Oracle Critical Patch Update Analysis – URGENT ACTION REQUIRED

April 2025


Overview

The Oracle Critical Patch Update (CPU) for Q2 2025 fixes a total of 378 vulnerabilities, a 19% increase over January’s update. The CVSS risk scores of the CVEs range from 2.7 to 9.8 across 32 product suites with most of the vulnerabilities open to remote execution without user credentials. As is customary, Oracle did not comment on how many, if any, of the CVEs are under active exploitation, but the company strongly recommended that customers apply CPU patches as soon as possible.

For a full list of CVEs and products, refer to the full Oracle CPU news release available here.

Select Products with Critical Risk flaws (CVSS score 9.0+):

There are 16 new security patches for Oracle E-Business Suite. 11 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
There are 31 new security patches for Oracle Fusion Middleware. 26 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
There are 34 new security patches for Oracle Financial Services Applications in addition to 3rd party patches also made available by Oracle. 22 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
There are 15 new security patches for Oracle Analytics. 11 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
There are 3 new security patches for Oracle Hospitality Applications. 2 of these vulnerabilities are remotely exploitable without authentication. The CVSS score is 9.8.
There are 8 new security patches for Oracle JD Edwards. 5 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.
There are 43 new security patches for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.1.
There are 3 new security patches for Oracle Supply Chain. 2 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 9.8.

Select Products with High Risk flaws (CVSS score 7.0 to 8.9):

There are 4 new security patches for Oracle PeopleSoft. 1 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 8.1.
There are 6 new security patches for Oracle Java SE in addition to 3rd party patches also made available by Oracle. 5 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 7.7.
There are 7 new security patches for Oracle Database Products. 3 of these vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 7.8.

Urgent Action Required

The latest Oracle Critical Patch Update Advisory for April 2025 reveals an increase of nearly 19% in the number of vulnerabilities compared to the January 2025 update. The advisory addresses several critical vulnerabilities requiring urgent patching, including a 300% increase in vulnerabilities for Oracle E-Business Suite and a 200% increase for Java SE.

Among these is CVE-2024-52046, a critical vulnerability with a CVSS score of 9.8, introduced by Apache MINA’s ObjectSerializationDecoder. This component insecurely performs native Java deserialization, enabling remote, unauthenticated attackers to send crafted serialized data and achieve arbitrary remote code execution (RCE). Exploitation of this vulnerability can lead to complete system compromise and facilitate lateral movement within an infrastructure.

Notably, ten Oracle products—including Oracle Communications Network Integrity, Oracle Communications Unified Assurance, Management Cloud Engine, Oracle Enterprise Manager Base Platform, Oracle Access Manager, Oracle Business Process Management Suite, Oracle Managed File Transfer, Oracle Business Intelligence Enterprise Edition, OSS Support Tools Diagnostic Assistant, and OSS Support Tools Services Bundle—were affected by this issue and have since been patched. According to Apache guidelines, upgrading to the latest versions is not enough to provide appropriate protection. Customers must also explicitly define an allow list for the classes the decoder will accept, using one of the three new accept methods provided.
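The following is an added example, not code from Oracle, Apache MINA or Waratek, showing what "explicitly define an allow list" looks like in practice: an ObjectSerializationDecoder is given a class allow list through the accept(...) method named in the Apache MINA advisory for CVE-2024-52046 before it is installed in a MINA filter chain. The message package com.example.messages, the port, and the handler body are placeholders, and the wildcard pattern syntax is assumed from the advisory rather than verified against a particular MINA release.

```java
import java.net.InetSocketAddress;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/**
 * Added example: a MINA server whose ObjectSerializationDecoder only accepts
 * classes from the application's own message package. Package name, port and
 * handler are hypothetical placeholders.
 */
public class AllowListedDecoderServer {

    // Hypothetical application package whose classes may be deserialized.
    static final String MESSAGE_PACKAGE = "com.example.messages";

    /** Builds a decoder that rejects every class outside MESSAGE_PACKAGE. */
    static ObjectSerializationDecoder buildDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // Bound the size of one serialized object (long-standing MINA setting)
        // so an oversized payload is rejected before it can exhaust memory.
        decoder.setMaxObjectSize(64 * 1024);

        // Allow list. Per the Apache advisory a patched decoder with no
        // accept(...) call accepts nothing; a broad wildcard such as "*" would
        // restore the pre-fix behaviour, so keep the pattern as narrow as the
        // application's wire format allows.
        decoder.accept(MESSAGE_PACKAGE + ".*");

        return decoder;
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();

        // Encoder is unchanged; only the decoding side needs the allow list.
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new ObjectSerializationEncoder(), buildDecoder()));

        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of allow-listed classes ever reach this point.
                System.out.println("received " + message.getClass().getName());
            }
        });

        acceptor.bind(new InetSocketAddress(9000)); // placeholder port
    }
}
```

As defence in depth, a JVM-wide serialization filter (JEP 290, for example -Djdk.serialFilter=com.example.messages.*;!* on the command line) applies to every ObjectInputStream in the process, including the one MINA creates, and catches a decoder that was upgraded but never given an allow list.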

In addition, another Java deserialization vulnerability, CVE-2024-47561, exists in Apache Avro, allowing remote code execution in Oracle SOA Suite and Oracle Business Process Management Suite when attackers exploit the special “java-class” attribute.

Waratek Secure customers remain inherently protected against the Java deserialization vulnerabilities by default via an off-the-shelf deserialization rule that requires no further configuration, patching, or manual allow-listing of classes.

CVE-2024-50379 is a critical Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Apache Tomcat that can lead to remote code execution (RCE). This vulnerability manifests during JSP compilation on case-insensitive file systems when the default servlet is configured with write permissions. An attacker can exploit this condition to upload a file that is interpreted and executed as a JSP.
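The precondition the text describes, "the default servlet is configured with write permissions", corresponds to the readonly init-param of Tomcat's DefaultServlet. The fragment below is an added example (not from Oracle, Apache Tomcat or Waratek) of the DefaultServlet declaration in Tomcat's conf/web.xml, with the weak setting commented out beside the hardened one; the other parameters shown are the stock Tomcat defaults.

```xml
<!-- Added example: DefaultServlet declaration from Tomcat's conf/web.xml.
     "readonly" = false allows HTTP PUT/DELETE to write into the web application,
     which is the write permission CVE-2024-50379 depends on. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>

    <!-- Weak setting (shown commented out): enables write access through the
         default servlet.
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    -->

    <!-- Hardened setting: keep the default servlet read-only. This is also
         Tomcat's behaviour when the parameter is omitted entirely. -->
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>

    <load-on-startup>1</load-on-startup>
</servlet>
```

When triaging the products listed for this CVE, search both conf/web.xml and each application's WEB-INF/web.xml for a readonly value of false: only deployments with that setting on a case-insensitive file system (Windows, default macOS) meet the conditions described above, but the version upgrade is still the fix, since the parameter can be re-enabled later.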

At least five Oracle products incorporate vulnerable versions of Tomcat: Oracle Management Cloud Engine, Oracle Communications Cloud Native Core Network Data Analytics Function, Oracle Financial Services Model Management and Governance, Oracle Managed File Transfer, and Oracle Agile Engineering Data Management.

Waratek Secure customers are protected by default against this vulnerability through built-in path traversal and command execution security rules, requiring no additional configuration or patching.

Java SE has addressed CVE-2025-21587, which mitigates the Marvin Attack—a novel side-channel attack on RSA cryptographic implementations that depend on the RSAES-PKCS1-v1_5 padding. Error leakage in the implementation allows attackers to decrypt captured ciphertext by monitoring server response times to specially crafted messages and potentially to forge signatures with the same key used for decryption.

For More Information

Waratek Customers should contact customersuccess@waratek.com for more specific information about how the April 2025 Oracle Critical Patch Update may impact your applications.

If you are interested in how Waratek can help patch and protect your applications with no downtime or source code changes, please contact sales@waratek.com.


ABOUT WARATEK


Waratek offers a Java security platform that helps businesses protect applications from known and unknown threats using advanced Software Defined Runtime Application Self-Protection (RASP) capabilities that enable real-time defense and remediation without requiring application code changes. Waratek specializes in defending against zero-day threats that often evade traditional signature-based detection methods, and remediating known vulnerabilities with no app downtime required. Its unique ability to intercept and neutralize malicious behaviors—such as unauthorized file access, code injection attempts, and insecure deserialization—has made Waratek a trusted partner for organizations in industries like finance, healthcare, and technology. Waratek has offices in Dublin, Ireland and Chicago, Illinois.
