Oracle released its first quarterly edition of this year’s Critical Patch Update, which received patches for 318 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 85 constituting about 27% of the total patches released. Oracle MySQL and Oracle Financial Services Applications followed, with 39 and 31 security patches.
230 of the 318 security patches provided by the January Critical Patch Update (about 72%) are for non-Oracle CVEs, such as open-source components included and exploitable in the context of their Oracle product distributions.
This batch of security patches received 10 updates for Oracle Database products. The following is the product-wise distribution:
- Five new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.5.
- None of these updates apply to client-only deployments of the Oracle Database.
- One new security update for Oracle Application Express with a maximum reported CVSS Base Score of 5.4.
- Two new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.8.
- One new security update for Oracle REST Data Services with a maximum reported CVSS Base Score of 5.3.
- One new security update for Oracle Secure Backup with a maximum reported CVSS Base Score of 7.5.
In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Application Express, Oracle GoldenGate, Oracle REST Data Services, Oracle Secure Backup, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.
Notable Oracle Vulnerabilities Patched
Oracle Communications
This Critical Patch Update for Oracle Communications received 85 security patches. Out of these, 59 vulnerabilities can be exploited over a network without user credentials.
CVE-2023-46604, CVE-2024-45492, CVE-2024-56337, CVE-2024-37371, CVE-2024-3596, and CVE-2024-53677 in different Oracle Communications products have critical severity ratings. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle MySQL
This Critical Patch Update for Oracle MySQL received 39 security patches. Four vulnerabilities can be exploited over a network without user credentials.
CVE-2024-11053 and CVE-2024-37371 in different Oracle MySQL products have critical severity ratings with a CVSS score of 9.1. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle Financial Services Applications
This Critical Patch Update for Oracle Financial Services Applications received 31 security patches. Out of these, 24 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-45492 in Oracle Financial Services Behavior Detection Platform and Oracle Financial Services Trade-Based Anti-Money Laundering Enterprise Edition has a critical severity rating with a CVSS score of 9.8. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle Communications Applications
This Critical Patch Update for Oracle Communications Applications received 28 security patches. Out of these, 15 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-37371 in Oracle Communications Billing and Revenue Management has a critical severity rating with a CVSS score of 9.1. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle Analytics
This Critical Patch Update for Oracle Analytics received 26 security patches. Out of these, 21 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-5535, CVE-2021-23926, CVE-2023-29824, CVE-2016-1000027 in different products of Oracle Analytics have critical severity ratings. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle JD Edwards
This Critical Patch Update for Oracle JD Edwards received 23 security patches. Out of these, 14 vulnerabilities can be exploited over a network without user credentials.
CVE-2023-3961 and CVE-2025-21524 in the JD Edwards EnterpriseOne Tools have critical severity ratings with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Oracle Fusion Middleware
This Critical Patch Update for Oracle Enterprise Manager received 22 security patches. Out of these, 18 vulnerabilities can be exploited over a network without user credentials.
CVE-2024-45492, CVE-2025-21535, CVE-2024-38475, CVE-2024-5535, CVE-2024-37371, and CVE-2024-53677 in the different products of Oracle Fusion Middleware have critical severity ratings. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all your impacted hosts by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid: 382698 or qid: 382697 or qid: 87568 or qid: 20465 or qid: 20463 or qid: 20462 or qid: 20461 or qid: 20460 or qid: 20459 or qid: 20458 or qid: 296121 or qid: 382700 )
Rapid Response with Patch Management (PM)
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Oracle Critical Patch Update:
( qid: 382698 or qid: 382697 or qid: 87568 or qid: 20465 or qid: 20463 or qid: 20462 or qid: 20461 or qid: 20460 or qid: 20459 or qid: 20458 or qid: 296121 or qid: 382700 )
Visit the Oracle Critical Patch Update January 2025 (CPUJAN2025) page to describe each vulnerability and the systems it affects.
Customers can scan their network with QIDs 382700, 382698, 382697, 87568, 20467, 20466, 20465, 20464, 20463, 20462, 20461, 20459, 20458, and 296121 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://www.oracle.com/security-alerts/cpujan2025.html
