Oracle’s April Security Update: Patches to Fix Critical Software Vulnerabilities

Listen to this Post

Introduction

Oracle has once again made headlines in the cybersecurity landscape with its April 2025 Critical Patch Update (CPU), unveiling a substantial 378 new security patches. These patches target a wide array of Oracle’s vast software ecosystem, addressing vulnerabilities that could pose serious risks to enterprises across industries. From database systems to cloud infrastructure, the update is not just routine maintenance—it’s a crucial security measure for any organization relying on Oracle products.

This update arrives at a time when cyber threats are increasingly sophisticated and frequently exploit unpatched vulnerabilities. By targeting both Oracle’s native code and third-party libraries integrated into its platforms, this release underscores Oracle’s proactive approach to cybersecurity. The company’s recommendation is clear: apply the patches without delay to prevent exploitation of these vulnerabilities, many of which can be exploited remotely without authentication.

Let’s dive into the main points of the update, what it covers, the severity of the vulnerabilities, and the broader implications for enterprise security.

Oracle April 2025 CPU: Key Highlights in

  • Released on April 15, 2025, the Critical Patch Update includes 378 new security fixes.

– Patches address vulnerabilities in

  • Oracle urges all users to apply updates immediately to avoid exposure to known exploits.
  • The update affects major Oracle product families including:

– Oracle Database, MySQL, NoSQL

– Fusion Middleware, Oracle Enterprise Manager

– E-Business Suite, JD Edwards, PeopleSoft, Siebel CRM

– Oracle Communications, Java SE, GraalVM

– Cloud, Retail, and Virtualization platforms

  • The Common Vulnerability Scoring System (CVSS) v3.1 is used to rank the risk level.

– Many vulnerabilities are remotely exploitable without authentication.

  • In Oracle Communications alone, 82 out of 103 flaws can be exploited over the network.
  • High-risk components include Apache Tomcat, OpenSSL, Apache Mina, and Spring Framework.
  • Several vulnerabilities affect both HTTP and secure protocols like HTTPS/TLS.
  • Risks extend to third-party libraries such as Apache Commons IO, libxml2, and Jetty.
  • Oracle now provides VEX (Vulnerability Exploitability eXchange) justifications for context.
  • Patches are only provided for systems under Premier or Extended Support.
  • Users running unsupported versions must upgrade or face unpatched security holes.
  • While workarounds exist (e.g., disabling protocols), they’re temporary and not replacements.

– Critical vulnerabilities include:

– CVE-2024-52046 (Apache Mina) — CVSS 9.8

– CVE-2024-56337 (Apache Tomcat) — CVSS 9.8

– CVE-2025-30727 (Oracle Scripting) — CVSS 9.8

  • Example: CVE-2024-11053 affects curl over HTTP/TLS — CVSS 9.1
  • Oracle Database Server receives 7 new patches, including unauthenticated RCE risks.
  • MySQL sees 43 new patches, several affecting the core server.

– Java

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image