Security Experts:

Connect with us

Hi, what are you looking for?



Oracle’s January 2021 CPU Contains 329 New Security Patches

Oracle this week announced the availability of its first cumulative set of security fixes for 2021, which includes a total of 329 new patches.

Oracle this week announced the availability of its first cumulative set of security fixes for 2021, which includes a total of 329 new patches.

The January 2021 Critical Patch Update (CPU) addresses issues in both Oracle products and third-party components that are included in the company’s products, with some of the patches meant to address multiple vulnerabilities, some reported more than a year ago.

The January 2021 CPU also includes fixes for CVE-2020-14750, an exploited vulnerability in WebLogic Server, which Oracle addressed with the release of an out-of-band update on November 1, 2020.

Oracle’s quarterly collection of patches brings fixes for more than 20 products across the tech giant’s portfolio, with Fusion Middleware being affected the most: it received 60 patches, with 47 of the resolved vulnerabilities being remotely exploitable, without authentication.

Financial Services Applications comes in second, with a total of 50 fixes and 41 vulnerabilities that unauthenticated attackers can exploit remotely, followed by MySQL at 43 patches and 5 remotely exploitable, without authentication.

Retail Applications, with 32 patches and 20 vulnerabilities that can be exploited remotely without authentication, and E-Business Suite, with 31 fixes and 29 bugs remotely exploitable by unauthenticated attackers, round up the top five most impacted products.

Virtualization received 17 patches this month, but none of the addressed vulnerabilities could be exploited remotely without authentication. However, all of those addressed by the 11 fixes released for Supply Chain could be.

Oracle also released patches for Communications (12 fixes – 7 flaws remotely exploitable without authentication), Enterprise Manager (8 – 8), PeopleSoft (8 – 6), Communications Applications (8 – 6), Database Server (8 – 1), Construction and Engineering (7 – 5), Hyperion (7 – 5), JD Edwards (5 – 5), Health Sciences Applications (5 – 3), Systems (4 – 3), Siebel CRM (4 – 1), Insurance Applications (3 – 1), GraalVM (2 – 2), Food and Beverage Applications (2 – 1), Java SE (1 – 1), and Utilities Applications (1 – 1).

The tech company says that it continues to receive reports of threat actors attempting to exploit patched vulnerabilities, and it has advised customers to install the available updates as soon as possible, to ensure they are protected from such attacks.

Oracle’s next set of quarterly patches will be released on April 20, 2021.

Related: Recent Oracle WebLogic Vulnerability Exploited to Deliver DarkIRC Malware

Related: Oracle’s October 2020 CPU Contains 402 New Security Patches

Related: Oracle’s July 2020 CPU Includes 443 New Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet