Overview
This Oracle Critical Patch Update (CPU) for Q1 2025 fixes a total of 318 vulnerabilities across more than two dozen product suites. The CVSS scores of the CVEs range from 1.8 to 9.9, and most of the vulnerabilities are remotely exploitable without authentication. As is customary, Oracle did not comment on how many, if any, of the CVEs are under active exploitation, but the company strongly recommended that customers apply Critical Patch Update patches as soon as possible.
Patches for 33 Oracle product suites are included in today’s Critical Patch Update. For a full list of CVEs and products, refer to the full Oracle CPU news release available here.
Select Products with Critical Risk flaws (CVSS score 9.0+):
● There are 22 new security patches for Oracle Fusion Middleware. 18 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
● There are 31 new security patches for Oracle Financial Services Applications. 24 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
● There are 26 new security patches for Oracle Analytics. 21 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
● There is 1 new security patch for Oracle Hospitality Applications. This vulnerability is remotely exploitable without authentication. The CVSS score is 9.1.
● There are 23 new security patches for Oracle JD Edwards. 14 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
● There are 39 new security patches for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.1.
● There are 16 new security patches for Oracle PeopleSoft. 6 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.1.
● There are 6 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.9.
Select Products with High Risk flaws (CVSS score 7.0 – 8.9):
● There are 4 new security patches for Oracle E-Business Suite. 1 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 8.1.
● There are 10 new security patches for Oracle Database Products. 5 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 7.8.
Potential Impacts for Waratek Customers
The January 2025 Critical Patch Update from Oracle implements JEP 486, permanently disabling the Java Security Manager in Java SE. The Security Manager is no longer usable, either at startup or dynamically, and Oracle has no plans to replace its functionality.
For years, the Security Manager saw little use in real-world applications. While some developers leveraged it to intercept calls to the Java Platform API—e.g., blocking System::exit—its effectiveness against malicious code was limited. Oracle evaluated alternatives for API interception but found the use cases too diverse to support within the JDK. Instead, Oracle suggests that interception needs can be addressed through external approaches like source code modification or agent-based bytecode rewriting.
This change highlights the value of Runtime Application Self-Protection (RASP) solutions, most of which are based on instrumentation agents to harden the runtime environment and dynamically monitor and secure code execution against attacks in real time at the bytecode level.
Notes on Select CVEs
CVE-2023-7272 (Oracle WebLogic Server)
CVSS Base Score: 8.6
A flaw was found in Eclipse Parsson. A document containing a large depth of nested objects may allow an attacker to cause a Java stack overflow exception, potentially leading to a denial of service. Waratek can provide a virtual patch for this CVE.
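The nesting-depth problem described above is generic to recursive-descent parsers: each nested object or array adds a stack frame, so an attacker-controlled document can exhaust the thread stack before the parser ever produces a result. A cheap mitigation is to bound the nesting depth before the document reaches the parser. The following pre-parse guard is an added example (not Waratek's code and not the Parsson fix itself); the class name `JsonDepthGuard` and the limit of 64 are assumptions chosen for illustration.

```java
/** Pre-parse guard: rejects JSON whose object/array nesting exceeds a configured limit. */
public final class JsonDepthGuard {
    private final int maxDepth;

    public JsonDepthGuard(int maxDepth) {
        this.maxDepth = maxDepth;
    }

    /**
     * Returns the deepest nesting level found, or -1 as soon as the limit is exceeded
     * (scanning stops early, so a huge hostile document costs at most maxDepth+1 brackets).
     * Brackets inside string literals are ignored, including escaped quotes.
     */
    public int measureDepth(String json) {
        int depth = 0, deepest = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;            // skip the escaped character (e.g. \")
                else if (c == '"') inString = false;
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth) return -1;
                    deepest = Math.max(deepest, depth);
                    break;
                case '}': case ']':
                    depth--; break;
                default: break;
            }
        }
        return deepest;
    }

    public boolean isSafe(String json) {
        return measureDepth(json) >= 0;
    }

    public static void main(String[] args) {
        JsonDepthGuard guard = new JsonDepthGuard(64);
        // Constructed sample inputs: a benign document (depth 3) and a deeply nested one.
        String benign = "{\"user\":{\"roles\":[\"admin\",\"[literal-bracket]\"]}}";
        StringBuilder nested = new StringBuilder();
        for (int i = 0; i < 10_000; i++) nested.append('[');
        System.out.println("benign depth  = " + guard.measureDepth(benign));   // 3
        System.out.println("nested safe   = " + guard.isSafe(nested.toString())); // false
    }
}
```

The guard only bounds nesting; it does not validate JSON syntax or limit document size, so it belongs in front of the real parser rather than in place of it.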
CVE-2024-47072 (Oracle Business Activity Monitoring)
CVSS Base Score: 7.5
The BAM component is based on XStream, a library that serializes Java objects to XML and deserializes them back. XStream is vulnerable to a Denial of Service attack due to a stack overflow triggered by a manipulated binary input stream. Waratek can provide a virtual patch for this CVE.
CVE-2024-38819 (Oracle Identity Manager & Oracle Middleware Common Libraries and Tools)
CVSS Base Score: 7.5
This flaw enables attackers to craft malicious HTTP requests and perform path traversal attacks that allow unauthorized access to arbitrary files on the server. Exploiting this flaw could expose sensitive information such as application configuration files, authentication credentials, or environment secrets, potentially compromising the entire system. Moreover, if the application process has elevated privileges, an attacker could access system files or even gain further control over the server. Waratek Secure customers with the Path Traversal rule enabled are already protected by default.
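The application-level check behind a path traversal rule is to canonicalize the request-supplied path and refuse anything that resolves outside the directory the application is allowed to serve. The following is an added example (not Waratek's code and not the patched Oracle component); the class name `ConfinedFileReader` is an assumption, and it assumes the servlet container has already URL-decoded the request path.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Confines file access to a base directory, rejecting "../" escapes and absolute paths. */
public final class ConfinedFileReader {
    private final Path base;

    public ConfinedFileReader(Path baseDir) throws IOException {
        this.base = baseDir.toRealPath();  // canonical form: symlinks and ".." resolved
    }

    /** Resolves a request-supplied path, or throws if it escapes the base directory. */
    public Path resolveSafely(String requested) throws IOException {
        // resolve() returns an absolute argument unchanged, so "/etc/passwd" fails the
        // startsWith check below just like "../../etc/passwd" does after normalize().
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + requested);
        }
        // Second check after following symlinks: a link inside base may point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes base directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary base directory holding one legitimate file.
        Path tmp = Files.createTempDirectory("confined");
        Files.writeString(tmp.resolve("report.txt"), "ok");
        ConfinedFileReader reader = new ConfinedFileReader(tmp);
        System.out.println("allowed: " + reader.resolveSafely("report.txt"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "docs/../../x"}) {
            try {
                reader.resolveSafely(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```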
CVE-2024-34750 (Oracle Managed File Transfer and Apache Tomcat)
CVSS Base Score: 7.5
When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscount of active HTTP/2 streams, which in turn caused an incorrect infinite timeout to be applied, so connections that should have been closed remained open. Waratek can provide a virtual patch for this CVE.
CVE-2024-47554 (Oracle WebLogic Server)
CVSS Base Score: 7.5
A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed. Waratek can provide a virtual patch for this CVE.
CVE-2024-29857 (Oracle WebLogic Server)
CVSS Base Score: 7.5
A vulnerability was found in Bouncy Castle. The issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java). Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. Waratek can provide a virtual patch for this CVE.
For More Information
Waratek customers should contact customersuccess@waratek.com for more specific information about how the January 2025 Oracle Critical Patch Update may impact their applications.
If you are interested in how Waratek can help patch and protect your applications with no downtime or source code changes, please contact sales@waratek.com.
ABOUT WARATEK
Waratek offers a Java security platform that helps businesses protect applications from known and unknown threats using advanced Software Defined Runtime Application Self-Protection (RASP) capabilities that enable real-time defense and remediation without requiring application code changes. Waratek specializes in defending against zero-day threats that often evade traditional signature-based detection methods, and remediating known vulnerabilities with no app downtime required. Its unique ability to intercept and neutralize malicious behaviors—such as unauthorized file access, code injection attempts, and insecure deserialization—has made Waratek a trusted partner for organizations in industries like finance, healthcare, and technology. Waratek has offices in Dublin, Ireland and Chicago, Illinois.