Oracle has delivered its regular quarterly collection of patches: 603 in total, 318 for its own products, and another 285 for Linux code it ships.
Big Red’s VP of security assurance Eric Maurice singled out one patch as worthy of particular attention: the fix addresses CVE-2025-21556, a CVSS 9.9-out-of-10-rated vulnerability in Oracle’s Agile Product Lifecycle Management (PLM) Framework, which allows a low-privileged attacker with network access to compromise that tool, and through it other Oracle products.
Maurice urged action because Oracle had already published an out-of-band security alert for the Agile PLM Framework in November 2024. He wrote that the patch delivered on Wednesday “includes patches for this alert as well as additional patches.”
Another catch-up concerns CVE-2024-45492, a flaw in the XML parsing library LibExpat that Oracle uses in several products. The flaw was tackled in August 2024 and rated 6.2 in severity, but in December was upgraded to 9.8. NIST’s page for the flaw states: “It is awaiting reanalysis which may result in further changes to the information provided.”
It’s probably not a major concern, as it only poses a threat on 32-bit systems under certain conditions. But it’s rated as having a low attack complexity, and version 2.6.3, which fixed it, was published in September 2024.
Libraries like this can often find their way into software and be all but forgotten. At Oracle, it’s used in products for telcos, financial services orgs, and middleware.
Other fixes in the colossal collection address 85 issues in the Oracle Communications range offered to telcos. Fifty-nine of the flaws potentially allow remote code execution. Three of them – CVE-2023-46604, CVE-2024-45492, and CVE-2024-56337 – have a CVSS score of 9.8, and there are six more rated 9.1 or 9.0, four of them associated with the Kerberos authentication system.
Thirty-one patches target Financial Services products and 22 fix Oracle Middleware messes.
Oracle Analytics needs 26 patches. Four of them are rated CVSS 9.1 or higher, and three of those are in the Business Intelligence enterprise edition. The two least severe, both rated 9.1, address issues in Apache XMLBeans and OpenSSL within the platform’s Business Intelligence security framework. Of the two CVSS 9.8 flaws, one involves a use-after-free bug in the platform’s SciPy library, while the other pertains to the Pivotal Spring Framework when used for Java deserialization of untrusted data.
Oracle Hospitality Applications need just one patch, but it’s a critical CVSS 9.1-rated fix targeting a flaw in the OPERA hotel management application versions 5.6.19.20 and later. The flaw can be exploited remotely to either crash vulnerable systems or grab all accessible data in the OPERA 5 management system.
JD Edwards gets 23 patches, two of them CVSS 9.8-rated. The first, in the monitoring and diagnostics tool for EnterpriseOne Tools, would allow a complete takeover of unpatched systems; the other is a path traversal vulnerability in Samba that is down to “inadequate sanitization of incoming client pipe names.”
There are 39 fixes for Oracle’s MySQL implementation, three of them with a CVSS 9.1 rating. Two are issues with the curl and Kerberos packages used by MySQL, and one is in the Enterprise Backup feature – again involving curl.
While PeopleSoft only got 16 patches, there is a CVSS 9.1-rated flaw in Enterprise PeopleTools versions 8.60 and 8.61. If exploited, it would allow an attacker to copy all the data in the application and/or crash it in a denial of service attack.
We’ve already mentioned the CVSS 9.9 Agile flaw in Oracle’s Supply Chain platform, but among five additional patches, there’s another high-severity issue rated CVSS 9.8. This vulnerability in the Engineering Data Management system stems from a use-after-free error in the Apache Xerces C++ XML parser. Users are advised to upgrade to version 3.2.5 to address the issue.
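The article makes the point twice that a bundled library can sit forgotten inside a product long after its fix ships: LibExpat, fixed in 2.6.3 in September 2024, and Xerces C++, where users are told to upgrade to 3.2.5. The following is an added example (not Oracle’s or the author’s code) of the kind of inventory gate a defender would run over a software bill of materials to flag components still below the fixed release. The component inventory and product names are constructed for illustration; only the two fixed versions come from the article. The version parser tolerates distro-style suffixes such as "-r1" and treats "2.6" and "2.6.0" as equal, two edge cases that naive string comparison gets wrong.

```python
"""Check a component inventory against the fixed library versions named in the article.

Added example, not Oracle's or The Register's code. The inventory below is
constructed; the fixed versions (Expat 2.6.3, Xerces-C++ 3.2.5) are the ones
the article cites.
"""
import re
from typing import Dict, List, Tuple

# Component -> first release containing the fix, as stated in the article.
FIXED_VERSIONS: Dict[str, str] = {
    "expat": "2.6.3",      # CVE-2024-45492 fix, published September 2024
    "xerces-c": "3.2.5",   # recommended upgrade for the Xerces C++ use-after-free
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.3', 'v2.6.3' or '2.6.3-r1' into a comparable tuple of ints.

    Only the leading dotted numeric part is used, so a packaging suffix like
    '-r1' or '_p2' is ignored. Trailing zero components are dropped so that
    '2.6' and '2.6.0' compare equal; Python tuple ordering then gives the
    usual numeric ordering ('2.6' < '2.6.3' < '2.10').
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(component: str, installed: str) -> bool:
    """True if the installed version is at or above the fixed release."""
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[component])


def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (product, component, installed, fixed) for every tracked
    component that is still below its fixed version. Components not in
    FIXED_VERSIONS are ignored."""
    findings = []
    for product, component, installed in inventory:
        if component not in FIXED_VERSIONS:
            continue
        if not is_patched(component, installed):
            findings.append((product, component, installed, FIXED_VERSIONS[component]))
    return findings


# Constructed sample inventory: (product, bundled component, installed version).
# Product names are hypothetical.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("billing-gateway", "expat", "2.5.0"),       # below 2.6.3 -> flagged
    ("billing-gateway", "openssl", "3.0.13"),    # not tracked here -> ignored
    ("edm-server", "xerces-c", "3.2.4"),         # below 3.2.5 -> flagged
    ("edm-server", "expat", "2.6.3-r1"),         # suffix ignored -> patched
    ("reporting-portal", "xerces-c", "3.2.5"),   # exactly the fix -> patched
    ("legacy-agent", "expat", "2.6"),            # 2.6 == 2.6.0 < 2.6.3 -> flagged
]

if __name__ == "__main__":
    for product, component, installed, fixed in find_unpatched(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {product} ships {component} {installed} (fixed in {fixed})")
```

On the sample inventory this reports three products: the two Expat installs below 2.6.3 and the Xerces-C++ 3.2.4 install; the "2.6.3-r1" build is correctly treated as already fixed. Extend FIXED_VERSIONS from your own advisory tracking rather than hard-coding it in production.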
Oracle Linux tells a slightly better story. While Big Red did release 285 patches, only two of those carry CVSS scores over 9. Both involve vulnerabilities in the gstreamer1-plugins-base library. The first is a stack buffer overflow that could allow an attacker to overwrite memory, and the second is an out-of-bounds write error that could similarly result in memory corruption. ®