Oracle January 2025 Critical Patch Update Addresses 186 CVEs
Oracle addresses 186 CVEs in its first quarterly update of 2025 with 318 patches, including 30 critical updates.
Background
On January 21, Oracle released its Critical Patch Update (CPU) for January 2025, the first quarterly update of the year. This CPU contains fixes for 186 CVEs in 318 security updates across 27 Oracle product families. Out of the 318 security updates published this quarter, 9.4% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 56.6%, followed by high severity patches at 32.4%.
This quarter’s update includes 30 critical patches across 18 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 30 | 18 |
| High | 103 | 55 |
| Medium | 180 | 109 |
| Low | 5 | 4 |
| Total | 318 | 186 |
Analysis
This quarter, the Oracle REST Data Services product family contained the highest number of patches at 85, accounting for 26.7% of the total patches, followed by Oracle Health Sciences Applications at 39 patches, which accounted for 12.3% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle REST Data Services | 85 | 59 |
| Oracle Health Sciences Applications | 39 | 4 |
| Oracle Communications Applications | 31 | 24 |
| Oracle Graph Server and Client | 28 | 15 |
| Oracle Construction and Engineering | 26 | 21 |
| Oracle Analytics | 23 | 14 |
| Oracle Communications | 22 | 18 |
| Oracle Hospitality Applications | 16 | 6 |
| Oracle Java SE | 6 | 3 |
| Oracle MySQL | 6 | 4 |
| Oracle Database Server | 5 | 2 |
| Oracle Secure Backup | 4 | 1 |
| Oracle TimesTen In-Memory Database | 4 | 1 |
| Oracle Commerce | 3 | 3 |
| Oracle Big Data Spatial and Graph | 2 | 0 |
| Oracle E-Business Suite | 2 | 1 |
| Oracle Financial Services Applications | 2 | 0 |
| Oracle Fusion Middleware | 2 | 1 |
| Oracle Hyperion | 2 | 2 |
| Oracle Insurance Applications | 2 | 1 |
| Oracle PeopleSoft | 2 | 0 |
| Oracle Application Express | 1 | 0 |
| Oracle Blockchain Platform | 1 | 1 |
| Oracle Essbase | 1 | 1 |
| Oracle GoldenGate | 1 | 1 |
| Oracle Enterprise Manager | 1 | 1 |
| Oracle JD Edwards | 1 | 0 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2025 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - January 2025
- Oracle January 2025 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Scott Caveza
Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of the Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is currently a member of the Security Response team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification.
Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.
Related articles
New Cybersecurity Executive Order: What It Means for Federal Agencies
The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity includes guidance on third-party risk management and the need to adopt proven security practices to gain visibility of security threats across network and cloud infrastructure. Here we highlight six key provi...
5 Things Government Agencies Need to Know About Zero Trust
Zero trust as a concept is simple to grasp. Implementing a zero trust architecture, on the other hand, is complex because it involves addressing a unique mix of process, procedure, technology and user education. Here are some considerations to keep in mind as you begin your journey....
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Fortinet patched a zero day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024....
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management