 8.0, 8.1 | Oracle Communications Converged Application Server
Oracle Communications Convergence, versions 3.0.2.0.0, 3.0.3.0.0, 3.0.3.3.0 | Oracle Communications Convergence
Oracle Communications Diameter Signaling Router, versions 8.2.3.0.0, 8.6.0.4.0, 9.0, 9.0.0.0.0-9.0.2.0.0 | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Element Management System, version 47.0.0.0.0 | Oracle Communications EAGLE Element Management System
Oracle Communications Messaging Server, version 8.1.0.26 | Oracle Communications Messaging Server
Oracle Communications Network Analytics Data Director, versions 24.1.0, 24.2.0 | Oracle Communications Network Analytics Data Director
Oracle Communications Offline Mediation Controller, versions 12.0.0.8, 15.0.0.0, 15.0.1.0 | Oracle Communications Offline Mediation Controller
Oracle Communications Operations Monitor, versions 5.1, 5.2 | Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1, 7.5.0 | Oracle Communications Order and Service Management
Oracle Communications Policy Management, version 15.0.0.0.0 | Oracle Communications Policy Management
Oracle Communications Service Catalog and Design, versions 8.0.0.3, 8.1.0.1 | Oracle Communications Service Catalog and Design
Oracle Communications Session Border Controller, versions 9.2.0, 9.3.0 | Oracle Communications Session Border Controller
Oracle Communications Unified Assurance, versions 6.0.0-6.0.5 | Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2, 7.5.1, 7.6.0 | Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository, versions 12.11, 14.0, 15.0 | Oracle Communications User Data Repository
Oracle Database Server, versions 19.1, 19.3-19.25, 21.3-21.16, 23.4-23.6 | Database
Oracle Documaker, versions 12.7.1, 12.7.2, 13.0.0 | Oracle Insurance Applications
Oracle E-Business Suite, versions 12.2.3-12.2.14 | Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0 | Oracle Enterprise Communications Broker
Oracle Enterprise Manager Base Platform, version 13.5.0.0 | Oracle Enterprise Manager
Oracle Enterprise Session Border Controller, versions 9.2.0, 9.3.0 | Oracle Enterprise Session Border Controller
Oracle Essbase, version 21.7 | Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.8, 8.0.8.6, 8.1.2.5 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.2.7, 8.1.2.8 | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Compliance Studio, versions 8.1.2.5, 8.1.2.6 | Oracle Financial Services Compliance Studio
Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.2.7, 8.1.2.8 | Oracle Financial Services Enterprise Case Management
Oracle Financial Services Model Management and Governance, versions 8.1.2.6, 8.1.2.7, 8.1.3.0 | Oracle Financial Services Model Management and Governance
Oracle Financial Services Regulatory Reporting, versions 8.1.2.7, 8.1.2.8 | Oracle Financial Services Regulatory Reporting
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0-7.0.0.0.0 | Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | Fusion Middleware
Oracle GoldenGate, versions 19.1.0.0.0-19.25.0.0.241015, 21.3-21.16, 23.4-23.6 | Database
Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3.0.0.0-21.16.0.0.0, 23.4-23.6 | Database
Oracle GoldenGate Studio, version 12.2.0.4.0 | Database
Oracle GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.240430 | Database
Oracle GraalVM Enterprise Edition, versions 20.3.16, 21.3.12 | Java SE
Oracle GraalVM for JDK, versions 17.0.13, 21.0.5, 23.0.1 | Java SE
Oracle Graph Server and Client, versions 23.4.4, 24.4.0 | Database
Oracle Hospitality OPERA 5, versions 5.6.19.20, 5.6.25.8, 5.6.26.6, 5.6.27.1 | Oracle Hospitality OPERA 5 Property Services
Oracle HTTP Server, version 12.2.1.4.0 | Fusion Middleware
Oracle Hyperion Data Relationship Management, version 11.2.19.0.0 | Oracle Enterprise Performance Management
Oracle Identity Manager, version 12.2.1.4.0 | Fusion Middleware
Oracle Java SE, versions 8u431, 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1 | Java SE
Oracle Life Sciences Argus Safety, version 8.2.3 | Health Sciences
Oracle Life Sciences Empirica Signal, versions prior to 9.2.3 | Health Sciences
Oracle Managed File Transfer, version 12.2.1.4.0 | Fusion Middleware
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | Fusion Middleware
Oracle Outside In Technology, version 8.5.7 | Fusion Middleware
Oracle Policy Automation, versions 12.2.18-12.2.36 | Oracle Policy Automation
Oracle REST Data Services, versions 23.3.0.289.1830, 23.3.1.305.1055, 23.4.0.346.1619, 23.4.1.38.1857, 24.1.0.108.942, 24.1.1.120.1228, 24.1.2.163.1158, 24.2.0, 24.2.0.169.2208, 24.2.1.180.1634, 24.2.2.187.1943, 24.3.0 | Database
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3.0, 19.0.1.0 | Retail Applications
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3.0, 19.0.1.0 | Retail Applications
Oracle SD-WAN Edge, versions 9.1.1.0-9.1.1.9 | Oracle SD-WAN Edge
Oracle Secure Backup, versions 18.1.0.1.0, 18.1.0.2.0, 19.1.0.0.0 | Oracle Secure Backup
Oracle Security Service, version 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, version 11 | Systems
Oracle TimesTen In-Memory Database, versions 18.1, 22.1 | Database
Oracle Utilities Application Framework, versions 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0 | Oracle Utilities Applications
Oracle Utilities Network Management System, versions 2.5.0.1.14, 2.5.0.1.15, 2.5.0.2.9, 2.6.0.1.5, 2.6.0.1.7 | Oracle Utilities Applications
Oracle Utilities Testing Accelerator, versions 6.0.0.1.0-6.0.0.3.0, 7.0.0.0.0-7.0.0.1.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 7.0.24, prior to 7.1.6 | Virtualization
Oracle WebCenter Portal, version 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 | Fusion Middleware
PeopleSoft Enterprise CC Common Application Objects, version 9.2 | PeopleSoft
PeopleSoft Enterprise FIN Cash Management, version 9.2 | PeopleSoft
PeopleSoft Enterprise FIN eSettlements, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.60, 8.61 | PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2 | PeopleSoft
Primavera Gateway, versions 20.12.0-20.12.15, 21.12.0-21.12.13 | Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1.0-22.12.16.0, 23.12.1.0-23.12.10.0 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.12, 24.12.0 | Oracle Construction and Engineering Suite
Siebel Applications, versions 24.11 and prior | Siebel
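
Triaging this table by hand is error-prone because the version clauses mix four notations: an exact version, a closed range written as A-B, "prior to X" (X itself is the fixed release) and "X and prior". The script below is an added example and not part of Oracle's advisory: it parses six entries copied from the table above, checks a constructed sample inventory against them, and reads a clause that lists several "and prior" bounds as one bound per release series, so that MySQL 8.4.4 is not swept in by "9.1.0 and prior". That per-series reading is the script's own assumption about how the MySQL rows are meant, not a rule Oracle states.

```python
"""Check installed versions against a CPU 'Affected Products and Versions' table.
Added example, not Oracle's code. AFFECTED_TABLE entries are copied from the advisory;
INVENTORY is a constructed sample, not real data."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Predicate = Callable[[str], bool]

AFFECTED_TABLE = [
    "Oracle Database Server, versions 19.1, 19.3-19.25, 21.3-21.16, 23.4-23.6",
    "MySQL Server, versions 8.0.40 and prior, 8.4.3 and prior, 9.0.1 and prior, 9.1.0 and prior",
    "Oracle VM VirtualBox, versions prior to 7.0.24, prior to 7.1.6",
    "Oracle Java SE, versions 8u431, 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1",
    "Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0",
    "Oracle Solaris, version 11",
]

INVENTORY = {  # constructed sample: product -> installed version
    "Oracle Database Server": "19.24",
    "MySQL Server": "8.0.39",
    "Oracle VM VirtualBox": "7.1.6",
    "Oracle Java SE": "8u431",
    "Oracle WebLogic Server": "14.1.2.0.0",
    "Oracle Solaris": "11",
}


def parse_version(text: str) -> Optional[Version]:
    """'19.25' -> (19, 25); Java's '8u431' -> (8, 431); None when not purely numeric."""
    text = text.strip().replace("u", ".")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare; the shorter tuple is zero-padded so that 19.3 == 19.3.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_item(item: str, series_scoped: bool = False) -> Predicate:
    """One item of a 'versions ...' clause -> predicate over an installed version string.
    series_scoped=True additionally ties an 'X and prior' bound to X's major.minor series
    (this script's assumption for rows that list several such bounds)."""
    item = item.strip()
    lo: Optional[Version] = None
    hi: Optional[Version] = None
    hi_inclusive, series = True, None
    if m := re.fullmatch(r"prior to (\S+)", item):          # X itself is fixed
        hi, hi_inclusive = parse_version(m.group(1)), False
    elif m := re.fullmatch(r"(\S+) and prior", item):       # X is still affected
        hi = parse_version(m.group(1))
        series = hi[:2] if (series_scoped and hi) else None
    elif "-" in item and all(parse_version(p) for p in item.split("-", 1)):
        lo, hi = (parse_version(p) for p in item.split("-", 1))   # closed range A-B
    elif (exact := parse_version(item)) is not None:
        lo = hi = exact
    else:  # e.g. '8u431-perf' is not numeric, so it only matches literally
        return lambda installed: installed.strip() == item
    if hi is None:
        raise ValueError(f"unparsable bound in {item!r}")

    def predicate(installed: str) -> bool:
        v = parse_version(installed)
        if v is None or (lo is not None and compare(v, lo) < 0):
            return False
        if series is not None and compare(v[:2], series) != 0:
            return False
        c = compare(v, hi)
        return c < 0 or (c == 0 and hi_inclusive)

    return predicate


def parse_entry(line: str) -> Tuple[str, List[Predicate]]:
    """'Product, versions a, b-c ...' -> (product name, one predicate per item)."""
    text = line.split(" | ")[0].strip()  # tolerate a trailing patch-document column
    m = re.fullmatch(r"(.+?), versions? (.+)", text)
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    items = m.group(2).split(", ")
    scoped = sum(i.endswith(" and prior") for i in items) > 1
    return m.group(1), [parse_item(i, scoped) for i in items]


def is_affected(line: str, installed: str) -> bool:
    _, predicates = parse_entry(line)
    return any(p(installed) for p in predicates)


def affected_products(table: List[str], inventory: Dict[str, str]) -> Dict[str, bool]:
    """For each inventoried product that appears in the table: is its installed version listed?"""
    hits = {}
    for line in table:
        product, predicates = parse_entry(line)
        if product in inventory:
            hits[product] = any(p(inventory[product]) for p in predicates)
    return hits


if __name__ == "__main__":
    for product, hit in affected_products(AFFECTED_TABLE, INVENTORY).items():
        print(f"{'AFFECTED' if hit else 'not listed':<10} {product} {INVENTORY[product]}")
```

A miss from this script means only that the installed version is not in the list of supported, tested versions; as the advisory says further down, releases that are out of Premier or Extended Support are not tested and are likely to be affected too, so treat a miss on an unsupported release as "upgrade", not "safe".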

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE ID. A vulnerability that affects multiple products will appear with the same CVE ID in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Vulnerabilities in third party components that are not exploitable through their inclusion in Oracle products are listed below the respective Oracle product's risk matrix. Starting with the July 2023 Critical Patch Update, a VEX justification is also provided.

The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy that further supplements the Lifetime Support Policy as explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Ahmed Shah of Malleum: CVE-2025-21507, CVE-2025-21508, CVE-2025-21509, CVE-2025-21510, CVE-2025-21511, CVE-2025-21512, CVE-2025-21513, CVE-2025-21514, CVE-2025-21515, CVE-2025-21527
  • Alex Warren of Softsource vBridge: CVE-2025-21512
  • Arjun Giri of Green Tick Nepal Pvt. Ltd.: CVE-2025-21532
  • Dawid Jonienc: CVE-2025-21568
  • Jie Liang of WingTecher Lab of Tsinghua University: CVE-2025-21500, CVE-2025-21501, CVE-2025-21518
  • Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2025-21500, CVE-2025-21501, CVE-2025-21518
  • Joel Snape of CrowdStrike: CVE-2025-21556
  • Kandi Abhishek Reddy: CVE-2025-21533
  • Long Lagon: CVE-2025-21550
  • Lutz Wolf of CrowdStrike: CVE-2025-21556
  • Marco Nappi: CVE-2025-21570
  • Milad Seddigh: CVE-2025-21557
  • Nadeem Douba of Malleum: CVE-2025-21507, CVE-2025-21508, CVE-2025-21509, CVE-2025-21510, CVE-2025-21511, CVE-2025-21512, CVE-2025-21513, CVE-2025-21514, CVE-2025-21515, CVE-2025-21527
  • Niels te Grotenhuis: CVE-2025-21546
  • Robert Ingruber of Siemens Energy: CVE-2025-21558
  • Sonny of watchTowr: CVE-2025-21547
  • Thomas Riedmaier of Siemens Energy: CVE-2025-21558
  • Weibin Shi: CVE-2025-21548
  • Yuhao Jiang: CVE-2025-21571
  • Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2025-21500, CVE-2025-21501, CVE-2025-21518
  • Zongrui Peng of WingTecher Lab of Tsinghua University: CVE-2025-21518

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Ameen Basha M K
  • Balasubramannyam Sunil
  • Michał Matuśkiewicz of POL Cyber Command
  • Sergey Bylokhov of Amazon

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Aditya Bohra
  • Ahmed Abdel Hady
  • Cale Anderson
  • David PS Abraham
  • Dima Ashkinazi of Alerts Bar
  • Donato Di Pasquale
  • Eslam Monex
  • Guillaume Valadon of GitGuardian
  • Hannu Forsten [2 reports]
  • Immanuel Chavoya
  • Jiya Varghese [4 reports]
  • Lucio Sá (Wordfence)
  • Mrfidal
  • Philippe Delteil
  • Praveen Das [2 reports]
  • Sabyasachi Samanta
  • Sambardhan Khanal
  • Saptak Saha
  • Sebastian Radulea
  • Shivam Dhingra
  • Shivansh Khare [2 reports]
  • vishal kumar
  • Xiang Li from AOSP Lab of Nankai University

Critical Patch Update Schedule

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 April 2025
  • 15 July 2025
  • 21 October 2025
  • 20 January 2026

References

 

Modification History

Date Note
2025-February-11 Rev 2. Updated version information for CVE-2024-35195 and CVE-2024-49766.
2025-January-21 Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 10 new security patches for Oracle Database Products divided as follows:

  • 5 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Application Express
  • No new security patches for Oracle Big Data Spatial and Graph, but third party patches are provided
  • No new security patches for Oracle Blockchain Platform, but third party patches are provided
  • No new security patches for Oracle Essbase, but third party patches are provided
  • 2 new security patches for Oracle GoldenGate
  • No new security patches for Oracle Graph Server and Client, but third party patches are provided
  • 1 new security patch for Oracle REST Data Services
  • 1 new security patch for Oracle Secure Backup
  • No new security patches for Oracle TimesTen In-Memory Database, but third party patches are provided

Oracle Database Server Risk Matrix

This Critical Patch Update contains 5 new security patches, plus additional third party patches noted below, for Oracle Database Products.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE ID | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-52428 | Oracle Graal Development Kit for Micronaut (Nimbus JOSE+JWT) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.5-23.6
CVE-2022-26345 | Oracle Database Data Mining (Intel oneAPI Toolkit OpenMP) | Authenticated User | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 19.3-19.25, 21.3-21.16
CVE-2023-48795 | Database Migration Assistant for Unicode (Apache Mina SSHD) | None | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 19.1
CVE-2025-21553 | Java VM | Create Session, Create Procedure | Oracle Net | No | 4.2 | Network | High | Low | None | Unchanged | Low | Low | None | 19.3-19.25, 21.3-21.16, 23.4-23.6
CVE-2024-21211 | GraalVM Multilingual Engine | Authenticated User | Oracle Net | No | 3.1 | Network | High | Low | None | Unchanged | None | Low | None | 21.4-21.16, 23.5-23.6
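
The eight CVSS columns of a matrix row are enough to rebuild the vector string, which Oracle does not print, and to check the Base Score column. The script below is an added example and not part of Oracle's advisory: it transcribes the five Database Server rows above plus the Application Express row from the next matrix (the only row in this part of the advisory with Scope: Changed, which exercises the 1.08 multiplier and the different Privileges Required weights), recomputes every base score with the CVSS v3.1 formulas, and derives the "Remote Exploit without Auth.?" flag as Attack Vector: Network together with Privileges Required: None. That derivation is the example's assumption; it agrees with every row in these matrices, but Oracle's printed column remains the authoritative value.

```python
"""Recompute CVSS v3.1 base scores from Oracle risk-matrix columns.
Added example, not Oracle's code; ROWS are transcribed from the advisory's matrices."""
import math
from dataclasses import dataclass
from typing import Dict, Tuple

# Metric weights from the CVSS v3.1 specification, section 7.4.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.5}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
ABBREV = {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
          "High": "H", "Low": "L", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(value: float) -> float:
    """Roundup() as defined in CVSS v3.1 appendix A: scale to an integer first so that
    float noise such as 4.0000001 still rounds to 4.0, while 4.02 becomes 4.1."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


@dataclass(frozen=True)
class MatrixRow:
    """One risk-matrix row, transcribed column by column from the advisory."""
    cve: str
    attack_vector: str
    attack_complexity: str
    privileges_required: str
    user_interaction: str
    scope: str
    confidentiality: str
    integrity: str
    availability: str
    oracle_base_score: float       # the 'Base Score' column as printed
    oracle_remote_no_auth: bool    # the 'Remote Exploit without Auth.?' column

    def vector(self) -> str:
        parts = (self.attack_vector, self.attack_complexity, self.privileges_required,
                 self.user_interaction, self.scope, self.confidentiality,
                 self.integrity, self.availability)
        return "CVSS:3.1/AV:{}/AC:{}/PR:{}/UI:{}/S:{}/C:{}/I:{}/A:{}".format(
            *(ABBREV[p] for p in parts))

    def base_score(self) -> float:
        changed = self.scope == "Changed"
        iss = 1 - ((1 - CIA[self.confidentiality]) * (1 - CIA[self.integrity])
                   * (1 - CIA[self.availability]))
        impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
        pr = (PR_CHANGED if changed else PR_UNCHANGED)[self.privileges_required]
        exploitability = (8.22 * AV[self.attack_vector] * AC[self.attack_complexity]
                          * pr * UI[self.user_interaction])
        if impact <= 0:
            return 0.0
        total = impact + exploitability
        return roundup(min(1.08 * total if changed else total, 10))

    def remote_no_auth(self) -> bool:
        """Assumed reading of Oracle's Yes/No column: reachable over the network, no privileges."""
        return self.attack_vector == "Network" and self.privileges_required == "None"


# Database Server rows, then the Application Express row (Scope: Changed).
ROWS = [
    MatrixRow("CVE-2023-52428", "Network", "Low", "None", "None", "Unchanged", "None", "None", "High", 7.5, True),
    MatrixRow("CVE-2022-26345", "Local", "High", "Low", "Required", "Unchanged", "High", "High", "High", 6.7, False),
    MatrixRow("CVE-2023-48795", "Network", "High", "None", "None", "Unchanged", "None", "High", "None", 5.9, True),
    MatrixRow("CVE-2025-21553", "Network", "High", "Low", "None", "Unchanged", "Low", "Low", "None", 4.2, False),
    MatrixRow("CVE-2024-21211", "Network", "High", "Low", "None", "Unchanged", "None", "Low", "None", 3.1, False),
    MatrixRow("CVE-2025-21557", "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None", 5.4, False),
]


def verify(rows=ROWS) -> Dict[str, Tuple[str, float, bool]]:
    """CVE -> (vector string, recomputed score, True if score and Yes/No flag both match)."""
    return {r.cve: (r.vector(), r.base_score(),
                    r.base_score() == r.oracle_base_score
                    and r.remote_no_auth() == r.oracle_remote_no_auth)
            for r in rows}


if __name__ == "__main__":
    for cve, (vec, score, ok) in verify().items():
        print(f"{cve}  {vec}  {score:>4}  {'OK' if ok else 'MISMATCH'}")
```

The vector strings are what a scanner or ticketing system expects, so this is a convenient way to load a matrix into tooling. The score alone does not decide applicability: the Protocol and Package/Privilege columns do. For CVE-2025-21553, for instance, the question for a given database is which accounts hold Create Session and Create Procedure and whether any of them are untrusted.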

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Database Grid (Apache Tomcat): CVE-2024-52316 and CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Database Workload Manager (Apache Commons-IO): CVE-2024-52316 and CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph (Apache Lucene): CVE-2024-45772 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph Mapviewer (Google Protobuf-Java): CVE-2024-7254 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph Spatial Web Services (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Application Express Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Application Express.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2025-21557 | Oracle Application Express | General | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 23.2, 24.1

Oracle Big Data Spatial and Graph Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Big Data Spatial and Graph.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Big Data Spatial and Graph.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Big Data Spatial and Graph
    • Big Data Spatial (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Blockchain Platform Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Blockchain Platform.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Blockchain Platform.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Blockchain Platform
    • Blockchain Cloud Service Console (Golang Go): CVE-2024-24791 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (Python): CVE-2024-45491, CVE-2023-27043, CVE-2024-28757, CVE-2024-4030, CVE-2024-4032, CVE-2024-45490, CVE-2024-45492, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592 and CVE-2024-8088 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Blockchain Cloud Service Console (glibc): CVE-2024-33602, CVE-2024-2961, CVE-2024-33599, CVE-2024-33600 and CVE-2024-33601 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Essbase Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Essbase.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Essbase.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Essbase
    • Essbase Web Platform (curl): CVE-2024-11053 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 2 new security patches, plus additional third party patches noted below, for Oracle GoldenGate.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2023-36785 | Oracle GoldenGate | Install (Microsoft ODBC Driver) | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 21.3-21.16, 23.4-23.6
CVE-2024-47561 | Oracle GoldenGate Big Data and Application Adapters | Java Delivery (Apache Avro) | None | No | 5.9 | Local | Low | None | None | Unchanged | Low | Low | Low | 19.1.0.0.0-19.1.0.0.18, 21.3.0.0.0-21.16.0.0.0, 23.4-23.6

Additional CVEs addressed are:

  • The patch for CVE-2023-36785 also addresses CVE-2023-36730.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle GoldenGate
    • Embedded Web UI for Services (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle GoldenGate Big Data and Application Adapters
    • Application Adapters (Spring Framework): CVE-2024-38819 and CVE-2024-38820 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle GoldenGate Studio
    • General (Spring Framework): CVE-2024-22262 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle GoldenGate Veridata
    • General (Spring Framework): CVE-2024-22262 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Graph Server and Client.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for the Oracle Graph Server and Client.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Graph Server and Client
    • Install (Apache Tomcat): CVE-2024-56337, CVE-2024-50379 and CVE-2024-54677 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Install (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle REST Data Services.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2024-6763 | Oracle REST Data Services | General (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 24.2.0, 24.3.0

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle REST Data Services
    • General (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Secure Backup.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-8927 | Oracle Secure Backup | General (PHP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 18.1.0.1.0, 18.1.0.2.0, 19.1.0.0.0 | |

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle TimesTen In-Memory Database.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle TimesTen In-Memory Database.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle TimesTen In-Memory Database
    • TimesTen Install (Golang Go): CVE-2024-24790, CVE-2024-24789 and CVE-2024-24791 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle Commerce Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Commerce.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-33201 | Oracle Commerce Guided Search | Workbench (Bouncy Castle Java Library) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.3.2 | |

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 28 new security patches, plus additional third party patches noted below, for Oracle Communications Applications.  15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-37371 | Oracle Communications Billing and Revenue Management | Platform (Kerberos) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 12.0.0.4-12.0.0.8, 15.0.0.0-15.0.0.1 | |
| CVE-2024-6162 | Oracle Communications BRM - Elastic Charging Engine | Security (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.0.0.4-12.0.0.8, 15.0.0.0, 15.0.1.0 | |
| CVE-2024-47554 | Oracle Communications Service Catalog and Design | Solution Designer (Apache Commons IO) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.3, 8.1.0.1 | |
| CVE-2024-7254 | Oracle Communications Service Catalog and Design | Solution Designer (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.0.3, 8.1.0.1 | |
| CVE-2024-47554 | Oracle Communications Unified Assurance | Core (Apache Commons IO) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.4-6.0.5 | |
| CVE-2024-24786 | Oracle Communications Unified Assurance | Core (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0-6.0.5 | |
| CVE-2024-7592 | Oracle Communications Unified Assurance | Core (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0-6.0.5 | |
| CVE-2024-7254 | Oracle Communications Unified Assurance | Microservices (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0-6.0.5 | |
| CVE-2024-27309 | Oracle Communications Service Catalog and Design | Solution Designer (Apache Kafka) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 8.0.0.3, 8.1.0.1 | |
| CVE-2024-47561 | Oracle Communications Unified Assurance | Core (Apache Avro) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 6.0.4-6.0.5 | |
| CVE-2024-28849 | Oracle Communications Unified Assurance | Core (Apache Commons Configuration) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 6.0.1-6.0.5 | |
| CVE-2023-29408 | Oracle Communications Unified Assurance | Core (Golang Go) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 6.0.0-6.0.5 | |
| CVE-2025-21542 | Oracle Communications Order and Service Management | Security | HTTP | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 7.4.0, 7.4.1, 7.5.0 | |
| CVE-2024-38807 | Oracle Communications Service Catalog and Design | Solution Designer (Spring Boot) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 8.0.0.3, 8.1.0.1 | |
| CVE-2024-1442 | Oracle Communications Unified Assurance | Core (Grafana) | HTTP | No | 6.0 | Network | Low | High | None | Unchanged | High | Low | Low | 6.0.0-6.0.5 | |
| CVE-2024-35195 | Oracle Communications Offline Mediation Controller | Install (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 12.0.0.8, 15.0.0.0, 15.0.1.0 | |
| CVE-2024-35195 | Oracle Communications Unified Assurance | Core (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 6.0.0-6.0.5 | |
| CVE-2024-26308 | Oracle Communications Messaging Server | Security (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.1.0.26 | |
| CVE-2024-0232 | Oracle Communications Messaging Server | Security (SQLite) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.1.0.26 | |
| CVE-2024-47535 | Oracle Communications Service Catalog and Design | Solution Designer (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 8.0.0.3, 8.1.0.1 | |
| CVE-2025-21544 | Oracle Communications Order and Service Management | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 7.4.0, 7.4.1, 7.5.0 | |
| CVE-2024-29133 | Oracle Communications Unified Assurance | Microservices (Apache Commons Configuration) | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 6.0.0-6.0.5 | |
| CVE-2024-29025 | Oracle Communications Messaging Server | Security (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.1.0.26 | |
| CVE-2025-21554 | Oracle Communications Order and Service Management | Security | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 7.4.0, 7.4.1, 7.5.0 | |
| CVE-2024-38827 | Oracle Communications Unified Inventory Management | Security (Spring Security) | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 7.4.1, 7.4.2 | |
| CVE-2024-37891 | Oracle Communications Billing and Revenue Management | Billing Care (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 12.0.0.4-12.0.0.8, 15.0.0.0-15.0.0.1 | |
| CVE-2024-37891 | Oracle Communications Unified Assurance | Core (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 6.0.0-6.0.5 | |
| CVE-2024-47554 | Oracle Communications Convergence | Configuration (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 3.0.2.0.0, 3.0.3.0.0, 3.0.3.3.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2023-29408 also addresses CVE-2022-41727 and CVE-2023-29407.
  • The patch for CVE-2024-37371 also addresses CVE-2024-37370.
  • The patch for CVE-2024-29133 also addresses CVE-2024-29131.
  • The patch for CVE-2024-47535 also addresses CVE-2024-29025.
  • The patch for CVE-2024-7592 also addresses CVE-2024-0397, CVE-2024-4030, CVE-2024-4032, and CVE-2024-6232.
  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Communications Billing and Revenue Management
    • Billing Care (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Order and Service Management
    • Security (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Service Catalog and Design
    • Solution Designer (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Unified Inventory Management
    • Security (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle Communications Risk Matrix

This Critical Patch Update contains 85 new security patches, plus additional third party patches noted below, for Oracle Communications.  59 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-46604 | Oracle Communications Diameter Signaling Router | Patches (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.2.3.0.0 | |
| CVE-2024-45492 | Oracle Communications Network Analytics Data Director | Install/Upgrade (LibExpat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 24.1.0, 24.2.0 | |
| CVE-2024-56337 | Oracle Communications Policy Management | Configuration Management Platform (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0.0.0.0 | |
| CVE-2024-37371 | Oracle Communications Diameter Signaling Router | Automated Test Suite (Kerberos) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 9.0.0.0.0-9.0.2.0.0 | |
| CVE-2024-37371 | Oracle Communications User Data Repository | Platform (Kerberos) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 12.11, 14.0 | |
| CVE-2024-37371 | Oracle SD-WAN Edge | Internal tools (Kerberos) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 9.1.1.5-9.1.1.8 | |
| CVE-2024-3596 | Oracle Communications Cloud Native Core Console | Configuration (Kerberos) | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 24.2.1 | |
| CVE-2024-3596 | Oracle Communications Operations Monitor | Mediation Engine (pyrad) | Radius | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 5.1, 5.2 | |
| CVE-2024-53677 | Oracle Communications Policy Management | Configuration Management Platform (Apache Struts 2) | HTTP | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 15.0.0.0.0 | |
| CVE-2024-25638 | Oracle Communications Cloud Native Core Binding Support Function | Install (dnsjava) | HTTP | Yes | 8.9 | Network | High | None | None | Changed | High | High | Low | 24.2.0, 24.2.1 | |
| CVE-2024-25638 | Oracle Communications Cloud Native Core Network Repository Function | Install (dnsjava) | HTTP | Yes | 8.9 | Network | High | None | None | Changed | High | High | Low | 24.2.2 | |
| CVE-2024-25638 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (dnsjava) | HTTP | Yes | 8.9 | Network | High | None | None | Changed | High | High | Low | 24.2.0-24.2.2 | |
| CVE-2024-25638 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (dnsjava) | HTTP | Yes | 8.9 | Network | High | None | None | Changed | High | High | Low | 24.2.0, 24.2.1, 24.2.2 | |
| CVE-2024-25638 | Oracle Communications Converged Application Server | Installer (dnsjava) | HTTP | Yes | 8.9 | Network | High | None | None | Changed | High | High | Low | 8.0, 8.1 | |
| CVE-2024-7254 | Oracle Communications Cloud Native Core Policy | Policy Control Function (Google Protobuf-Java) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | High | None | 24.2.0-24.2.2 | |
| CVE-2024-38475 | Oracle SD-WAN Edge | Platform (Apache HTTP Server) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 9.1.1.5-9.1.1.9 | |
| CVE-2024-41817 | Oracle Communications Operations Monitor | Mediation Engine (ImageMagick) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 5.1, 5.2 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Automated Test Suite | ATS Framework (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0 | |
| CVE-2024-38819 | Oracle Communications Cloud Native Core Binding Support Function | Install (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 24.2.0, 24.2.1 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Binding Support Function | Install (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0, 24.2.1 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Binding Support Function | Install (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0, 24.2.1 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Console | Configuration (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.1 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Network Repository Function | Install (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.2 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Network Repository Function | Install (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.2 | |
| CVE-2024-38819 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 24.2.0-24.2.2 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Automated Test Suite (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0 | |
| CVE-2024-38819 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 24.2.0, 24.2.1, 24.2.2 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Configuration (Undertow) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0, 24.2.1, 24.2.2 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Service Communication Proxy | Signaling (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.0, 24.3.0 | |
| CVE-2024-38819 | Oracle Communications Cloud Native Core Unified Data Repository | Install (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 24.3.0, 24.2.3 | |
| CVE-2024-7885 | Oracle Communications Cloud Native Core Unified Data Repository | Install (Undertow) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.2.3 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Unified Data Repository | Install (Werkzeug) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 24.3.0, 24.2.3 | |
| CVE-2024-34750 | Oracle Communications Diameter Signaling Router | Patches (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.6.0.4.0 | |
| CVE-2024-34750 | Oracle Communications EAGLE Element Management System | Security (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 47.0.0.0.0 | |
| CVE-2023-50868 | Oracle SD-WAN Edge | Platform (BIND) | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.1.1.5-9.1.1.8 | |
| CVE-2024-34750 | Oracle SD-WAN Edge | Platform (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.1.1.0-9.1.1.8 | |
| CVE-2024-33602 | Oracle Communications Diameter Signaling Router | Automated Test Suite (glibc) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 9.0.0.0.0-9.0.2.0.0 | |
| CVE-2024-28219 | Oracle Communications Cloud Native Core Binding Support Function | Install (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 24.2.0, 24.2.1 | |
| CVE-2024-28219 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 24.2.0-24.2.2 | |
| CVE-2024-28219 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Install (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 23.4.0 | |
| CVE-2024-28219 | Oracle Communications Operations Monitor | Mediation Engine (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 5.1, 5.2 | |
| CVE-2024-49767 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Werkzeug) | HTTP | Yes | 6.5 | Adjacent Network | Low | None | None | Unchanged | None | None | High | 24.2.0, 24.3.0 | |
| CVE-2023-46218 | Oracle Communications Diameter Signaling Router | Automated Test Suite (curl) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 9.0 | |
| CVE-2024-38807 | Oracle Communications Cloud Native Core Console | Configuration (Spring Boot) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 24.2.1 | |
| CVE-2024-0450 | Oracle Communications Diameter Signaling Router | Automated Test Suite (Python) | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | 9.0.0.0.0 | |
| CVE-2024-50602 | Oracle Communications Cloud Native Core Binding Support Function | Alarms, KPI, and Measurements (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.2.0, 24.2.1 | |
| CVE-2024-5535 | Oracle Communications Cloud Native Core Console | Configuration (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.2.1 | |
| CVE-2024-6119 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Cryptography) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.3.0 | |
| CVE-2024-50602 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.2.0-24.2.2 | |
| CVE-2024-50602 | Oracle Communications Cloud Native Core Unified Data Repository | Install (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 24.3.0 | |
| CVE-2024-35195 | Oracle Communications Cloud Native Core DBTier | Configuration (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 24.1.0 | |
| CVE-2024-35195 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | ATS Framework (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 24.2.0 | |
| CVE-2024-35195 | Oracle Communications Cloud Native Core Service Communication Proxy | ATS Framework (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 24.2.0, 24.3.0 | |
| CVE-2024-35195 | Oracle Communications Cloud Native Core Unified Data Repository | Install (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 24.3.0, 24.2.2 | |
| CVE-2024-35195 | Oracle Communications Operations Monitor | Mediation Engine (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 5.1, 5.2 | |
| CVE-2024-34064 | Oracle Communications Cloud Native Core Binding Support Function | Install (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 24.2.0, 24.2.1 | |
| CVE-2023-40577 | Oracle Communications Cloud Native Core Network Function Cloud Native Environment | Configuration (Golang Go) | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 24.2.0, 24.3.0 | |
| CVE-2024-34064 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 24.2.0-24.2.2 | |
| CVE-2024-34064 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | ATS Framework (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 24.2.0, 24.2.1 | |
| CVE-2024-34064 | Oracle Communications Cloud Native Core Service Communication Proxy | ATS Framework (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 24.2.0, 24.3.0 | |
| CVE-2024-34064 | Oracle Communications Cloud Native Core Unified Data Repository | ATS Framework (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 23.4.4, 24.1.1, 24.2.2, 24.3.0 | |
| CVE-2024-34064 | Oracle Communications Operations Monitor | Mediation Engine (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 5.1, 5.2 | |
| CVE-2024-34064 | Oracle Communications User Data Repository | Platform (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.0 | |
| CVE-2024-28834 | Oracle Communications Network Analytics Data Director | Third Party (GnuTLS) | HTTPS | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 24.1.0 | |
| CVE-2023-5678 | Oracle Communications Session Border Controller | Third Party (OpenSSL) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 9.2.0, 9.3.0 | |
| CVE-2024-28834 | Oracle Communications User Data Repository | Platform (GnuTLS) | HTTPS | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 12.11, 14.0 | |
| CVE-2023-5678 | Oracle Enterprise Communications Broker | Third Party (OpenSSL) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 4.1.0, 4.2.0 | |
| CVE-2024-38827 | Oracle Communications Cloud Native Core Binding Support Function | Install (Spring Security) | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 24.2.0, 24.2.1 | |
| CVE-2024-38827 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Spring Security) | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 24.2.0-24.2.2 | |
| CVE-2024-38827 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | Signaling (Spring Security) | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 24.2.0 | |
| CVE-2024-37891 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 24.2.0-24.2.2 | |
| CVE-2024-8006 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | ATS Framework (libpcap) | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 24.2.2 | |
| CVE-2024-8006 | Oracle Communications Operations Monitor | Mediation Engine (libpcap) | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 5.1, 5.2 | |
| CVE-2024-37891 | Oracle Communications Policy Management | Configuration Management Platform (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 15.0.0.0.0 | |
| CVE-2024-37891 | Oracle Communications User Data Repository | Platform (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 12.11, 14.0, 15.0 | |
| CVE-2024-8006 | Oracle SD-WAN Edge | Internal Tools (libpcap) | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 9.1.1.5-9.1.1.8 | |
| CVE-2024-47804 | Oracle Communications Cloud Native Core Automated Test Suite | ATS Framework (Jenkins) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 24.2.0 | |
| CVE-2024-47804 | Oracle Communications Cloud Native Core Binding Support Function | Install (Jenkins) | HTTP/2 | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 24.2.0, 24.2.1 | |
| CVE-2024-49766 | Oracle Communications Cloud Native Core DBTier | Configuration (Werkzeug) | HTTP | Yes | 4.3 | Adjacent Network | Low | None | None | Unchanged | None | None | Low | 24.1.0, 24.2.0 | |
| CVE-2024-47804 | Oracle Communications Cloud Native Core Policy | Alarms, KPI, and Measurements (Jenkins) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 24.2.0-24.2.2 | |
| CVE-2024-47804 | Oracle Communications Cloud Native Core Security Edge Protection Proxy | ATS Framework (Jenkins) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 24.2.0, 24.2.1, 24.2.2 | |
| CVE-2024-47804 | Oracle Communications Cloud Native Core Service Communication Proxy | ATS Framework (Jenkins) | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 24.2.0, 24.3.0 | |
| CVE-2024-9143 | Oracle Communications Cloud Native Core Certificate Management | Configuration (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 24.2.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2024-9143 also addresses CVE-2024-5535.
  • The patch for CVE-2024-47804 also addresses CVE-2024-47803.
  • The patch for CVE-2024-28834 also addresses CVE-2023-5981.
  • The patch for CVE-2024-49766 also addresses CVE-2024-49767.
  • The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.
  • The patch for CVE-2024-28834 also addresses CVE-2024-28835.
  • The patch for CVE-2024-8006 also addresses CVE-2023-7256.
  • The patch for CVE-2023-40577 also addresses CVE-2024-24791.
  • The patch for CVE-2024-45492 also addresses CVE-2024-45490 and CVE-2024-45491.
  • The patch for CVE-2024-49767 also addresses CVE-2024-49766.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.
  • The patch for CVE-2024-38827 also addresses CVE-2024-38809.
  • The patch for CVE-2024-34064 also addresses CVE-2024-22195.
  • The patch for CVE-2024-37371 also addresses CVE-2024-37370.
  • The patch for CVE-2024-33602 also addresses CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, and CVE-2024-33601.
  • The patch for CVE-2023-46218 also addresses CVE-2023-46219.
  • The patch for CVE-2023-50868 also addresses CVE-2023-4408.
  • The patch for CVE-2024-0450 also addresses CVE-2023-6597.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38816.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Communications Cloud Native Core Binding Support Function
    • Install (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Install (Apache Tomcat): CVE-2024-34750 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core Certificate Management
    • Configuration (Kerberos): CVE-2024-3596 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core Policy
    • Alarms, KPI, and Measurements (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Alarms, KPI, and Measurements (Apache Tomcat): CVE-2024-34750 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Communications Cloud Native Core Service Communication Proxy
    • Signaling (Spring Framework): CVE-2024-38819 and CVE-2024-38820 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Diameter Signaling Router
    • Patches (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Operations Monitor
    • Mediation Engine (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications User Data Repository
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Enterprise Communications Broker
    • Web UI (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Enterprise Session Border Controller
    • Web UI (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 4 new security patches, plus additional third party patches noted below, for Oracle Construction and Engineering.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-47554 | Primavera Unifier | Document Management (Apache Commons IO) | HTTP | No | 6.8 | Network | Low | High | None | Changed | None | None | High | 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.12, 24.12.0 | |
| CVE-2025-21526 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1.0-22.12.16.0, 23.12.1.0-23.12.10.0 | |
| CVE-2025-21558 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1.0 | |
| CVE-2025-21528 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1.0-22.12.16.0, 23.12.1.0-23.12.10.0 | |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Primavera Gateway
    • Admin (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Primavera Unifier
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle E-Business Suite.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2025 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2025), My Oracle Support Note 2484000.1.

Columns Base Score through Availability give the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-21516 | Oracle Customer Care | Service Requests | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.2.5-12.2.13 | |
| CVE-2025-21506 | Oracle Project Foundation | Technology Foundation | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.2.3-12.2.13 | |
| CVE-2025-21489 | Oracle Advanced Outbound Telephony | Region Mapping | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.10 | |
| CVE-2025-21541 | Oracle Workflow | Admin Screens and Grants UI | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 12.2.3-12.2.14 | |

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Enterprise Manager.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2025 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2025 Patch Availability Document for Oracle Products, My Oracle Support Note 3056561.1.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-38819 | Enterprise Manager for MySQL Database | EM Plugin: General (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 13.5.2.0.0 |
CVE-2024-29857 | Oracle Enterprise Manager Base Platform | Agent Next Gen (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.5.0.0 |
CVE-2023-51074 | Oracle Application Testing Suite | Load Testing for Web Apps (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 13.3.0.1 |

Additional CVEs addressed are:

  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Application Testing Suite
    • Load Testing for Web Apps (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 31 new security patches, plus additional third party patches noted below, for Oracle Financial Services Applications.  24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-45492 | Oracle Financial Services Behavior Detection Platform | Platform (LibExpat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.8.1, 8.1.2.7, 8.1.2.8 |
CVE-2024-45492 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition | Platform (LibExpat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.8 |
CVE-2023-52070 | Oracle Financial Services Revenue Management and Billing | Chatbot (JFreeChart) | None | No | 8.4 | Local | Low | None | None | Unchanged | High | High | High | 2.9.0.0.0-7.0.0.0.0 |
CVE-2023-39410 | Oracle Banking Corporate Lending Process Management | Base (Apache Avro) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.4.0.0.0-14.7.0.0.0 |
CVE-2023-39410 | Oracle Banking Origination | Maintenance (Apache Avro) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-38819 | Oracle Financial Services Analytical Applications Infrastructure | Platform (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.7.8, 8.0.8.6, 8.1.2.5 |
CVE-2024-38819 | Oracle Financial Services Behavior Detection Platform | Platform (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.8.1, 8.1.2.7, 8.1.2.8 |
CVE-2023-26031 | Oracle Financial Services Compliance Studio | Reports (Apache Hadoop) | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 8.1.2.5 |
CVE-2022-34169 | Oracle Financial Services Compliance Studio | Reports (Apache Xalan-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.1.2.5 |
CVE-2024-38819 | Oracle Financial Services Compliance Studio | Reports (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.1.2.6 |
CVE-2023-39410 | Oracle Financial Services Model Management and Governance | Installer (Apache Avro) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.2.6, 8.1.2.7, 8.1.3.0 |
CVE-2024-38819 | Oracle Financial Services Model Management and Governance | Installer (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.1.3.0 |
CVE-2024-34750 | Oracle Financial Services Model Management and Governance | Installer (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.2.6, 8.1.2.7, 8.1.3.0 |
CVE-2024-38819 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition | Platform (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.8 |
CVE-2024-28219 | Oracle Banking Liquidity Management | Common (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.7.5.0.0 |
CVE-2024-28219 | Oracle Financial Services Compliance Studio | Reports (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 8.1.2.6 |
CVE-2023-44483 | Oracle Financial Services Compliance Studio | Reports (Apache Santuario XML Security For Java) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.1.2.6 |
CVE-2025-21550 | Oracle Financial Services Behavior Detection Platform | Web UI | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8.1, 8.1.2.7, 8.1.2.8 |
CVE-2023-48795 | Oracle Financial Services Compliance Studio | Reports (Apache Mina SSHD) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 8.1.2.5 |
CVE-2024-35195 | Oracle Banking Liquidity Management | Common (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 14.7.5.0.0 |
CVE-2024-35195 | Oracle Financial Services Compliance Studio | Reports (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 8.1.2.6 |
CVE-2024-34064 | Oracle Banking Corporate Lending Process Management | Base (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.4.0.0.0-14.7.0.0.0 |
CVE-2024-34064 | Oracle Banking Liquidity Management | Common (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.7.5.0.0 |
CVE-2024-34064 | Oracle Banking Origination | Maintenance (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-34064 | Oracle Financial Services Compliance Studio | Reports (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 8.1.2.6 |
CVE-2023-51074 | Oracle Financial Services Behavior Detection Platform | Platform (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.0.8.1, 8.1.2.8, 8.1.2.7 |
CVE-2023-51074 | Oracle Financial Services Compliance Studio | Reports (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.1.2.6 |
CVE-2023-33201 | Oracle Financial Services Model Management and Governance | Installer (Bouncy Castle Java Library) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.1.2.6, 8.1.2.7, 8.1.3.0 |
CVE-2023-51074 | Oracle Financial Services Regulatory Reporting | Platform (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.1.2.7, 8.1.2.8 |
CVE-2023-51074 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition | Platform (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.0.8 |
CVE-2024-38827 | Oracle Financial Services Compliance Studio | Reports (Spring Security) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 8.1.2.6 |

Additional CVEs addressed are:

  • The patch for CVE-2024-45492 also addresses CVE-2024-45490.
  • The patch for CVE-2024-45492 also addresses CVE-2024-45491.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Financial Services Analytical Applications Infrastructure
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Financial Services Behavior Detection Platform
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Financial Services Enterprise Case Management
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Financial Services Model Management and Governance
    • Installer (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Financial Services Regulatory Reporting
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
    • Platform (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 22 new security patches, plus additional third party patches noted below, for Oracle Fusion Middleware.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID 2806740.2.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-45492 | Oracle HTTP Server | Core (LibExpat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2025-21535 | Oracle WebLogic Server | Core | T3, IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2024-38475 | Oracle HTTP Server | Mod_rewrite, Core (Apache HTTP Server) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.2.1.4.0 |
CVE-2024-5535 | Oracle HTTP Server | Mod_Security (OpenSSL) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 12.2.1.4.0 |
CVE-2024-37371 | Oracle Security Service | Security Toolkit (Kerberos) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 12.2.1.4.0 |
CVE-2023-7272 | Oracle WebLogic Server | Centralized Thirdparty Jars (Eclipse Parsson) | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2024-47072 | Oracle Business Activity Monitoring | BAM (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2024-38819 | Oracle Identity Manager | Installer (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0 |
CVE-2024-34750 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2024-38819 | Oracle Middleware Common Libraries and Tools | Third Party (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0 |
CVE-2024-47554 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Commons IO) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 |
CVE-2025-21549 | Oracle WebLogic Server | Core | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.1.1.0.0 |
CVE-2024-29857 | Oracle WebLogic Server | Centralized Thirdparty Jars (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2024-47561 | Oracle Business Process Management Suite | Composer (Apache Avro) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.4.0 |
CVE-2024-8096 | Oracle HTTP Server | Mod_Security (curl) | TLS | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 12.2.1.4.0 |
CVE-2023-51775 | Oracle Middleware Common Libraries and Tools | Third Party (jose4j) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-44483 | Oracle Outside In Technology | Outside In Clean Content SDK (Apache Santuario XML Security For Java) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.5.7 |
CVE-2024-23635 | Oracle WebLogic Server | Centralized Thirdparty Jars (AntiSamy) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.1.1.0.0 |
CVE-2019-12415 | Oracle Business Process Management Suite | Runtime Engine (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 12.2.1.4.0 |
CVE-2023-49582 | Oracle HTTP Server | Core (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 12.2.1.4.0 |
CVE-2025-21498 | Oracle HTTP Server | Core | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.2.1.4.0 |
CVE-2024-47554 | Oracle WebCenter Portal | Security Framework (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-37371 also addresses CVE-2024-37370.
  • The patch for CVE-2024-29857 also addresses CVE-2024-30171, CVE-2024-30172, and CVE-2024-34447.
  • The patch for CVE-2024-5535 also addresses CVE-2024-6119.
  • The patch for CVE-2024-47561 also addresses CVE-2023-39410.
  • The patch for CVE-2024-38475 also addresses CVE-2023-38709, CVE-2024-38473, and CVE-2024-40898.
  • The patch for CVE-2024-45492 also addresses CVE-2024-45490 and CVE-2024-45491.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38816.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Coherence
    • Third Party (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Fusion Middleware MapViewer
    • Install (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle WebCenter Portal
    • Security Framework (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Analytics Risk Matrix

This Critical Patch Update contains 26 new security patches for Oracle Analytics.  21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-1000027 | Oracle BI Publisher | Development Operations (Spring Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0.0.0.0, 7.6.0.0.0 |
CVE-2023-29824 | Oracle Business Intelligence Enterprise Edition | Analytics Server (SciPy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0.0.0.0, 7.6.0.0.0 |
CVE-2021-23926 | Oracle Business Intelligence Enterprise Edition | BI Platform Security (Apache XMLBeans) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 12.2.1.4.0 |
CVE-2024-5535 | Oracle Business Intelligence Enterprise Edition | Platform Security (OpenSSL) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 |
CVE-2024-36114 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Aircompressor) | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 7.0.0.0.0, 7.6.0.0.0 |
CVE-2023-7272 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Eclipse Parsson) | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 7.0.0.0.0 |
CVE-2025-21532 | Oracle Analytics Desktop | Install | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | Prior to 8.1.0 |
CVE-2023-24998 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-33953 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Google Guava) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2020-28975 | Oracle Business Intelligence Enterprise Edition | Analytics Server (scikit-learn) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2024-7254 | Oracle Business Intelligence Enterprise Edition | Analytics Server, Map viewer (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2022-40150 | Oracle Business Intelligence Enterprise Edition | BI Platform Security (Jettison) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2020-7760 | Oracle Business Intelligence Enterprise Edition | Content Storage Service (CodeMirror) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2024-1135 | Oracle Business Intelligence Enterprise Edition | Pipeline Test Failures (Gunicorn) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 7.0.0.0.0 |
CVE-2021-33813 | Oracle Business Intelligence Enterprise Edition | Web Catalog (JDOM) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-4785 | Oracle Business Intelligence Enterprise Edition | Analytics Server (gRPC) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2024-26130 | Oracle Business Intelligence Enterprise Edition | Analytics Server (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 7.0.0.0.0 |
CVE-2024-47561 | Oracle Business Intelligence Enterprise Edition | Platform Security (Apache Avro) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0.0.0.0, 7.6.0.0.0 |
CVE-2024-29131 | Oracle Business Intelligence Enterprise Edition | Platform Security (Apache Commons Configuration) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0.0.0.0, 7.6.0.0.0 |
CVE-2024-43382 | Oracle BI Publisher | XML Services (Snowflake JDBC) | HTTP | No | 5.9 | Network | High | High | None | Unchanged | High | High | None | 7.0.0.0.0, 7.6.0.0.0 |
CVE-2024-35195 | Oracle Business Intelligence Enterprise Edition | Analytics Server (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 7.0.0.0.0 |
CVE-2023-33202 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Bouncy Castle Java Library) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 7.0.0.0.0 |
CVE-2024-34064 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Jinja) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 7.0.0.0.0 |
CVE-2020-13956 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Apache HttpClient) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 7.0.0.0.0, 12.2.1.4.0 |
CVE-2024-38809 | Oracle Business Intelligence Enterprise Edition | Analytics Server, Pipeline Test Failures, Installation (Spring Framework) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 |
CVE-2024-37891 | Oracle Business Intelligence Enterprise Edition | Analytics Server (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 7.0.0.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-43382 also addresses CVE-2024-29025 and CVE-2024-7254.
  • The patch for CVE-2024-34064 also addresses CVE-2020-2849 and CVE-2024-22195.
  • The patch for CVE-2024-26130 also addresses CVE-2023-50782 and CVE-2024-0727.
  • The patch for CVE-2024-37891 also addresses CVE-2023-43804 and CVE-2023-45803.
  • The patch for CVE-2016-1000027 also addresses CVE-2024-38820.
  • The patch for CVE-2024-5535 also addresses CVE-2024-4741.
  • The patch for CVE-2023-4785 also addresses CVE-2023-32732, CVE-2023-33953, and CVE-2023-44487.
  • The patch for CVE-2023-29824 also addresses CVE-2023-25399.
  • The patch for CVE-2023-33953 also addresses CVE-2023-2976.

 

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 2 new security patches, plus additional third party patches noted below, for Oracle Health Sciences Applications.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-21570 | Oracle Life Sciences Argus Safety | Login | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.2.3 |
CVE-2024-26308 | Oracle Life Sciences Empirica Signal | Platform (Apache Commons Compress) | None | No | 5.0 | Local | Low | Low | Required | Unchanged | None | None | High | Prior to 9.2.3 |

Additional CVEs addressed are:

  • The patch for CVE-2024-26308 also addresses CVE-2024-25710.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Life Sciences Empirica Signal
    • UI (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-21547 | Oracle Hospitality OPERA 5 | Opera Servlet | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 5.6.19.20, 5.6.25.8, 5.6.26.6, 5.6.27.1 |

 

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Hyperion.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-21569 | Oracle Hyperion Data Relationship Management | Web Services | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.2.19.0.000 |
CVE-2025-21568 | Oracle Hyperion Data Relationship Management | Access and Security | HTTP | No | 4.5 | Network | Low | High | Required | Unchanged | High | None | None | 11.2.19.0.000 |

 

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Insurance Applications.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Insurance Applications.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Documaker
    • Enterprise Edition (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Java SE Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Java SE.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews, such as identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service users can click here to log in to their dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java installations.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-0509 | Oracle Java SE | Install (Sparkle) | Multiple | No | 7.3 | Adjacent Network | High | High | Required | Changed | High | High | High | Oracle Java SE: 8u431 | See Note 1
CVE-2025-21502 | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition | Hotspot | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16, 21.3.12 | See Note 2

Notes:

  1. Only applies to the macOS autoupdater.
  2. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.


 

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 23 new security patches, plus additional third party patches noted below, for Oracle JD Edwards.  14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-21524 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics SEC | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.9.0 |
CVE-2023-3961 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (Samba) | SMB | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.9.2 |
CVE-2025-21515 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | Prior to 9.2.9.0 |
CVE-2024-27983 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (Node.js) | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | None | Low | High | Prior to 9.2.9.2 |
CVE-2023-4782 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (Terraform) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | Prior to 9.2.9.2 |
CVE-2025-21510 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 9.2.9.0 |
CVE-2025-21511 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Prior to 9.2.9.0 |
CVE-2023-2976 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics SEC (Google Guava) | None | No | 7.1 | Local | Low | Low | None | Unchanged | High | High | None | Prior to 9.2.9.0 |
CVE-2025-21552 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | Prior to 9.2.9.2 |
CVE-2025-21508 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 9.2.9.0 |
CVE-2025-21509 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 9.2.9.0 |
CVE-2023-6129 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | HTTPS | Yes | 6.5 | Network | High | None | None | Unchanged | None | Low | High | Prior to 9.2.9.0 |
CVE-2025-21527 | JD Edwards EnterpriseOne Tools | Design Tools SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.9.0 |
CVE-2024-29041 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (Express.js) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.9.2 |
CVE-2025-21512 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.9.0 |
CVE-2025-21513 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.9.0 |
CVE-2025-21538 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.9.2 |
CVE-2023-48795 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (Apache Mina SSHD) | SSH | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | Prior to 9.2.9.0 |
CVE-2024-21245 | JD Edwards EnterpriseOne Tools | Business Logic Infra SEC | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 9.2.9.0 |
CVE-2025-21507 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 9.2.9.0 |
CVE-2024-27280 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (Ruby) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Prior to 9.2.9.2 |
CVE-2025-21514 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Prior to 9.2.9.0 |
CVE-2025-21517 | JD Edwards EnterpriseOne Tools | Web Runtime SEC | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | Prior to 9.2.9.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-27280 also addresses CVE-2024-27281 and CVE-2024-27282.
  • The patch for CVE-2023-6129 also addresses CVE-2023-5678 and CVE-2024-0727.
  • The patch for CVE-2023-3961 also addresses CVE-2023-4091 and CVE-2023-42669.
  • The patch for CVE-2024-27983 also addresses CVE-2023-38552, CVE-2024-22019, and CVE-2024-22020.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • JD Edwards EnterpriseOne Orchestrator
    • E1 IOT Orchestrator Security (Quartz): CVE-2023-39017 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
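The Supported Versions Affected column across these matrices uses several notations: an exact version list (8.0.8.1, 8.1.2.7, 8.1.2.8), an inclusive range (12.2.3-12.2.13), "Prior to X" as in the JD Edwards rows, and per-series ceilings such as "8.0.40 and prior, 8.4.3 and prior" in the MySQL rows. Deciding whether an installed build falls inside a cell is where patch-triage scripts usually go wrong, because a string compare puts 9.2.10.0 before 9.2.9.0. The matcher below is an added example, not Oracle's code. It assumes, and the advisory does not state, that "X and prior" covers every release of X's major.minor series up to and including X, that "Prior to X" is strictly below X, and that A-B is inclusive at both ends; the installed versions it is run on are constructed test inputs. Confirm the reading against the Patch Availability Document for your product before acting on the result.

```python
"""Match an installed version against the 'Supported Versions Affected' notations
used in the Oracle risk matrices. Added example, not Oracle's code.

Assumptions (not stated by the advisory): 'X and prior' covers every release in
X's major.minor series up to and including X; 'Prior to X' means strictly below X;
'A-B' is inclusive on both ends; a bare version means exactly that version.
Comparison is numeric per component, so 9.2.10.0 sorts above 9.2.9.0.
"""
import re

_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple:
    """'9.2.9.0' -> (9, 2, 9, 0). Rejects forms such as '8u431' that these notations do not use."""
    text = text.strip()
    if not _NUMERIC.match(text):
        raise ValueError("unsupported version syntax: " + text)
    return tuple(int(p) for p in text.split("."))


def _padded(v: tuple, width: int) -> tuple:
    """Right-pad with zeros so 8.4 and 8.4.0 compare equal."""
    return v + (0,) * (width - len(v))


def _same_series(a: tuple, b: tuple) -> bool:
    """Two versions share a series when their first two components match (8.0.x, 8.4.x, ...)."""
    return a[:2] == b[:2]


def is_affected(installed: str, affected_cell: str) -> bool:
    """True if `installed` falls inside any comma-separated clause of an Affected cell."""
    inst = parse_version(installed)
    for clause in (c.strip() for c in affected_cell.split(",")):
        if not clause:
            continue
        lowered = clause.lower()
        if lowered.startswith("prior to "):
            bound = parse_version(clause[len("prior to "):])
            w = max(len(inst), len(bound))
            if _padded(inst, w) < _padded(bound, w):
                return True
        elif lowered.endswith(" and prior"):
            ceiling = parse_version(clause[:-len(" and prior")])
            w = max(len(inst), len(ceiling))
            if _same_series(inst, ceiling) and _padded(inst, w) <= _padded(ceiling, w):
                return True
        elif "-" in clause:
            lo_s, hi_s = clause.split("-", 1)
            lo, hi = parse_version(lo_s), parse_version(hi_s)
            w = max(len(inst), len(lo), len(hi))
            if _padded(lo, w) <= _padded(inst, w) <= _padded(hi, w):
                return True
        else:
            exact = parse_version(clause)
            w = max(len(inst), len(exact))
            if _padded(inst, w) == _padded(exact, w):
                return True
    return False


if __name__ == "__main__":
    # Cells copied from the matrices; the installed versions are constructed inputs.
    mysql_cell = "8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior"
    print(is_affected("9.2.10.0", "Prior to 9.2.9.0"))   # patched JD Edwards tools build
    print(is_affected("9.2.8.5", "Prior to 9.2.9.0"))    # unpatched
    print(is_affected("8.0.41", mysql_cell))              # first fixed 8.0 release
    print(is_affected("8.0.9", mysql_cell))               # old 8.0 build, numerically below 8.0.40
    print(is_affected("12.2.14", "12.2.3-12.2.13"))       # E-Business Suite release outside the range
```

A clause the parser does not recognise raises rather than silently returning "not affected", which is the safe failure mode for a triage script: an unparsed cell (for example the Java SE 8u431 form) should surface for a human rather than vanish from the report.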

 

Oracle MySQL Risk Matrix

This Critical Patch Update contains 39 new security patches, plus additional third party patches noted below, for Oracle MySQL.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score (CVSS 3.1, see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-11053 | MySQL Enterprise Backup | Enterprise Backup (curl) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2024-37371 | MySQL Server | Server: Packaging (Kerberos) | MySQL Protocol | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior |
CVE-2024-11053 | MySQL Server | Server: Packaging (curl) | MySQL Protocol | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21521 | MySQL Server | Server: Thread Pooling | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior |
CVE-2025-21518 | MySQL Cluster | Cluster: General | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 7.6.32 and prior, 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21500 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21501 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21518 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21566 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 9.1.0 and prior |
CVE-2025-21522 | MySQL Server | Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21548 | MySQL Connectors | Connector/Python | MySQL Protocol | No | 6.4 | Network | Low | High | Required | Unchanged | Low | High | High | 9.1.0 and prior |
CVE-2025-21497 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21555 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21559 | MySQL Server | InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21540 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior |
CVE-2025-21531 MySQL Cluster Cluster: General Multiple No 4.9 Network Low High None Un-
changed
None None High 7.6.32 and prior, 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21543 MySQL Cluster Cluster: Packaging Multiple No 4.9 Network Low High None Un-
changed
None None High 7.6.32 and prior, 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21490 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21491 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21503 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21523 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21531 MySQL Server InnoDB MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21505 MySQL Server Server: Components Services MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21499 MySQL Server Server: DDL MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21525 MySQL Server Server: DDL MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2025-21529 MySQL Server Server: Information Schema MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21492 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.36 and prior, 8.4.0  
CVE-2025-21504 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2025-21536 MySQL Server Server: Optimizer MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2025-21543 MySQL Server Server: Packaging MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21534 MySQL Server Server: Performance Schema MySQL Protocol No 4.9 Network Low High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2025-21495 MySQL Enterprise Firewall Firewall MySQL Protocol No 4.4 Network High High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21493 MySQL Server Server: Security: Privileges MySQL Protocol No 4.4 Network High High None Un-
changed
None None High 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21519 MySQL Server Server: Security: Privileges MySQL Protocol No 4.4 Network High High None Un-
changed
None None High 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21567 MySQL Server Server: Security: Privileges MySQL Protocol No 4.3 Network Low Low None Un-
changed
Low None None 9.1.0 and prior  
CVE-2025-21494 MySQL Server Server: Security: Privileges None No 4.1 Local High High None Un-
changed
None None High 8.0.39 and prior, 8.4.2 and prior, 9.0.1 and prior  
CVE-2025-21546 MySQL Server Server: Security: Privileges MySQL Protocol No 3.8 Network Low High None Un-
changed
Low Low None 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21520 MySQL Cluster Cluster: General None No 1.8 Local High High Required Un-
changed
Low None None 7.6.32 and prior, 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  
CVE-2025-21520 MySQL Server Server: Options None No 1.8 Local High High Required Un-
changed
Low None None 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior  

Additional CVEs addressed are:

  • The patch for CVE-2024-37371 also addresses CVE-2024-37370.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • MySQL Server
    • Server: Packaging (memcached): CVE-2021-37519 [VEX Justification: vulnerable_code_not_present].
  • MySQL Shell
    • Shell General / Core Client (requests): CVE-2024-35195 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 16 new security patches, plus additional third party patches noted below, for Oracle PeopleSoft.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-5535 | PeopleSoft Enterprise PeopleTools | Security, Porting, Cloud Deployment Architecture (OpenSSL) | HTTPS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 8.60, 8.61 | |
| CVE-2020-22218 | PeopleSoft Enterprise PeopleTools | File Processing (libssh2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.60, 8.61 | |
| CVE-2025-21545 | PeopleSoft Enterprise PeopleTools | OpenSearch | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.60, 8.61 | |
| CVE-2024-7592 | PeopleSoft Enterprise PeopleTools | Porting (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.60, 8.61 | |
| CVE-2024-28849 | PeopleSoft Enterprise PeopleTools | OpenSearch Dashboards (follow-redirects) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.60, 8.61 | |
| CVE-2024-22020 | PeopleSoft Enterprise PeopleTools | OpenSearch (Node.js) | None | No | 6.5 | Local | High | None | Required | Unchanged | Low | High | High | 8.60, 8.61 | |
| CVE-2024-35195 | PeopleSoft Enterprise PeopleTools | Porting (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 8.60, 8.61 | |
| CVE-2025-21537 | PeopleSoft Enterprise FIN Cash Management | Cash Management | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 | |
| CVE-2025-21539 | PeopleSoft Enterprise FIN eSettlements | eSettlements | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 | |
| CVE-2025-21561 | PeopleSoft Enterprise SCM Purchasing | Purchasing | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 | |
| CVE-2024-27280 | PeopleSoft Enterprise PeopleTools | Cloud Deployment Architecture, Logstash (Ruby) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.60, 8.61 | |
| CVE-2024-29025 | PeopleSoft Enterprise PeopleTools | OpenSearch (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.60, 8.61 | |
| CVE-2024-37891 | PeopleSoft Enterprise PeopleTools | Porting (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 8.60, 8.61 | |
| CVE-2025-21562 | PeopleSoft Enterprise CC Common Application Objects | Run Control Management | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.2 | |
| CVE-2025-21563 | PeopleSoft Enterprise CC Common Application Objects | Run Control Management | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 9.2 | |
| CVE-2025-21530 | PeopleSoft Enterprise PeopleTools | Panel Processor | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 8.60, 8.61 | |

Additional CVEs addressed are:

  • The patch for CVE-2024-27280 also addresses CVE-2024-27281 and CVE-2024-27282.
  • The patch for CVE-2020-22218 also addresses CVE-2023-48795.
  • The patch for CVE-2024-7592 also addresses CVE-2024-0397, CVE-2024-4030, CVE-2024-4032, and CVE-2024-6232.
  • The patch for CVE-2024-22020 also addresses CVE-2024-22018, CVE-2024-22019, CVE-2024-36137, CVE-2024-36138, and CVE-2024-37372.
  • The patch for CVE-2024-5535 also addresses CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, and CVE-2024-6119.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • PeopleSoft Enterprise PeopleTools
    • Charting (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Policy Automation.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Policy Automation.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Policy Automation
    • Determinations Engine (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Retail Applications.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-38819 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3.0, 19.0.1.0 | |
| CVE-2024-38819 | Oracle Retail Integration Bus | RIB Kernal (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.3.2, 15.0.3.1, 16.0.3.0, 19.0.1.0 | |

 

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Siebel CRM.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-38526 | Siebel CRM End User | EAI, UI (Oxygen XML WebHelp) | HTTP | Yes | 7.2 | Network | Low | None | None | Changed | Low | None | Low | 24.11 and prior | |
| CVE-2023-44387 | Siebel CRM End User | Open UI (Gradle) | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 24.11 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2023-44387 also addresses CVE-2019-11065, CVE-2019-15052, CVE-2019-16370, CVE-2020-11979, CVE-2021-29428, CVE-2021-29429, CVE-2021-32751, CVE-2023-35946, CVE-2023-35947, and CVE-2023-42445.

 

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Supply Chain.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-21556 | Oracle Agile PLM Framework | Agile Integration Services | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 9.3.6 | |
| CVE-2024-23807 | Oracle Agile Engineering Data Management | Core (Apache Xerces-C++) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.2.1 | |
| CVE-2025-21564 | Oracle Agile PLM Framework | Agile Integration Services | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | None | High | 9.3.6 | |
| CVE-2024-34750 | Oracle Agile Engineering Data Management | Document Management (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.2.1 | |
| CVE-2025-21565 | Oracle Agile PLM Framework | Install | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 9.3.6 | |
| CVE-2025-21560 | Oracle Agile PLM Framework | SDK-Software Development Kit | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.3.6 | |

Additional CVEs addressed are:

  • The patch for CVE-2024-34750 also addresses CVE-2024-23672 and CVE-2024-24549.

 

Oracle Systems Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Systems.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-21551 | Oracle Solaris | File system | None | No | 6.0 | Local | Low | High | None | Unchanged | None | High | High | 11 | |

 

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 6 new security patches, plus additional third party patches noted below, for Oracle Utilities Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-38819 | Oracle Utilities Testing Accelerator | Tools (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 6.0.0.1.0-6.0.0.3.0, 7.0.0.0.0-7.0.0.1.0 | |
| CVE-2024-34750 | Oracle Utilities Testing Accelerator | Tools (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.0.1.0-6.0.0.3.0, 7.0.0.0.0-7.0.0.1.0 | |
| CVE-2024-45801 | Oracle Utilities Application Framework | General (DOMPurify) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0 | |
| CVE-2024-35195 | Oracle Utilities Network Management System | Third Party (requests) | None | No | 5.6 | Local | High | High | Required | Unchanged | High | High | None | 2.5.0.1.14, 2.5.0.2.9, 2.6.0.1.5 | |
| CVE-2024-29025 | Oracle Utilities Testing Accelerator | Tools (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 6.0.0.1.0-6.0.0.3.0 | |
| CVE-2024-37891 | Oracle Utilities Network Management System | Third Party (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 2.5.0.1.15, 2.5.0.2.9, 2.6.0.1.7 | |

Additional CVEs addressed are:

  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Utilities Application Framework
    • Security (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Utilities Network Management System
    • Third Party (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Utilities Testing Accelerator
    • Tools (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Virtualization.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

| CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-21571 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | High | Low | Prior to 7.0.24, prior to 7.1.6 | |
| CVE-2025-21533 | Oracle VM VirtualBox | Core | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | Prior to 7.0.24, prior to 7.1.6 | |