Oracle’s April 2025 Critical Patch Update Addresses 378 Security Vulnerabilities

Oracle has released its April 2025 Critical Patch Update (CPU), addressing 378 new security vulnerabilities across its extensive product portfolio. This quarterly update includes patches for numerous high-risk flaws, many of which can be exploited remotely without authentication.

Vulnerability Overview

The April 2025 CPU encompasses a total of 378 vulnerabilities, with 255 identified as remotely exploitable without authentication. Among these, 40 vulnerabilities have been classified as critical, possessing a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher. Notably, 30 vulnerabilities have been assigned a CVSS score of 9.8, indicating a very high severity level. Additionally, 162 vulnerabilities are rated as high severity, with CVSS scores of 7.0 or above.

Critical Vulnerabilities Across Multiple Products

This update impacts a wide range of Oracle products and services, including Oracle Database Server, Java SE, MySQL, Fusion Middleware, E-Business Suite, and Communications products. Some of the most concerning vulnerabilities affect Oracle’s core enterprise products, which are widely deployed globally.

Oracle Database Server

Versions 19.3-19.26, 21.3-21.17, and 23.4-23.7 of Oracle Database Server have received patches for multiple security issues. These updates are crucial for maintaining the integrity and security of database systems, which are often central to organizational operations.

Java SE

Java SE, one of Oracle’s most widely distributed technologies, has been updated to address vulnerabilities in versions 8u441, 11.0.26, 17.0.14, 21.0.6, and 24. Given Java’s extensive use in various applications and systems, these patches are vital for preventing potential exploits that could impact millions of systems worldwide.

Notable Vulnerabilities

Several critical vulnerabilities addressed in this update include:

– CVE-2025-24813: A vulnerability in Oracle Commerce’s Guided Search component, with a CVSS score of 9.8, allowing remote code execution via Apache Tomcat without authentication.

– CVE-2025-21535: A flaw in WebLogic Server’s Core component, also with a CVSS score of 9.8, enabling remote code execution through T3 and IIOP protocols without authentication.

– CVE-2024-45492: A critical issue in Oracle HTTP Server’s LibExpat component, with a CVSS score of 9.8, permitting remote code execution via HTTP without authentication.

– CVE-2025-30736: A vulnerability in Oracle Database’s Java VM, rated as high severity, allowing remote database compromise without authentication.

– Multiple Communications Applications: Various high-severity vulnerabilities affecting core telecom infrastructure components, exploitable remotely without authentication.

Remote Exploitation Concerns

A significant aspect of this update is the high number of vulnerabilities that can be exploited remotely without requiring user credentials. Oracle has emphasized the importance of timely patching, noting that attackers have previously succeeded in compromising systems where available patches were not applied. The company strongly recommends that customers remain on actively supported versions and apply Critical Patch Update security patches without delay.

Security Community Contributions

The vulnerabilities addressed in this update were reported by numerous security researchers and organizations, including Google, Amazon AWS Security, Alibaba, Tsinghua University, and various independent security experts. Oracle acknowledges these contributions, which play a vital role in enhancing the security of its products.

CVSS Scoring and Prioritization

Oracle utilizes the Common Vulnerability Scoring System (CVSS) version 3.1 to assess the severity of each vulnerability. This standardized approach aids organizations in prioritizing which patches to implement first based on potential impact and exploitability.

Affected Products and Recommendations

The April 2025 CPU spans Oracle’s entire product ecosystem. Major affected products include:

– MySQL Server: Versions 8.0.0-8.0.41, 8.4.0-8.4.4, and 9.0.0-9.2.0.

– Oracle WebLogic Server: Versions 12.2.1.4.0 and 14.1.1.0.0.

– Oracle Communications Products: Multiple versions.

– Oracle Financial Services Applications: Various versions.

– Oracle Retail Applications: Various versions.

– Oracle E-Business Suite: Versions 12.2.3-12.2.14.

– PeopleSoft Enterprise Products: Various versions.

Oracle emphasizes that patches are only provided for product versions under the Premier Support or Extended Support phases of the Lifetime Support Policy. Organizations using older versions are advised to upgrade to supported versions to receive security updates.
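A practical first step after a CPU is released is to compare an inventory against the published affected-version ranges. The following is an added example (not Oracle's tooling or code from the article) that encodes the ranges listed above for four of the products and checks a constructed inventory against them. Ranges are inclusive at both ends, so a host sitting at the top of a range (for example MySQL 8.0.41) is reported as affected: that is the version the April update patches, not one that already contains it. The hostnames and versions in the sample inventory are constructed; version suffixes such as a distribution build tag after a hyphen are stripped before comparison, and Oracle-style five-component versions are padded so that "19.26.0.0.0" matches the range written as "19.26".

```python
# Affected version ranges exactly as listed in the April 2025 CPU summary
# above (inclusive at both ends; a pair of equal values is a single version).
AFFECTED = {
    "Oracle Database Server": [("19.3", "19.26"), ("21.3", "21.17"), ("23.4", "23.7")],
    "MySQL Server": [("8.0.0", "8.0.41"), ("8.4.0", "8.4.4"), ("9.0.0", "9.2.0")],
    "Oracle WebLogic Server": [("12.2.1.4.0", "12.2.1.4.0"), ("14.1.1.0.0", "14.1.1.0.0")],
    "Oracle E-Business Suite": [("12.2.3", "12.2.14")],
}

_WIDTH = 5  # Oracle product versions use at most five numeric components


def parse_version(text):
    """Turn '19.26', '12.2.1.4.0' or '8.0.41-0ubuntu0.22.04.1' into a
    fixed-width tuple of ints so that versions of differing length compare
    correctly. Anything after '-' or '+' is treated as a build suffix."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > _WIDTH:
        raise ValueError("unsupported version string: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (_WIDTH - len(nums))


def version_in_range(version, low, high):
    """Inclusive range test on parsed versions."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_ranges(product, version):
    """Return the listed ranges that contain `version` (empty if none)."""
    return [(lo, hi) for lo, hi in AFFECTED.get(product, [])
            if version_in_range(version, lo, hi)]


def check_inventory(inventory):
    """inventory: iterable of (host, product, version).
    Returns (host, product, version, 'low-high') for every affected entry.
    Products absent from AFFECTED are skipped, so an empty result only means
    'not affected' for products this table covers."""
    hits = []
    for host, product, version in inventory:
        for lo, hi in affected_ranges(product, version):
            hits.append((host, product, version, f"{lo}-{hi}"))
    return hits


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("db-01.example", "Oracle Database Server", "19.26.0.0.0"),
    ("db-02.example", "Oracle Database Server", "19.27.0.0.0"),
    ("mysql-01.example", "MySQL Server", "8.0.41-0ubuntu0.22.04.1"),
    ("mysql-02.example", "MySQL Server", "8.4.5"),
    ("wls-01.example", "Oracle WebLogic Server", "12.2.1.4.0"),
    ("ebs-01.example", "Oracle E-Business Suite", "12.2.15"),
    ("app-01.example", "Some Other Product", "1.0"),
]

if __name__ == "__main__":
    for host, product, version, rng in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:18} {product:24} {version:24} in affected range {rng}")
```

Because the table only covers the products quoted above, a clean result from this check is not a clean bill of health; the full advisory lists many more products, and versions outside Premier or Extended Support receive no patch at all, so an unsupported version that falls below a listed range is a reason to upgrade rather than a reason to relax.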

Conclusion

The April 2025 Critical Patch Update from Oracle addresses a substantial number of vulnerabilities across a wide range of products. Given the severity and potential for remote exploitation of many of these flaws, it is imperative for organizations to apply these patches promptly. Maintaining up-to-date systems is crucial in safeguarding against potential security threats and ensuring the integrity of organizational data and operations.