Oracle Releases Security Update Patching 378 Vulnerabilities

Oracle Releases April 2025 Critical Patch Update: 378 New Security Patches Address Wide-Ranging Vulnerabilities

On April 15, 2025, Oracle published its latest Critical Patch Update (CPU), delivering a sweeping set of 378 new security patches across its expansive product portfolio.

This quarterly update is vital for organizations relying on Oracle software, as it addresses vulnerabilities in Oracle’s code as well as in third-party components embedded within Oracle products.

The update highlights the persistent risk posed by unpatched systems, with Oracle reiterating its recommendation for customers to apply these updates without delay.

Scope of the April 2025 Critical Patch Update

The April 2025 CPU covers a broad array of Oracle product families, including:

  • Oracle Database, MySQL, and NoSQL Database
  • Fusion Middleware and Oracle Enterprise Manager
  • Oracle E-Business Suite, JD Edwards, PeopleSoft, and Siebel CRM
  • Oracle Communications, Financial Services, and Supply Chain Applications
  • Java SE and GraalVM
  • Oracle Cloud, Virtualization, Utilities, and Retail solutions

Each product family’s risk matrix details newly addressed vulnerabilities, their Common Vulnerabilities and Exposures (CVE) identifiers, and their risk scores based on the Common Vulnerability Scoring System (CVSS) v3.1.

Key Technical Highlights

Remotely Exploitable Vulnerabilities: A significant number of the patched vulnerabilities can be exploited remotely without authentication.

For example, in Oracle Communications, 82 of the 103 vulnerabilities addressed may be exploited over a network without user credentials.

Similarly, Oracle Database, Fusion Middleware, and MySQL products also include multiple remotely exploitable flaws.

High-Risk Components and Protocols: Critical vulnerabilities were found in widely used components such as Apache Tomcat, Apache Mina, OpenSSL, Netty, Spring Framework, and json-smart.

Many issues affect both HTTP and secure protocols like HTTPS and TLS, underscoring the importance of patching both secure and insecure variants.

Third-Party Component Risks: Numerous vulnerabilities stem from third-party libraries (e.g., Apache Commons IO, libxml2, Google Protobuf-Java, Eclipse Jetty), some of which are not directly exploitable in the Oracle context but are patched as a precaution.

Oracle now provides VEX (Vulnerability Exploitability eXchange) justifications for such cases.

Product Versions and Support: Patches are available only for versions under Premier or Extended Support. Oracle strongly advises upgrading unsupported versions, as older releases are likely vulnerable but do not receive new patches.

Workarounds and Best Practices

While immediate patching is the only long-term solution, Oracle suggests temporary workarounds such as blocking network protocols required by an attack or removing unnecessary privileges.

However, these may disrupt application functionality and are not substitutes for applying official patches.

Risk Factor Table: Sample of High-Risk Vulnerabilities

CVE ID          Product/Component                Protocol  Remote Exploit  CVSS Base Score  Confidentiality  Integrity  Availability
CVE-2024-52046  Apache Mina (Multiple)           HTTP      Yes             9.8              High             High       High
CVE-2024-56337  Apache Tomcat (Multiple)         HTTP      Yes             9.8              High             High       High
CVE-2024-40896  libxml2                          HTTP      Yes             9.1              None             High       High
CVE-2025-30727  Oracle Scripting                 HTTP      Yes             9.8              High             High       High
CVE-2024-11053  curl                             HTTP/TLS  Yes             9.1              High             High       None
CVE-2024-23807  Apache Xerces-C++ (JD Edwards)   HTTP      Yes             9.8              High             High       High

This table represents a subset of the highest-risk vulnerabilities from the April 2025 CPU. For a full risk matrix, refer to Oracle’s advisory documentation.
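The scores in the table are CVSS v3.1 base scores. As an added example (not part of the article or of Oracle's advisory), the script below recomputes each sample row's score from the v3.1 formula and ranks the rows for patch prioritization. It assumes the attack vector/complexity/privileges/user-interaction values that "remotely exploitable without authentication" implies (AV:N/AC:L/PR:N/UI:N, Scope Unchanged), since the article gives only the C/I/A impacts.

```python
import math

# CVSS v3.1 metric weights (specification Table 8.4) for the metrics used here.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # Scope:Unchanged weights
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed on integers."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0

def base_score(av, ac, pr, ui, c, i, a):
    """Base score for a Scope:Unchanged vulnerability (all rows in the table)."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR_UNCHANGED[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))

# Constructed from the article's sample table: (CVE, component, stated score, C, I, A).
RISK_MATRIX = [
    ("CVE-2024-52046", "Apache Mina", 9.8, "High", "High", "High"),
    ("CVE-2024-56337", "Apache Tomcat", 9.8, "High", "High", "High"),
    ("CVE-2024-40896", "libxml2", 9.1, "None", "High", "High"),
    ("CVE-2025-30727", "Oracle Scripting", 9.8, "High", "High", "High"),
    ("CVE-2024-11053", "curl", 9.1, "High", "High", "None"),
    ("CVE-2024-23807", "Apache Xerces-C++", 9.8, "High", "High", "High"),
]

def check_and_rank(rows):
    """Recompute each row's score under the assumed AV:N/AC:L/PR:N/UI:N vector,
    flag any mismatch with the stated score, and rank highest score first."""
    level = {"High": "H", "Low": "L", "None": "N"}
    out = []
    for cve, comp, stated, c, i, a in rows:
        computed = base_score("N", "L", "N", "N", level[c], level[i], level[a])
        out.append((cve, comp, stated, computed, stated == computed))
    out.sort(key=lambda r: (-r[3], r[0]))
    return out

if __name__ == "__main__":
    for cve, comp, stated, computed, ok in check_and_rank(RISK_MATRIX):
        print(f"{cve:16} {comp:20} stated={stated} computed={computed} match={ok}")
```

A mismatch flag on a real matrix row means the assumed vector is wrong for that CVE (for example, it needs user interaction or privileges), which is itself useful triage information.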

Notable CVEs and Affected Products

  • Oracle Database Server: Seven new patches, three of which are remotely exploitable without authentication (e.g., CVE-2025-30736, Java VM).
  • Oracle Communications: Multiple CVEs with base scores of 9.8, affecting core components like Management Cloud Engine and Unified Assurance.
  • Oracle Fusion Middleware: High-severity vulnerabilities in Oracle Access Manager, Managed File Transfer, and HTTP Server.
  • MySQL: 43 new security patches; some vulnerabilities affect core server components and connectors, with remote exploitation possible.
  • Java SE: Six new patches, five of which are remotely exploitable; issues affect JavaFX, JSSE, and the 2D graphics subsystem.

Patch Management and Future Updates

Oracle CPUs are released quarterly; the next one is scheduled for July 15, 2025, with further updates following each quarter.

Organizations are urged to maintain up-to-date patching practices and leverage Oracle’s risk matrices to prioritize remediation efforts.


AnuPriya
Anu Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
