InfoSecBulletin Cybersecurity for mankind
On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers databases, middleware, cloud services, and communication applications essential for global financial institutions, telecom providers, and cloud-native platforms.
Key Highlights:
Intel PC, laptop and server processors affected for 6 years: Report
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Oracle Communications Applications had 42 new security updates, including 35 vulnerabilities that can be exploited remotely without authentication.
Oracle Commerce released 6 new patches, including five critical remote code execution vulnerabilities, like CVE-2025-24813 (CVSS 9.8), which impact Apache Tomcat in the Guided Search component.
Oracle Database Server received 7 new patches, including 3 that are remotely exploitable, like CVE-2025-30736, which affects Java VM.
Oracle GoldenGate and TimesTen In-Memory Database both had several serious vulnerabilities, including CVEs related to Axios, Apache Commons IO, and Netty.
Critical Vulnerability Statistics:
Total vulnerabilities addressed: 378
Unique CVEs fixed (excluding duplicates across products): 171
Remotely exploitable without authentication: 255 vulnerabilities
High-severity issues (CVSS v3.1 score ≥ 7.0): 162 vulnerabilities
CVSS ≥ 9.0 (Critical): 40 vulnerabilities
CVSS 9.8 (very high severity): 30 vulnerabilities
No CVSS 10.0 vulnerabilities were reported
The CPU affects a wide swath of Oracle offerings, including:
Oracle Database Server (versions 19.3–23.7)
Oracle Communications Suite (Unified Assurance, Messaging Server, Network Integrity)
Oracle GoldenGate, Graph Server, Essbase, Secure Backup
Oracle Java SE, Fusion Middleware, SOA Suite, WebLogic Server
Retail, Financial Services, E-Business Suite, PeopleSoft, and more
Oracle reiterates in its advisory that “attackers have been successful because targeted customers had failed to apply available Oracle patches.” The company urges users to remain on actively supported versions and apply the updates without delay.
Oracle advises organizations that are behind on patch cycles to upgrade to supported versions, as older versions likely contain vulnerabilities.
