- Last update: 15/04/2025
- Affected software:
→ Oracle Database Server
→ Oracle Autonomous Health Framework
→ Oracle Essbase
→ Oracle GoldenGate
→ Oracle Graph Server and Client
→ Oracle Secure Backup
→ Oracle TimesTen In-Memory Database
→ Oracle Commerce
→ Oracle Communications Applications
→ Oracle Communications
→ Oracle Construction and Engineering
→ Oracle E-Business Suite
→ Oracle Enterprise Manager
→ Oracle Financial Services Applications
→ Oracle Food and Beverage Applications
→ Oracle Fusion Middleware
→ Oracle Analytics
→ Oracle Hospitality Applications
→ Oracle Hyperion
→ Oracle Insurance Applications
→ Oracle Java SE
→ Oracle JD Edwards
→ Oracle MySQL
→ Oracle PeopleSoft
→ Oracle Policy Automation
→ Oracle Retail Applications
→ Oracle Siebel CRM
→ Oracle Supply Chain
→ Oracle Support Tools
→ Oracle Systems
→ Oracle Utilities Applications
→ Oracle Virtualization
- Type: Multiple Product Advisory
- CVE/CVSS
→ CVE-2025-30727: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2024-52046: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-21587: CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
https://www.oracle.com/security-alerts/cpuapr2025.html
https://blogs.oracle.com/security/post/april-2025-cpu-released
Oracle released patches for multiple products, addressing multiple critical vulnerabilities. Please check which vulnerabilities apply to your organization. Exploitation of these vulnerabilities may allow an attacker to gain access to a system or steal information.
These updates contain fixes for third-party software on which some Oracle products depend. We do not cover those vulnerabilities in this advisory, but we recommend checking the Oracle advisory to determine which are relevant for your organization.
Note: We only highlight what we assess to be the most important vulnerabilities. Please refer to the Oracle security alert for a detailed overview of all the vulnerabilities.
CVE-2025-30727
A vulnerability in the Oracle Scripting product of Oracle E-Business Suite, specifically in the iSurvey Module, allows complete compromise of the Oracle Scripting system. An attacker can potentially gain unauthorized access to sensitive system data, modify or delete critical information, or completely take over the Oracle Scripting application.
CVE-2024-52046
The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks necessary security checks and defenses. It allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.
CVE-2025-21587
A vulnerability in Oracle Java SE and Oracle GraalVM affects the JSSE (Java Secure Socket Extension) component. An unauthenticated attacker with network access could potentially create, delete or modify critical data.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
https://www.securityweek.com/oracle-patches-180-vulnerabilities-with-april-2025-cpu/