
Oracle Patches 200 Vulnerabilities With January 2025 CPU

Oracle has released 318 new security patches to address roughly 200 unique CVEs as part of its January 2025 Critical Patch Update.

Oracle on Tuesday announced the release of 318 new security patches as part of its January 2025 Critical Patch Update (CPU), including over 180 fixes for vulnerabilities that can be exploited remotely without authentication.

SecurityWeek has identified roughly 220 unique CVEs in Oracle’s January 2025 CPU. Approximately 30 of the new security patches resolve critical-severity flaws.

For the fourth time in a row, Oracle Communications received the highest number of new patches, at 85. Of the resolved vulnerabilities, 59 can be exploited remotely without authentication.

On Tuesday, Oracle also announced the release of 39 new security patches for MySQL, including fixes for four bugs that can be exploited by remote, unauthenticated attackers.

Significant numbers of patches were also announced for Financial Services Applications (31 new fixes – 24 for unauthenticated, remotely exploitable issues), Communications Applications (28 – 15), Analytics (26 – 21), JD Edwards (23 – 14), Fusion Middleware (22 – 18), and PeopleSoft (16 – 6).

Nearly two dozen Oracle products received small numbers of security patches, including Utilities Applications (6 – 4), Supply Chain (6 – 3), Database Server (5 – 2), Construction and Engineering (4 – 1), E-Business Suite (4 – 1), and Enterprise Manager (3 – 3).

Few security patches were released for Health Sciences Applications (2 fixes – 1 for a flaw that can be exploited remotely without authentication), Java SE (2 – 1), Siebel CRM (2 – 1), GoldenGate (2 – 0), Hyperion (2 – 0), Retail Applications (2 – 0), and Virtualization (2 – 0).

Application Express, REST Data Services, Secure Backup, Commerce, Hospitality Applications, and Systems received one new security patch each. The vulnerabilities in Application Express and Systems are not remotely exploitable without authentication.

For multiple products, including Big Data Spatial and Graph, Blockchain, Essbase, Graph Server and Client, TimesTen In-Memory Database, Insurance Applications, and Policy Automation, Oracle released no new security patches for exploitable defects, but resolved non-exploitable third-party CVEs. The patches released for multiple other products also resolve additional CVEs and non-exploitable CVEs.

Oracle recommends applying the new patches as soon as possible, underlining that it often receives reports of threat actors successfully exploiting vulnerabilities for which patches have been released but not applied in a timely manner.

On Tuesday, the tech giant also announced 18 new patches for vulnerabilities in third-party software included in Oracle Solaris, including 11 for unauthenticated, remotely exploitable vulnerabilities.

A new Oracle Linux bulletin was also released, detailing 285 new security patches for Oracle Linux that were released over the past month. For the next two months, the bulletin will be updated to include newly released CVEs.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
