April 2025 Oracle Critical Patch Update: Addressing 378 Vulnerabilities Across Key Products
- Rescana

Oracle Critical Patch Update Advisory - April 2025
Overview
The Oracle Critical Patch Update (CPU) for April 2025 addresses 378 new security vulnerabilities across multiple Oracle product families. This CPU includes patches for vulnerabilities in Oracle code and third-party components included in Oracle products. The vulnerabilities addressed in this update impact several Oracle products, with varying levels of risk and potential exploitation vectors.
Oracle products receiving patches include Oracle Database Server, Oracle Fusion Middleware, Oracle Java SE, Oracle MySQL, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Retail Applications, and more.
Detailed Vulnerability Analysis
Notable Vulnerabilities and Exploits
- CVE-2025-24813: A critical vulnerability in Oracle Commerce Guided Search, remotely exploitable over HTTP, with a CVSS score of 9.8. Successful exploitation allows complete compromise of the affected system.
- CVE-2025-30694: An XML Database vulnerability in Oracle Database Server with a CVSS score of 5.4; exploitation requires user interaction.
- CVE-2025-30736: A Java VM vulnerability in Oracle Database Server with a CVSS score of 7.4, remotely exploitable without authentication.
- CVE-2025-21578: A vulnerability in Oracle Secure Backup, locally exploitable, with a CVSS score of 6.7; it affects data confidentiality, integrity, and availability.
- CVE-2025-24970: Multiple vulnerabilities in Oracle Communications Applications with a CVSS score of 7.5, exploitable over network protocols and affecting products such as Oracle Communications Billing and Revenue Management.
Exploitation in the Wild
Oracle has noted that attackers have successfully exploited some vulnerabilities for which patches were available but not applied by customers. This highlights the importance of timely patch application to mitigate potential risks.
Mitigation and Recommendations
- Immediate Patch Application: Customers are strongly advised to apply the patches included in this CPU to prevent potential exploitation.
- Network Protocols Management: Temporarily block network protocols required by specific attacks until patches can be applied.
- Privilege Management: Remove unnecessary privileges from users to mitigate risks of privilege escalation attacks.
Acknowledgements
Oracle acknowledges contributions from security researchers and organizations for reporting vulnerabilities addressed in this CPU. Notable contributors include Amazon Web Services, Google, Alibaba, NATO Cyber Security Centre, and several independent researchers.
References and Additional Resources
This report is prepared for Rescana customers to provide a detailed understanding of the vulnerabilities, risks, and necessary mitigation strategies covered by the Oracle CPU for April 2025. Customers are encouraged to review the full advisory and its associated documentation to ensure their security posture is comprehensively addressed.