Analysis Summary

Oracle's January 2025 Critical Patch Update (CPU) addresses 318 newly identified security vulnerabilities across its product suite, underscoring the importance of applying these updates to prevent potential exploitation. Among the most severe is CVE-2025-21556, a critical flaw in the Oracle Agile Product Lifecycle Management (PLM) Framework with a CVSS score of 9.9. This vulnerability allows attackers with low privileges and network access via HTTP to compromise susceptible instances. Oracle also highlighted CVE-2024-21287, an older flaw in the same framework actively exploited in November 2024, which emphasizes the importance of deploying this update to address both issues comprehensively.

According to the Researcher, additional critical vulnerabilities patched include CVE-2025-21524 and CVE-2024-56337, which target JD Edwards EnterpriseOne Tools and Oracle Communications Policy Management, respectively. Flaws in the Apache Xerces C++ XML parser, Apache ActiveMQ, and Apache Tomcat server also received attention, reflecting Oracle's focus on securing widely used open-source components in its products. Notably, CVE-2025-21535, a critical issue in Oracle WebLogic Server with similarities to the previously exploited CVE-2020-2883, highlights the persistent risks tied to vulnerabilities in this platform.

Furthermore, Oracle addressed CVE-2024-37371, a critical Kerberos 5 flaw in its Communications Billing and Revenue Management system. This vulnerability could lead to invalid memory reads via malformed message tokens further illustrating the range of products affected by this CPU. In addition, vulnerabilities in Oracle BI Publisher, Oracle Agile Engineering Data Management, and Oracle Business Intelligence Enterprise Edition, among others, demonstrate the extensive scope of the update covering both proprietary and integrated third-party software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog reinforcing the urgency of these updates. Oracle's vice president of Security Assurance, Eric Maurice, strongly advised customers to apply the patches immediately, particularly for the Agile PLM Framework and WebLogic Server. By addressing these flaws, users can mitigate risks of exploitation, safeguard sensitive systems, and maintain operational resilience against emerging threats.

Impact

• Privilege Escalation
• Code Execution
• Gain Access

Affected Vendors

Remediation

• Ensure all Oracle products are updated with the latest patches to address 318 vulnerabilities, including critical flaws in Oracle Agile PLM Framework, WebLogic Server, and others.
• Focus on remediating CVE-2025-21556 (Agile PLM Framework, CVSS 9.9), CVE-2025-21535 (WebLogic Server, CVSS 9.8), and other critical vulnerabilities such as CVE-2024-37371 (Kerberos 5 flaw in Communications Billing and Revenue Management).
• Address vulnerabilities in integrated open-source libraries such as Apache Xerces C++, Apache ActiveMQ, Apache Tomcat, and Spring Framework.
• Be aware of active exploitation attempts, particularly for CVE-2024-21287 (Agile PLM Framework, CVSS 7.5) and CVE-2020-2883 (WebLogic Server, CVSS 9.8), and ensure these are patched immediately.
• Enhance network monitoring to detect suspicious activity exploiting these vulnerabilities, especially in publicly accessible systems.
• Regularly consult CISA’s KEV catalog to track actively exploited Oracle vulnerabilities and ensure timely remediation.
• Identify Oracle products reliant on vulnerable third-party components and verify that patches are applied to mitigate associated risks.
• Perform comprehensive system audits post-patch deployment to confirm successful remediation and detect any lingering vulnerabilities.
• Consult Oracle’s security advisories and support channels for further guidance on applying patches and mitigating risks effectively.