Oracle Critical Patch Update Advisory - April 2025

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 378 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2025 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Autonomous Health Framework, versions 23.8.0-23.11.0, 24.1.0-24.11.0, 25.1.0, 25.2.0 Oracle Autonomous Health Framework
GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.10 Database
JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.9.2 JD Edwards
Management Cloud Engine, version 24.3.0 Management Cloud Engine
MySQL Client, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 MySQL
MySQL Cluster, versions 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 MySQL
MySQL Connectors, versions 9.0.0-9.2.0 MySQL
MySQL Enterprise Backup, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 MySQL
MySQL Server, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 MySQL
MySQL Shell, versions 8.0.32-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 MySQL
MySQL Workbench, versions 8.0.0-8.0.41 MySQL
Oracle Access Manager, version 12.2.1.4.0 Fusion Middleware
Oracle Agile Engineering Data Management, version 6.2.1 Oracle Supply Chain Products
Oracle Application Express, versions 23.2.15, 23.2.16, 24.1.9, 24.1.10, 24.2.3, 24.2.4 Database
Oracle Application Testing Suite, version 13.3.0.1 Oracle Enterprise Manager
Oracle Banking APIs, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 Contact Support
Oracle Banking Corporate Lending Process Management, versions 14.5.0.0.0-14.7.0.0.0 Contact Support
Oracle Banking Digital Experience, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 Contact Support
Oracle Banking Liquidity Management, version 14.7.0.7.0 Contact Support
Oracle Banking Origination, versions 14.5.0.0.0-14.7.0.0.0 Contact Support
Oracle BI Publisher, versions 7.6.0.0.0, 12.2.1.4.0 Oracle Analytics
Oracle Business Activity Monitoring, version 14.1.2.0.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0, 12.2.1.4.0 Oracle Analytics
Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0 Fusion Middleware
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 Fusion Middleware
Oracle Commerce Guided Search, versions 11.3.2, 11.4.0 Oracle Commerce
Oracle Commerce Merchandising, versions 11.3.0, 11.3.1, 11.3.2 Oracle Commerce
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2, 11.4.0 Oracle Commerce
Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0 Oracle Communications Billing and Revenue Management
Oracle Communications Cloud Native Core Binding Support Function, versions 24.2.0-24.2.2 Oracle Communications Cloud Native Core Binding Support Function
Oracle Communications Cloud Native Core Certificate Management, version 24.2.2 Oracle Communications Cloud Native Core Certificate Management
Oracle Communications Cloud Native Core Console, version 24.2.2 Oracle Communications Cloud Native Core Console
Oracle Communications Cloud Native Core DBTier, versions 24.2.3, 24.2.4, 24.3.0 Oracle Communications Cloud Native Core DBTier
Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0 Oracle Communications Cloud Native Core Network Data Analytics Function
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 24.2.5, 25.1.100 Oracle Communications Cloud Native Core Network Function Cloud Native Environment
Oracle Communications Cloud Native Core Network Repository Function, version 24.2.3 Oracle Communications Cloud Native Core Network Repository Function
Oracle Communications Cloud Native Core Policy, versions 24.2.0-24.2.4 Oracle Communications Cloud Native Core Policy
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 24.2.2, 24.2.3, 24.3.0 Oracle Communications Cloud Native Core Security Edge Protection Proxy
Oracle Communications Cloud Native Core Service Communication Proxy, versions 24.2.0, 24.2.3, 24.3.0, 25.1.100 Oracle Communications Cloud Native Core Service Communication Proxy
Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.0, 23.1.0-23.4.0, 24.2.3, 25.1.100 Oracle Communications Cloud Native Core Unified Data Repository
Oracle Communications Diameter Signaling Router, version 9.0.0.0 Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Element Management System, version 46.6 Oracle Communications EAGLE Element Management System
Oracle Communications Element Manager, versions 9.0.0-9.0.3 Oracle Communications Element Manager
Oracle Communications Messaging Server, version 8.1.0.26.0 Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.1 Oracle Communications MetaSolv Solution
Oracle Communications Network Analytics Data Director, versions 24.1.0-24.3.0 Oracle Communications Network Analytics Data Director
Oracle Communications Network Charging and Control, versions 12.0.6.0.0, 15.0.0.0.0, 15.0.1.0.0 Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.6, 7.4.0, 7.5.0 Oracle Communications Network Integrity
Oracle Communications Operations Monitor, version 5.2 Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1, 7.5.0 Oracle Communications Order and Service Management
Oracle Communications Policy Management, version 15.0.0.0.0 Oracle Communications Policy Management
Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0 Oracle Communications Pricing Design Center
Oracle Communications Service Catalog and Design, versions 8.0.0.4.0, 8.1.0.2.0 Oracle Communications Service Catalog and Design
Oracle Communications Session Border Controller, versions 9.2.0, 9.3.0, 10.0.0 Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 9.0.0-9.0.3 Oracle Communications Session Report Manager
Oracle Communications Unified Assurance, versions 6.0-6.1 Oracle Communications Unified Assurance
Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0-7.5.1, 7.6.0, 7.7.0 Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository, versions 14.0.0, 15.0.0, 15.0.1, 15.0.2 Oracle Communications User Data Repository
Oracle Data Integrator, version 12.2.1.4.0 Fusion Middleware
Oracle Database Server, versions 19.3-19.26, 21.3-21.17, 23.4-23.7 Database
Oracle Demantra Demand Management, versions 12.2.6-12.2.14 Oracle Supply Chain Products
Oracle Documaker, versions 12.7.1.6, 12.7.2.3, 13.0.0.1 Oracle Insurance Applications
Oracle E-Business Suite, versions 12.2.3-12.2.14, [ECC] 12-13 Oracle E-Business Suite
Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0 Oracle Enterprise Communications Broker
Oracle Enterprise Manager Base Platform, versions 13.5.0.0.0, 24.1.0.0.0 Oracle Enterprise Manager
Oracle Essbase, version 21.7.1.0.0 Database
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.8, 8.0.8.6, 8.1.1.4, 8.1.2.5 Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.2.8, 8.1.2.9 Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Compliance Studio, version 8.1.2.9 Oracle Financial Services Compliance Studio
Oracle Financial Services Model Management and Governance, version 8.1.2.7.0 Oracle Financial Services Model Management and Governance
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0-7.0.0.0.0 Oracle Financial Services Revenue Management and Billing
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8 Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 Fusion Middleware
Oracle GoldenGate, versions 19.1.0.0.0-19.26.0.0.250219, 21.3-21.17, 23.4-23.7 Database
Oracle GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.241210 Database
Oracle GraalVM Enterprise Edition, versions 20.3.17, 21.3.13 Java SE
Oracle GraalVM for JDK, versions 17.0.14, 21.0.6, 24 Java SE
Oracle Graph Server and Client, versions 23.4.3, 23.4.4, 24.3.0, 24.4.0 Database
Oracle Hospitality Cruise Shipboard Property Management System, version 23.2.1 Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Reporting and Analytics, versions 9.1.34-9.1.36 Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 19.1-19.7 Oracle Hospitality Simphony
Oracle HTTP Server, versions 12.2.1.4.0, 14.1.2.0.0 Fusion Middleware
Oracle Hyperion Financial Reporting, version 11.2.19.0.0 Oracle Enterprise Performance Management
Oracle Hyperion Infrastructure Technology, version 11.2.19.0.0 Oracle Enterprise Performance Management
Oracle Java SE, versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24 Java SE
Oracle JDeveloper, version 12.2.1.4.0 Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.4.0, 14.1.2.0.0 Fusion Middleware
Oracle NoSQL Database, versions 1.5.0, 1.6.0, 1.6.1 NoSQL Database
Oracle Outside In Technology, version 8.5.7 Fusion Middleware
Oracle Policy Automation, versions 12.2.0-12.2.36 Oracle Policy Automation
Oracle Policy Modeling, versions 12.2.0-12.2.36 Oracle Policy Automation
Oracle REST Data Services, versions 23.1, 23.2, 23.3, 23.4 Database
Oracle Retail Order Broker, version 19.1 Retail Applications
Oracle Retail Store Inventory Management, version 16.0.3.16 Retail Applications
Oracle Retail Xstore Point of Service, versions 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 Retail Applications
Oracle SD-WAN Aware, version 9.0.1.11 Oracle SD-WAN Aware
Oracle SD-WAN Edge, version 9.1.1.9 Oracle SD-WAN Edge
Oracle Secure Backup, versions 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1, 18.1.0.2, 19.1.0.0 Oracle Secure Backup
Oracle Service Bus, version 12.2.1.4.0 Fusion Middleware
Oracle Smart View for Office, version 24.200 Oracle Enterprise Performance Management
Oracle SOA Suite, versions 12.2.1.4.0, 14.1.2.0.0 Fusion Middleware
Oracle Solaris, version 11 Systems
Oracle SQL Developer, version 24.3.1.347.1826 Database
Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.30.0 Database
Oracle Utilities Application Framework, versions 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0 Oracle Utilities Applications
Oracle VM VirtualBox, version 7.1.6 Virtualization
Oracle WebCenter Forms Recognition, version 14.1.1.0.0 Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.4.0 Fusion Middleware
Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 Fusion Middleware
OSS Support Tools, versions 2.11.0-2.12.46, 8.0-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1 Oracle Support Tools
PeopleSoft Enterprise CC Common Application Objects, version 9.2 PeopleSoft
PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.60, 8.61, 8.62 PeopleSoft
Primavera Gateway, versions 20.12.0-20.12.17, 21.12.0-21.12.15 Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 22.12.0-22.12.18, 23.12.0-23.12.13, 24.12.0-24.12.2 Oracle Construction and Engineering Suite
Primavera Unifier, versions 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 Oracle Construction and Engineering Suite
Siebel Applications, versions 17.0-25.2 Siebel
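To turn the "Affected Products and Versions" cells above into an inventory check, here is an added example (it is not part of Oracle's advisory and not an Oracle tool) that parses a "versions ..." cell and reports whether an installed dotted-numeric version falls inside it. Its assumptions: range endpoints are inclusive and are compared as zero-padded numeric tuples (so "19.3-19.26" covers 19.26 but not 19.26.1), a single listed version is matched as a prefix (so "version 11" covers 11.4), and non-dotted forms such as "8u441" or "[ECC] 12-13" are rejected with ValueError rather than guessed at. The Patch Availability Documents remain the authority on what is actually patched.

```python
import re
from typing import List, Optional, Tuple

VersionTuple = Tuple[int, ...]
# (low, high) for a range such as 19.3-19.26; (single, None) for a lone version.
AffectedRange = Tuple[VersionTuple, Optional[VersionTuple]]


def parse_version(text: str) -> VersionTuple:
    """Turn a dotted numeric version such as '19.26.0.0.250219' into a tuple of ints.

    Non-numeric components ('8u441', '[ECC] 12') raise ValueError on purpose:
    those cells need a human, not a heuristic.
    """
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: VersionTuple, b: VersionTuple) -> Tuple[VersionTuple, VersionTuple]:
    """Right-pad both tuples with zeros so '19.26' and '19.26.0.0.250219' compare positionally."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_affected(spec: str) -> List[AffectedRange]:
    """Parse a cell like 'versions 19.3-19.26, 21.3-21.17, 23.4-23.7'.

    Each comma-separated item is either 'low-high' (inclusive range) or a
    single version; the leading 'version'/'versions' word is optional.
    """
    spec = re.sub(r"^\s*versions?\s+", "", spec.strip())
    ranges: List[AffectedRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (parse_version(p) for p in item.split("-", 1))
            if _pad(low, high)[0] > _pad(low, high)[1]:
                raise ValueError(f"range is inverted: {item}")
            ranges.append((low, high))
        else:
            ranges.append((parse_version(item), None))
    return ranges


def is_affected(installed: str, spec: str) -> bool:
    """True if the installed version is inside any listed range or under any listed prefix."""
    v = parse_version(installed)
    for low, high in parse_affected(spec):
        if high is None:
            # A lone version in the advisory is treated as a release line (prefix match).
            if v[: len(low)] == low:
                return True
        else:
            lo, a = _pad(low, v)
            hi, b = _pad(high, v)
            if lo <= a and b <= hi:
                return True
    return False


if __name__ == "__main__":
    # Cells transcribed from the table above; installed versions are constructed examples.
    db_cell = "versions 19.3-19.26, 21.3-21.17, 23.4-23.7"
    gg_cell = "versions 19.1.0.0.0-19.26.0.0.250219, 21.3-21.17, 23.4-23.7"
    for installed, cell in [("19.26", db_cell), ("19.27", db_cell),
                            ("19.26.0.0.250219", gg_cell), ("11.4", "version 11")]:
        print(f"{installed:>20}  affected={is_affected(installed, cell)}")
```

Run it against your own inventory export; anything that raises ValueError is a cell the script will not interpret, and those rows (Java SE, E-Business Suite ECC, Solaris) should be checked by hand against the linked patch documents.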

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE ID. A vulnerability that affects multiple products will appear with the same CVE ID in all risk matrices.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Vulnerabilities in third party components that are not exploitable through their inclusion in Oracle products are listed below the respective Oracle product's risk matrix. Starting with the July 2023 Critical Patch Update, a VEX justification is also provided.

The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy that further supplements the Lifetime Support Policy as explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Aamir Rehman Yousafzai: CVE-2025-30707, CVE-2025-30708
  • Abhijit Gaikwad: CVE-2025-30737
  • Ahmed Abbas: CVE-2025-30716, CVE-2025-30717
  • Alaa Kachouh: CVE-2025-30737
  • Alberto Arganese of TIM S.p.A.: CVE-2025-30694
  • Alexandre Aubut of Centre Gouvernementale de cyberdéfense du Québec: CVE-2025-30730, CVE-2025-30731, CVE-2025-30732
  • Alicja Kario: CVE-2025-21587
  • Athul Jayaram: CVE-2025-21576
  • AWS Security of Amazon: CVE-2025-30722
  • Brandon Cox of 3D Systems: CVE-2025-30692
  • Brandon Stamm: CVE-2025-30709
  • Craig at driftnet.io: CVE-2025-30733
  • Cristian Castrechini of TIM S.p.A.: CVE-2025-30694
  • CVR of Google: CVE-2025-30712
  • Dominique RIGHETTO of Excellium Cyber Solution By Thales: CVE-2025-30713
  • Federico Draghelli of TIM S.p.A.: CVE-2025-30694
  • François Longchamps of Centre Gouvernementale de cyberdéfense du Québec: CVE-2025-30730, CVE-2025-30731, CVE-2025-30732
  • Giulio Schiavone: CVE-2025-21586, CVE-2025-30740
  • IuHrm: CVE-2025-30726, CVE-2025-30727, CVE-2025-30728
  • Jakub Barton: CVE-2025-30714
  • Jean-Michel Huguet of NATO Cyber Security Centre (NCSC): CVE-2025-30723, CVE-2025-30724
  • JiAn Zhou of Alibaba: CVE-2025-30706
  • Jie Liang of WingTecher Lab of Tsinghua University: CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30687, CVE-2025-30688
  • Jingzhou Fu of WingTecher Lab of Tsinghua University: CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30687, CVE-2025-30688
  • Juan José López Jaimez of Google: CVE-2025-30712
  • Kush Jijania: CVE-2025-30709
  • Massimiliano Brolli of TIM S.p.A.: CVE-2025-30694
  • Michael Kutz: CVE-2025-30701
  • Mochamad Akbar Anggamaulana: CVE-2025-30718
  • Théo GOBINET of ENGIE IT Offensive Cybersecurity Team: CVE-2025-30711
  • Ying Zhu of Alibaba: CVE-2025-30706
  • Zhiyong Wu of WingTecher Lab of Tsinghua University: CVE-2025-30681, CVE-2025-30682, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30687, CVE-2025-30688
  • Ziyang Li of Alibaba: CVE-2025-30706
  • Zong Cao: CVE-2025-30719
  • Zong Cao of Cyber Security Lab of NTU: CVE-2025-30725
  • Zongrui Peng of WingTecher Lab of Tsinghua University: CVE-2025-30687, CVE-2025-30688

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Amichai Rothman
  • Markus Loewe of Onapsis
  • Orange Tsai
  • Rowan Crane
  • Splitline Huang of DEVCORE Research Team
  • Yakov Shafranovich of Amazon Web Services [4 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Abdulaziz Alzahrani [2 reports]
  • Ahmed Al-Saleem
  • Andr. Ess [4 reports]
  • David Krause of HCA Healthcare
  • Dung Nguyen Anh
  • Firewallresearch
  • Herry Poter
  • Jashim Uddin Bhuiyan
  • Jeffrey Bencteux of Improsec
  • Kyle Burbank
  • Le Ngoc Anh
  • Milan Katwal
  • Miracles
  • Mohaned Ahmed
  • Muhammad Usama Arshad
  • Packy Jones
  • Praveen Das
  • Sanjith Roshan
  • Shivam Dhingra
  • Syed Sohaib Karim
  • Turbolego Fiberkanin
  • Yasser Alhazmi of Thawd.io [2 reports]
  • YiKun Zhao

Critical Patch Update Schedule

Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 July 2025
  • 21 October 2025
  • 20 January 2026
  • 21 April 2026

References

 

Modification History

Date Note
2025-April-21 Rev 2. Java version changes and Document number change
2025-April-15 Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 17 new security patches for Oracle Database Products divided as follows:

  • 7 new security patches for Oracle Database Products
  • No new security patches for Oracle Application Express, but third party patches are provided
  • 1 new security patch for Oracle Autonomous Health Framework
  • 1 new security patch for Oracle Essbase
  • 4 new security patches for Oracle GoldenGate
  • 1 new security patch for Oracle Graph Server and Client
  • No new security patches for Oracle NoSQL Database, but third party patches are provided
  • No new security patches for Oracle REST Data Services, but third party patches are provided
  • 1 new security patch for Oracle Secure Backup
  • No new security patches for Oracle SQL Developer, but third party patches are provided
  • 2 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 7 new security patches, plus additional third party patches noted below, for Oracle Database Products.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  2 of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-30736 | Java VM | None | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 |
CVE-2025-30701 | RAS Security | User Account | Oracle Net | No | 7.3 | Network | Low | Low | Required | Unchanged | High | High | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 |
CVE-2025-30733 | RDBMS Listener | None | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 |
CVE-2025-30694 | XML Database | User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 19.3-19.26, 21.3-21.17, 23.4-23.7 |
CVE-2025-30702 | Fleet Patching and Provisioning | None | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 19.3-19.26 |
CVE-2024-13176 | Oracle Database (OpenSSL) | None | None | No | 4.3 | Physical | Low | None | None | Unchanged | Low | Low | Low | 23.4-23.7 |
CVE-2020-36843 | Oracle Database SQLCl (EdDSA) | None | SSH | No | 4.3 | Local | Low | None | None | Changed | None | Low | None | 23.4-23.7 |

Additional CVEs addressed are:

  • The patch for CVE-2024-13176 also addresses CVE-2022-3786 and CVE-2024-9143.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Database Grid (Apache Tomcat): CVE-2025-24813 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
  • Oracle Database Workload Manager (Eclipse Jetty): CVE-2024-8184 and CVE-2024-6763 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Spatial and Graph Mapviewer (Curl): CVE-2024-11053 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Perl (Libexpat): CVE-2024-8176 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2024-13176 and CVE-2020-36843.

 

Oracle Application Express Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle Application Express.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Application Express.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Application Express
    • General (DOMPurify): CVE-2025-26791 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • General (PrismJS): CVE-2024-53382 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Autonomous Health Framework Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Autonomous Health Framework.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-24549 | Autonomous Health Framework | Trace File Analyzer (Apache Tomcat) | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 23.8.0-23.11.0, 24.1.0-24.11.0, 25.1.0, 25.2.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-24549 also addresses CVE-2020-11996, CVE-2020-13935, CVE-2020-13943, CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2021-24122, CVE-2021-25122, CVE-2021-25329, CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-43980, CVE-2022-25762, CVE-2022-42252, CVE-2023-28708, CVE-2023-41080, CVE-2023-42795, CVE-2023-44487, CVE-2023-45648, CVE-2023-46589, and CVE-2024-23672.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Autonomous Health Framework
    • Trace File Analyzer (json-smart): CVE-2024-57699 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Essbase Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Essbase.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-13176 | Oracle Essbase | Web Platform (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 21.7.1.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-13176 also addresses CVE-2024-9143.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Essbase
    • Marketplace (jackson-databind): CVE-2021-42575 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Web Platform (RequireJS): CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 4 new security patches, plus additional third party patches noted below, for Oracle GoldenGate.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-39338 | Oracle GoldenGate | Internal Framework (Axios) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.3-21.17, 23.4-23.7 |
CVE-2024-36114 | GoldenGate Stream Analytics | Stream Analytics (Aircompressor) | HTTP | No | 5.3 | Network | High | High | Required | Unchanged | Low | Low | High | 19.1.0.0.0-19.1.0.0.10 |
CVE-2021-41184 | Oracle GoldenGate | Embedded Web UI for Services (jQueryUI) | HTTP | Yes | 4.0 | Network | High | None | None | Changed | None | None | Low | 19.1.0.0.0-19.26.0.0.250219, 21.3-21.17 |
CVE-2024-47561 | GoldenGate Stream Analytics | Stream Analytics (Apache Avro) | HTTP | No | 3.8 | Adjacent Network | High | High | Required | Unchanged | Low | Low | Low | 19.1.0.0.0-19.1.0.0.10 |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • GoldenGate Stream Analytics
    • General Issues (urllib3): CVE-2024-37891 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Security (Spring Framework): CVE-2023-34053 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle GoldenGate Veridata
    • Veridata (Spring Framework): CVE-2024-38819 and CVE-2024-38820 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Graph Server and Client Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Graph Server and Client.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Risk Matrix Definitions).

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-6763 | Graph Server and Client | Install (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 23.4.4, 24.4.0 |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Graph Server and Client
    • Install (Apache Commons IO): CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle NoSQL Database Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle NoSQL Database.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle NoSQL Database.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle NoSQL Database
    • Administration (Aircompressor): CVE-2024-36114 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Administration (Apache Commons IO): CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle REST Data Services.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle REST Data Services.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle REST Data Services
    • General (Apache Commons IO): CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains 1 new security patch, plus additional third party patches noted below, for Oracle Secure Backup.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2025-21578 Oracle Secure Backup General None No 6.7 Local Low High None Unchanged High High High 12.1.0.1, 12.1.0.2, 12.1.0.3, 18.1.0.0, 18.1.0.1, 18.1.0.2

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Secure Backup
    • Oracle Secure Backup (PHP): CVE-2024-11236, CVE-2024-11233 and CVE-2024-11234 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle SQL Developer Risk Matrix

This Critical Patch Update contains no new security patches for exploitable vulnerabilities but does include third party patches, noted below, for the following non-exploitable third party CVEs for Oracle SQL Developer.  Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle SQL Developer.  The English text form of this Risk Matrix can be found here.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle SQL Developer
    • Install (Apache Commons IO): CVE-2024-47554 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle TimesTen In-Memory Database.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2025-24970 Oracle TimesTen In-Memory Database EM TimesTen plug-in (Netty) TLS Yes 7.5 Network Low None None Unchanged None None High 22.1.1.1.0-22.1.1.30.0
CVE-2024-47554 Oracle TimesTen In-Memory Database EM TimesTen plug-in (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 22.1.1.1.0-22.1.1.30.0

Additional CVEs addressed are:

  • The patch for CVE-2025-24970 also addresses CVE-2025-25193.

 

Oracle Commerce Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Commerce.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2025-24813 Oracle Commerce Guided Search Content Acquisition System (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 11.3.2, 11.4.0
CVE-2021-23450 Oracle Commerce Merchandising Asset Manager (dojo) HTTP Yes 9.8 Network Low None None Unchanged High High High 11.3.0, 11.3.1, 11.3.2
CVE-2024-38819 Oracle Commerce Guided Search Content Acquisition System (Spring Framework) HTTP Yes 7.5 Network Low None None Unchanged High None None 11.3.2, 11.4.0
CVE-2024-45613 Oracle Commerce Platform Platform (CKEditor) HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.3.0, 11.3.1, 11.3.2, 11.4.0
CVE-2025-21576 Oracle Commerce Platform Dynamo Personalization Server HTTP No 5.4 Network Low Low Required Changed Low Low None 11.3.0, 11.3.1, 11.3.2
CVE-2023-51074 Oracle Commerce Guided Search Content Acquisition System (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 11.3.2, 11.4.0

Additional CVEs addressed are:

  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 42 new security patches for Oracle Communications Applications.  35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-52046 Oracle Communications Network Integrity FileTransferJCA, VPLS Cartridge, TL1 Cartridge (Apache Mina) HTTP Yes 9.8 Network Low None None Unchanged High High High 7.3.6, 7.4.0, 7.5.0
CVE-2024-52046 Oracle Communications Unified Assurance Core (Apache Mina) HTTP Yes 9.8 Network Low None None Unchanged High High High 6.0-6.1
CVE-2025-24813 Oracle Communications Unified Assurance Core (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 6.0-6.1
CVE-2024-40896 Oracle Communications Unified Assurance Core (libxml2) HTTP Yes 9.1 Network Low None None Unchanged None High High 6.0-6.1
CVE-2025-24970 Oracle Communications Billing and Revenue Management Security (Netty) TCP Yes 7.5 Network Low None None Unchanged None None High 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0
CVE-2025-24970 Oracle Communications Messaging Server Security (Netty) TCP Yes 7.5 Network Low None None Unchanged None None High 8.1.0.26.0
CVE-2024-28168 Oracle Communications MetaSolv Solution Print Preview (Apache FOP) HTTP Yes 7.5 Network Low None None Unchanged High None None 6.3.1
CVE-2025-24970 Oracle Communications Network Charging and Control REST (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.0.6.0.0, 15.0.0.0.0, 15.0.1.0.0
CVE-2025-24970 Oracle Communications Order and Service Management Security (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.5.0
CVE-2024-57699 Oracle Communications Order and Service Management Security (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.5.0
CVE-2025-24970 Oracle Communications Pricing Design Center REST Services Manager (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0
CVE-2025-24970 Oracle Communications Service Catalog and Design Solution Designer (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 8.0.0.4.0, 8.1.0.2.0
CVE-2024-43709 Oracle Communications Unified Assurance Core (Elasticsearch) HTTP Yes 7.5 Network Low None None Unchanged None None High 6.0
CVE-2025-24970 Oracle Communications Unified Assurance Core (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 6.0-6.1
CVE-2024-38819 Oracle Communications Unified Assurance Core (Spring Framework) HTTP Yes 7.5 Network Low None None Unchanged High None None 6.0-6.1
CVE-2024-7254 Oracle Communications Unified Inventory Management Security (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.4.0-7.4.2, 7.5.0-7.5.1
CVE-2024-47072 Oracle Communications Unified Inventory Management Security (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.4.0-7.4.2, 7.5.0, 7.5.1, 7.6.0, 7.7.0
CVE-2024-57699 Oracle Communications Unified Inventory Management Security (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 7.5.1, 7.6.0, 7.7.0
CVE-2024-12798 Oracle Communications Service Catalog and Design Solution Designer (logback) None No 6.6 Local High Low Required Changed Low High Low 8.0.0.4.0, 8.1.0.2.0
CVE-2023-5388 Oracle Communications Messaging Server Security (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 8.1.0.26.0
CVE-2024-31141 Oracle Communications Unified Assurance Microservices (Apache Kafka) HTTP No 6.5 Network Low Low None Unchanged High None None 6.0-6.1
CVE-2023-5388 Oracle Communications Unified Assurance Core (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 6.0-6.1
CVE-2024-50602 Oracle Communications Unified Assurance Core (LibExpat) HTTP Yes 5.9 Network High None None Unchanged None None High 6.0-6.1
CVE-2024-35195 Oracle Communications Billing and Revenue Management Platform (requests) None No 5.6 Local High High Required Unchanged High High None 12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0
CVE-2025-23084 Oracle Communications Unified Assurance Core (Node.js) None No 5.6 Local Low Low Required Unchanged High Low None 6.0-6.1
CVE-2024-53122 Oracle Communications Billing and Revenue Management Connection Manager (Python) None No 5.5 Local Low Low None Unchanged None None High 15.0.1.0.0
CVE-2025-30729 Oracle Communications Order and Service Management Security HTTP No 5.5 Network Low Low Required Unchanged Low Low Low 7.4.0, 7.4.1, 7.5.0
CVE-2023-49582 Oracle Communications Unified Assurance Core (Apache Portable Runtime) None No 5.5 Local Low Low None Unchanged High None None 6.0-6.1
CVE-2024-34064 Oracle Communications Unified Assurance Core (Jinja) HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 6.0-6.1
CVE-2024-56128 Oracle Communications Billing and Revenue Management Platform (Apache Kafka) HTTP Yes 5.3 Network Low None None Unchanged Low None None 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0
CVE-2023-51074 Oracle Communications Order and Service Management Security (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 7.5.0
CVE-2023-51074 Oracle Communications Unified Inventory Management Infrastructure (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 7.5.1
CVE-2024-56128 Oracle Communications Unified Inventory Management Security (Apache Kafka) HTTP Yes 5.3 Network Low None None Unchanged Low None None 7.5.1, 7.6.0, 7.7.0
CVE-2024-43796 Oracle Communications Unified Assurance User Interface (Express.js) HTTP Yes 4.7 Network High None Required Changed Low Low None 6.0-6.1
CVE-2024-47554 Oracle Communications Billing and Revenue Management Security (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0-15.0.1.0.0
CVE-2024-47554 Oracle Communications Messaging Server Security (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 8.1.0.26.0
CVE-2024-47554 Oracle Communications MetaSolv Solution JSP Pages (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 6.3.1
CVE-2024-47554 Oracle Communications Order and Service Management Security (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 7.5.0, 7.4.1, 7.4.0
CVE-2024-47554 Oracle Communications Pricing Design Center On-premise Deployment (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0, 15.0.1.0.0
CVE-2024-47554 Oracle Communications Unified Assurance Core (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 6.0-6.1
CVE-2024-47554 Oracle Communications Unified Inventory Management Security (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 7.4.1, 7.4.2, 7.5.0, 7.5.1
CVE-2024-11053 Oracle Communications Unified Assurance Core (curl) HTTP Yes 3.4 Network High None Required Changed Low None None 6.0-6.1

Additional CVEs addressed are:

  • The patch for CVE-2024-12798 also addresses CVE-2024-12801.
  • The patch for CVE-2025-24970 also addresses CVE-2025-25193.
  • The patch for CVE-2025-23084 also addresses CVE-2025-23083 and CVE-2025-23085.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 

Oracle Communications Risk Matrix

This Critical Patch Update contains 103 new security patches, plus additional third party patches noted below, for Oracle Communications.  82 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE ID Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS VERSION 3.1 RISK sub-columns: Base Score, Attack Vector, Attack Complex, Privs Req'd, User Interact, Scope, Confidentiality, Integrity, Availability
CVE-2024-56337 Management Cloud Engine BEServer (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 24.3.0
CVE-2024-52046 Management Cloud Engine BEServer (Apache Mina SSHD) SSH Yes 9.8 Network Low None None Unchanged High High High 24.3.0
CVE-2024-56337 Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 24.2.0
CVE-2025-1974 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (Ingress NGINX Controller) TCP Yes 9.8 Network Low None None Unchanged High High High 24.2.5
CVE-2025-24813 Oracle Communications Element Manager Web UI (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 9.0.0-9.0.3
CVE-2025-24813 Oracle Communications Policy Management Configuration Management Platform (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 15.0.0.0.0
CVE-2025-24813 Oracle Communications Session Report Manager Web UI (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 9.0.0-9.0.3
CVE-2025-24813 Oracle SD-WAN Edge Internal Tools (Apache Tomcat) HTTP Yes 9.8 Network Low None None Unchanged High High High 9.1.1.9
CVE-2024-40896 Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (libxml2) HTTP Yes 9.1 Network Low None None Unchanged None High High 24.2.0
CVE-2024-40896 Oracle Communications Cloud Native Core Unified Data Repository Install (libxml2) HTTP Yes 9.1 Network Low None None Unchanged None High High 25.1.100
CVE-2024-5535 Oracle Communications Session Border Controller Routing (OpenSSL) HTTPS Yes 9.1 Network Low None None Unchanged High None High 9.2.0, 9.3.0, 10.0.0
CVE-2024-5535 Oracle Enterprise Communications Broker Routing (OpenSSL) TLS Yes 9.1 Network Low None None Unchanged High None High 4.1.0, 4.2.0
CVE-2024-25638 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (dnsjava) HTTP Yes 8.9 Network High None None Changed High High Low 24.1.0
CVE-2024-43044 Oracle Communications Policy Management Configuration Management Platform (Jenkins) HTTP No 8.8 Network Low Low None Unchanged High High High 15.0.0.0.0
CVE-2025-27516 Oracle Communications Cloud Native Core Binding Support Function Alarms, KPI, and Measurements (Jinja) None No 7.8 Local Low Low None Unchanged High High High 24.2.0-24.2.2
CVE-2025-24928 Oracle Communications Cloud Native Core DBTier Configuration (libxml2) None No 7.8 Local High None None Changed High High None 24.2.4
CVE-2025-27516 Oracle Communications Cloud Native Core Network Function Cloud Native Environment Configuration (Jinja) None No 7.8 Local Low Low None Unchanged High High High 24.2.5
CVE-2025-27516 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Jinja) None No 7.8 Local Low Low None Unchanged High High High 24.2.0-24.2.4
CVE-2024-7254 Oracle Communications Cloud Native Core Binding Support Function Install (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.2
CVE-2024-1135 Oracle Communications Cloud Native Core Binding Support Function Install (Gunicorn) HTTP Yes 7.5 Network Low None None Unchanged None High None 24.2.0-24.2.2
CVE-2025-24970 Oracle Communications Cloud Native Core Binding Support Function Install (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.2
CVE-2024-47072 Oracle Communications Cloud Native Core Binding Support Function Install (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.2
CVE-2024-57699 Oracle Communications Cloud Native Core Binding Support Function Install (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.2
CVE-2025-24970 Oracle Communications Cloud Native Core Certificate Management Configuration (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.2
CVE-2025-24970 Oracle Communications Cloud Native Core Console Configuration (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.2
CVE-2024-52303 Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (AIOHTTP) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0
CVE-2024-38819 Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (Spring Framework) HTTP Yes 7.5 Network Low None None Unchanged High None None 24.2.0
CVE-2024-47072 Oracle Communications Cloud Native Core Network Data Analytics Function Automated Test Suite (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0
CVE-2024-7254 Oracle Communications Cloud Native Core Network Repository Function Configuration (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3
CVE-2025-24970 Oracle Communications Cloud Native Core Network Repository Function Configuration (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3
CVE-2023-5685 Oracle Communications Cloud Native Core Network Repository Function Configuration (XNIO) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3
CVE-2024-47072 Oracle Communications Cloud Native Core Network Repository Function Configuration (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3
CVE-2024-1135 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Gunicorn) HTTP Yes 7.5 Network Low None None Unchanged None High None 24.2.0-24.2.4
CVE-2025-24970 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.4
CVE-2024-47072 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.4
CVE-2024-21538 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (cross-spawn) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.4
CVE-2024-57699 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0-24.2.4
CVE-2024-7254 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.2, 24.3.0
CVE-2024-57699 Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3
CVE-2025-24970 Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (Netty) HTTP/2 Yes 7.5 Network Low None None Unchanged None None High 24.2.3
CVE-2024-49767 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (Werkzeug) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.0, 24.3.0
CVE-2024-57699 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3, 25.1.100
CVE-2024-47072 Oracle Communications Cloud Native Core Unified Data Repository Automated Test Suite Framework (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 25.1.100
CVE-2025-24970 Oracle Communications Cloud Native Core Unified Data Repository Install (Netty) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.2.3, 25.1.100
CVE-2025-23184 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Apache CXF) HTTP Yes 7.5 Network Low None None Unchanged None None High 25.1.100
CVE-2024-28168 Oracle Communications EAGLE Element Management System Security (Apache FOP) HTTP Yes 7.5 Network Low None None Unchanged High None None 46.6
CVE-2024-38819 Oracle Communications Element Manager Security (Spring Framework) HTTP Yes 7.5 Network Low None None Unchanged High None None 9.0.0, 9.0.1, 9.0.2, 9.0.3
CVE-2024-49767 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (Werkzeug) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.1.0-24.3.0
CVE-2024-47072 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.1.0-24.3.0
CVE-2024-57699 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (json-smart) HTTP Yes 7.5 Network Low None None Unchanged None None High 24.1.0-24.3.0
CVE-2024-52303 Oracle Communications Operations Monitor Mediation Engine (AIOHTTP) HTTPS Yes 7.5 Network Low None None Unchanged None None High 5.2
CVE-2024-28168 Oracle Communications Policy Management Configuration Management Platform (Apache FOP) HTTP Yes 7.5 Network Low None None Unchanged High None None 15.0.0.0.0
CVE-2024-47072 Oracle Communications Policy Management Configuration Management Platform (XStream) HTTP Yes 7.5 Network Low None None Unchanged None None High 15.0.0.0.0
CVE-2024-4227 Oracle Communications Policy Management Configuration Management Platform (gSOAP) HTTP Yes 7.5 Network Low None None Unchanged None None High 15.0.0.0.0
CVE-2024-4227 Oracle Communications User Data Repository Platform (gSOAP) HTTP Yes 7.5 Network Low None None Unchanged None None High 15.0.0, 15.0.1, 15.0.2
CVE-2024-7254 Oracle Communications User Data Repository Security (Google Protobuf-Java) HTTP Yes 7.5 Network Low None None Unchanged None None High 15.0.0, 15.0.1, 15.0.2
CVE-2024-38819 Oracle SD-WAN Edge Internal Tools (Spring Framework) HTTP Yes 7.5 Network Low None None Unchanged High None None 9.1.1.9
CVE-2024-28219 Oracle Communications Policy Management Configuration Management Platform (Pillow) None No 6.7 Local High Low Required Unchanged High High High 15.0.0.0.0
CVE-2023-5388 Oracle Communications Cloud Native Core Binding Support Function Install (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 24.2.0-24.2.2
CVE-2023-5388 Oracle Communications Cloud Native Core Network Repository Function Configuration (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 24.2.3
CVE-2023-5388 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 24.2.0-24.2.4
CVE-2023-5388 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 24.1.0-24.3.0
CVE-2023-5388 Oracle Communications Policy Management Configuration Management Platform (NSS) HTTPS Yes 6.5 Network Low None None Unchanged Low None Low 15.0.0.0.0
CVE-2024-12797 Oracle Communications Cloud Native Core DBTier Configuration (Cryptography) HTTP Yes 6.3 Network Low None Required Unchanged Low Low Low 24.2.3, 24.3.0
CVE-2024-12797 Oracle Communications Cloud Native Core Security Edge Protection Proxy Signaling (Cryptography) HTTP Yes 6.3 Network Low None Required Unchanged Low Low Low 24.2.3
CVE-2025-27789 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Babel) None No 6.2 Local Low None None Unchanged None None High 24.2.0-24.2.4
CVE-2024-50602 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (LibExpat) HTTP Yes 5.9 Network High None None Unchanged None None High 24.2.0, 25.1.100
CVE-2024-50602 Oracle Communications Network Analytics Data Director Configuration (LibExpat) HTTP Yes 5.9 Network High None None Unchanged None None High 24.1.0-24.3.0
CVE-2024-50602 Oracle Communications User Data Repository Platform (LibExpat) HTTP Yes 5.9 Network High None None Unchanged None None High 14.0.0, 15.0.0, 15.0.1
CVE-2024-35195 Oracle Communications Cloud Native Core Network Repository Function Configuration (requests) None No 5.6 Local High High Required Unchanged High High None 24.2.3
CVE-2024-35195 Oracle Communications Policy Management Configuration Management Platform (requests) None No 5.6 Local High High Required Unchanged High High None 15.0.0.0.0
CVE-2023-49582 Oracle Communications Cloud Native Core Network Repository Function Configuration (Apache Portable Runtime) None No 5.5 Local Low Low None Unchanged High None None 24.2.3
CVE-2023-49582 Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite Framework (Apache Portable Runtime) None No 5.5 Local Low Low None Unchanged High None None 24.2.3
CVE-2023-49582 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (Apache Portable Runtime) None No 5.5 Local Low Low None Unchanged High None None 24.2.0, 24.3.0
CVE-2023-49582 Oracle Communications Cloud Native Core Unified Data Repository Automated Test Suite Framework (Apache Portable Runtime) None No 5.5 Local Low Low None Unchanged High None None 25.1.100
CVE-2024-34064 Oracle Communications Cloud Native Core Network Repository Function Configuration (Jinja) HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 24.2.3
CVE-2024-34064 Oracle Communications Diameter Signaling Router Web UI (Jinja) HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 9.0.0.0
CVE-2024-34064 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (Jinja) HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 24.1.0
CVE-2024-28834 Management Cloud Engine BEServer (GnuTLS) HTTP No 5.3 Network High Low None Unchanged High None None 24.3.0
CVE-2023-51074 Oracle Communications Cloud Native Core Network Repository Function Configuration (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 24.2.3
CVE-2023-51074 Oracle Communications Cloud Native Core Security Edge Protection Proxy Configuration (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 24.2.2
CVE-2023-51074 Oracle Communications Cloud Native Core Service Communication Proxy Signaling (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 24.2.0, 24.3.0
CVE-2024-6763 Oracle Communications Element Manager Security (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged None Low None 9.0.0, 9.0.1, 9.0.2, 9.0.3
CVE-2023-51074 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (JsonPath) HTTP Yes 5.3 Network Low None None Unchanged None None Low 24.1.0-24.3.0
CVE-2024-56128 Oracle Communications Network Analytics Data Director Security (Apache Kafka) HTTP Yes 5.3 Network Low None None Unchanged Low None None 24.1.0-24.3.0
CVE-2024-28834 Oracle Communications Policy Management Configuration Management Platform (GnuTLS) HTTP No 5.3 Network High Low None Unchanged High None None 15.0.0.0.0
CVE-2024-6763 Oracle Communications Session Report Manager Security (Eclipse Jetty) HTTP Yes 5.3 Network Low None None Unchanged None Low None 9.0.0, 9.0.1, 9.0.2, 9.0.3
CVE-2024-38827 Oracle Communications Cloud Native Core Network Repository Function Configuration (Spring Security) HTTP Yes 4.8 Network High None None Unchanged Low Low None 24.2.3
CVE-2024-38827 Oracle SD-WAN Edge Internal Tools (Spring Security) HTTP Yes 4.8 Network High None None Unchanged Low Low None 9.1.1.9
CVE-2024-37891 Oracle Communications Cloud Native Core Network Repository Function Configuration (urllib3) HTTP No 4.4 Network High High None Unchanged High None None 24.2.3
CVE-2024-37891 Oracle Communications Cloud Native Core Security Edge Protection Proxy Automated Test Suite Framework (urllib3) TCP No 4.4 Network High High None Unchanged High None None 24.2.3
CVE-2024-37891 Oracle Communications Cloud Native Core Service Communication Proxy Install (urllib3) HTTP No 4.4 Network High High None Unchanged High None None 24.2.0, 24.3.0
CVE-2024-37891 Oracle Communications Diameter Signaling Router Automated Test Suite Framework (urllib3) HTTP No 4.4 Network High High None Unchanged High None None 9.0.0.0
CVE-2024-47554 Oracle Communications Cloud Native Core Binding Support Function Install (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 24.2.0-24.2.2
CVE-2024-47554 Oracle Communications Cloud Native Core Console Configuration (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 24.2.2
CVE-2024-47554 Oracle Communications Cloud Native Core Network Repository Function Configuration (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 24.2.3
CVE-2025-31721 Oracle Communications Cloud Native Core Network Repository Function Configuration (Jenkins) HTTP No 4.3 Network Low Low None Unchanged Low None None 24.2.3
CVE-2024-47554 Oracle Communications Cloud Native Core Policy Alarms, KPI, and Measurements (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 24.2.0-24.2.4
CVE-2024-47554 Oracle Communications Cloud Native Core Security Edge Protection Proxy Install (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 24.2.3
CVE-2025-31721 Oracle Communications Cloud Native Core Unified Data Repository Signaling (Jenkins) HTTP No 4.3 Network Low Low None Unchanged Low None None 22.4.0, 23.1.0-23.4.0
CVE-2024-47554 Oracle Communications Diameter Signaling Router Automated Test Suite (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 9.0.0.0
CVE-2024-47554 Oracle Communications Network Analytics Data Director Automated Test Suite Framework (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 24.1.0, 24.2.0, 24.3.0
CVE-2024-47554 Oracle Communications Policy Management Configuration Management Platform (Apache Commons IO) HTTP Yes 4.3 Network Low None Required Unchanged None None Low 15.0.0.0.0

Additional CVEs addressed are:

  • The patch for CVE-2024-56337 also addresses CVE-2024-50379.
  • The patch for CVE-2024-43044 also addresses CVE-2024-43045.
  • The patch for CVE-2025-24928 also addresses CVE-2024-56171 and CVE-2025-27113.
  • The patch for CVE-2024-28834 also addresses CVE-2024-28835.
  • The patch for CVE-2025-27516 also addresses CVE-2024-56326.
  • The patch for CVE-2025-24970 also addresses CVE-2025-25193.
  • The patch for CVE-2025-27516 also addresses CVE-2024-56201.
  • The patch for CVE-2025-31721 also addresses CVE-2025-31720.
  • The patch for CVE-2025-24970 also addresses CVE-2024-47535.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.
  • The patch for CVE-2024-5535 also addresses CVE-2024-6119.
  • The patch for CVE-2024-56337 also addresses CVE-2024-54677.
  • The patch for CVE-2024-38819 also addresses CVE-2024-38816.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Management Cloud Engine
    • BEServer (Spring Framework): CVE-2024-38819 and CVE-2024-38816 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Cloud Native Core Binding Support Function
    • Alarms, KPI, and Measurements (Apache Tomcat): CVE-2024-56337 and CVE-2024-50379 [VEX Justification: inline_mitigations_already_exist].
  • Oracle Communications Cloud Native Core DBTier
    • Configuration (Apache Tomcat): CVE-2025-24813 [VEX Justification: inline_mitigations_already_exist].
    • Configuration (Netty): CVE-2025-24970 and CVE-2025-25193 [VEX Justification: inline_mitigations_already_exist].
    • Configuration (Spring Security): CVE-2025-22228 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment
    • Configuration (Golang Go): CVE-2024-45337 and CVE-2024-45338 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Cloud Native Core Policy
    • Alarms, KPI, and Measurements (Apache Tomcat): CVE-2024-56337 and CVE-2024-50379 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].
    • Alarms, KPI, and Measurements (Apache Xalan-Java): CVE-2022-34169 [VEX Justification: vulnerable_code_not_in_execute_path].
  • Oracle Communications Element Manager
    • Oracle Java SE: CVE-2025-21502 [VEX Justification: vulnerable_code_not_present].
  • Oracle SD-WAN Aware
    • Internal Tools (PHP): CVE-2024-11236, CVE-2024-11233 and CVE-2024-11234 [VEX Justification: vulnerable_code_not_present].
  • Oracle SD-WAN Edge
    • Internal Tools (urllib3): CVE-2024-37891 [VEX Justification: vulnerable_code_not_in_execute_path].
    • Internal Tools (NSS): CVE-2023-5388 [VEX Justification: vulnerable_code_not_present].
    • Internal Tools (OpenSSH): CVE-2025-26465 and CVE-2025-26466 [VEX Justification: vulnerable_code_not_present].
    • Internal Tools (Apache Portable Runtime): CVE-2023-49582 [VEX Justification: vulnerable_code_not_present].

 

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Construction and Engineering.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-7254 | Primavera Gateway | Admin (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.12.0-20.12.17, 21.12.0-21.12.15 |
CVE-2024-57699 | Primavera Gateway | Admin (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.12.0-20.12.17, 21.12.0-21.12.15 |
CVE-2024-38819 | Primavera Unifier | Document Management (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 |
CVE-2024-57699 | Primavera Unifier | Platform (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 |
CVE-2025-23184 | Primavera P6 Enterprise Project Portfolio Management | Integrators (Apache CXF) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 22.12.0-22.12.18, 23.12.0-23.12.13, 24.12.0-24.12.2 |
CVE-2024-49771 | Primavera Unifier | Platform (MPXJ) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.13, 24.12.0-24.12.3 |
CVE-2024-47554 | Primavera Gateway | Admin (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 20.12.0-20.12.17, 21.12.0-21.12.15 |

Additional CVEs addressed are:

  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 16 new security patches for Oracle E-Business Suite.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2025 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (April 2025), My Oracle Support Note 2484000.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-30727 | Oracle Scripting | iSurvey Module | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 |
CVE-2025-30730 | Oracle Application Object Library | Core | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.5-12.2.14 |
CVE-2025-30716 | Oracle Common Applications | CRM User Management Framework | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 |
CVE-2025-30728 | Oracle Configurator | Core | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 |
CVE-2025-30707 | Oracle iStore | User Management | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 |
CVE-2025-30708 | Oracle User Management | Search and Register Users | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.4-12.2.14 |
CVE-2025-30692 | Oracle iSupplier Portal | Attachments | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.2.7-12.2.14 |
CVE-2025-30717 | Oracle Teleservice | Service Diagnostics Scripts | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.2.3-12.2.14 |
CVE-2025-30732 | Oracle Application Object Library | Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.14 |
CVE-2025-30720 | Oracle Configurator | Orders | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.14 |
CVE-2025-21582 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.3-12.2.14 |
CVE-2025-30711 | Oracle Applications Framework | Attachments, File Upload | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 12.2.3-12.2.14 |
CVE-2025-30718 | Oracle Applications Framework | Attachments, File Upload | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 12.2.3-12.2.14 |
CVE-2025-30726 | Oracle Application Object Library | Core | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.2.3-12.2.14 |
CVE-2024-38828 | Oracle Enterprise Command Center Framework | ECC Core (Spring MVC) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | ECC:12-13 |
CVE-2025-30731 | Oracle Applications Technology Stack | Configuration | None | No | 3.6 | Local | High | None | Required | Unchanged | Low | Low | None | 12.2.3-12.2.14 |

 

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Enterprise Manager.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2025 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2025 Patch Availability Document for Oracle Products, My Oracle Support Note 3070733.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-45047 | Oracle Enterprise Manager Base Platform | Agent Next Gen (Apache Mina SSHD) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.5.0.0.0, 24.1.0.0.0 |
CVE-2024-52046 | Oracle Enterprise Manager Base Platform | Agent Next Gen (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.5.0.0.0, 24.1.0.0.0 |
CVE-2024-57699 | Oracle Application Testing Suite | Load Testing for Web Apps (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.3.0.1 |
CVE-2023-1370 | Oracle Enterprise Manager Base Platform | Agent Next Gen (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.5.0.0.0, 24.1.0.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2023-1370 also addresses CVE-2021-31684.
  • The patch for CVE-2024-52046 also addresses CVE-2023-35887.

 

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 34 new security patches, plus additional third party patches noted below, for Oracle Financial Services Applications.  22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-56337 | Oracle Financial Services Model Management and Governance | Installer (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.2.7.0 |
CVE-2023-39410 | Oracle Banking APIs | IDM Authentication (Apache Avro) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-28168 | Oracle Banking APIs | IDM Authentication (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2025-24970 | Oracle Banking APIs | IDM Authentication (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-47072 | Oracle Banking APIs | IDM Authentication (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-57699 | Oracle Banking APIs | IDM Authentication (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-28168 | Oracle Banking Digital Experience | User Interface (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2025-24970 | Oracle Banking Digital Experience | User Interface (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-57699 | Oracle Banking Digital Experience | User Interface (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-38819 | Oracle Financial Services Analytical Applications Infrastructure | Platform (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.1.2.5, 8.1.1.4, 8.0.8.6, 8.0.7.8 |
CVE-2024-57699 | Oracle Financial Services Analytical Applications Infrastructure | Platform (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.1.2.5, 8.1.1.4, 8.0.8.6, 8.0.7.8 |
CVE-2024-28168 | Oracle Financial Services Revenue Management and Billing | Installer (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 2.9.0.0.0-7.0.0.0.0 |
CVE-2024-28219 | Oracle Banking Corporate Lending Process Management | Base (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-28219 | Oracle Banking Origination | Maintenance (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-28219 | Oracle Banking Origination | Onboarding Batch Processes (Pillow) | None | No | 6.7 | Local | High | Low | Required | Unchanged | High | High | High | 14.5.0.0.0-14.7.0.0.0 |
CVE-2025-21573 | Oracle Financial Services Revenue Management and Billing | Chatbot | HTTP | No | 6.0 | Network | High | High | Required | Unchanged | High | High | Low | 5.1.0.0.0, 6.1.0.0.0, 7.0.0.0.0 |
CVE-2025-23184 | Oracle Banking Digital Experience | User Interface (Apache CXF) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-35195 | Oracle Banking Corporate Lending Process Management | Base (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-35195 | Oracle Banking Origination | Maintenance (requests) | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 14.5.0.0.0-14.7.0.0.0 |
CVE-2023-49582 | Oracle Financial Services Behavior Detection Platform | Platform (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.1.2.8, 8.1.2.9, 8.0.8.1 |
CVE-2023-49582 | Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition | Platform (Apache Portable Runtime) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.0.8 |
CVE-2024-56128 | Oracle Banking APIs | IDM Authentication (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-56128 | Oracle Banking Digital Experience | User Interface (Apache Kafka) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 22.1.0.0.0, 22.2.0.0.0 |
CVE-2021-28170 | Oracle Banking Liquidity Management | Common Core (Jakarta Expression Language) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.7.0.7.0 |
CVE-2024-38820 | Oracle Banking Liquidity Management | Infrastructure (Spring Framework) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14.7.0.7.0 |
CVE-2024-38827 | Oracle Financial Services Model Management and Governance | Installer (Spring Security) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 8.1.2.7.0 |
CVE-2024-5206 | Oracle Financial Services Compliance Studio | Reports (scikit-learn) | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.1.2.9 |
CVE-2024-37891 | Oracle Banking Corporate Lending Process Management | Base (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-37891 | Oracle Banking Origination | Configuration and Maintenance (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 14.5.0.0.0-14.7.0.0.0 |
CVE-2024-37891 | Oracle Financial Services Compliance Studio | Reports (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 8.1.2.9 |
CVE-2024-47554 | Oracle Banking APIs | IDM Authentication (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-47554 | Oracle Banking Digital Experience | User Interface (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0 |
CVE-2024-47554 | Oracle Financial Services Analytical Applications Infrastructure | Platform (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.1.2.5, 8.1.1.4, 8.0.8.6, 8.0.7.8 |
CVE-2024-47554 | Oracle Financial Services Model Management and Governance | Installer (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.1.2.7.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.
  • The patch for CVE-2025-24970 also addresses CVE-2025-25193.
  • The patch for CVE-2024-38820 also addresses CVE-2024-38816.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Banking APIs
    • IDM Authentication (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Food and Beverage Applications.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-30686 | Oracle Hospitality Simphony | EMC | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 19.1-19.7 |
CVE-2023-26464 | Oracle Hospitality Reporting and Analytics | Installation (Apache Log4j) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 9.1.34-9.1.36 |
CVE-2023-51441 | Oracle Hospitality Reporting and Analytics | Reporting (Apache Axis) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 9.1.34-9.1.36 |

Additional CVEs addressed are:

  • The patch for CVE-2023-51441 also addresses CVE-2023-40743.

 

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 31 new security patches for Oracle Fusion Middleware.  26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

To get the full list of current and previously released Critical Patch Update patches for Oracle Fusion Middleware products, refer to My Oracle Support Doc ID 2806740.2.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-52046 | Oracle Access Manager | Proxy (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2024-52046 | Oracle Business Process Management Suite | Runtime Engine (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2024-38476 | Oracle HTTP Server | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2024-52046 | Oracle Managed File Transfer | Runtime Server (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2024-56337 | Oracle Managed File Transfer | Runtime Server (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2024-47561 | Oracle SOA Suite | Rest Converters (Apache Avro) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.2.0.0 |
CVE-2024-40896 | Oracle HTTP Server | Core (libxml2) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2024-11053 | Oracle HTTP Server | Mod_Security (curl) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2020-13936 | Oracle WebLogic Server | Centralized Thirdparty Jars (Apache Velocity Engine) | Multiple | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.1.4.0, 14.1.1.0.0 |
CVE-2025-27363 | Oracle Outside In Technology | DC-Specific Component (FreeType) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.5.7 |
CVE-2024-28168 | Oracle Business Process Management Suite | Plugins (Apache FOP) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2025-24970 | Oracle Coherence | Third Party (Netty) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 |
CVE-2024-7254 | Oracle Fusion Middleware MapViewer | Install (Google Protobuf-Java) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2023-26464 | Oracle JDeveloper | Generic (Apache Log4j) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2020-25649 | Oracle Managed File Transfer | Runtime Server (jackson-databind) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 12.2.1.4.0 |
CVE-2024-29857 | Oracle SOA Suite | Adapters (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2025-23184 | Oracle WebCenter Forms Recognition | Learnset Manager (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 14.1.1.0.0 |
CVE-2024-47072 | Oracle WebCenter Portal | Discussion Forums (XStream) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2024-47561 | Oracle Business Process Management Suite | Composer, Third Party (Apache Avro) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.4.0 |
CVE-2024-11612 | Oracle Outside In Technology | Build (7-Zip) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 8.5.7 |
CVE-2024-50602 | Oracle HTTP Server | Mod_Security (LibExpat) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2024-50602 | Oracle Outside In Technology | DC-Specific Component (LibExpat) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.5.7 |
CVE-2024-25710 | Oracle Business Process Management Suite | Composer, Common (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2024-25710 | Oracle Data Integrator | Security (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2024-25710 | Oracle JDeveloper | Generic (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2024-47554 | Oracle Business Activity Monitoring | Server, Composer (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 14.1.2.0.0 |
CVE-2024-47554 | Oracle Fusion Middleware MapViewer | Core (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0 |
CVE-2024-9143 | Oracle HTTP Server | Mod_Security (OpenSSL) | TLS | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2024-47554 | Oracle Service Bus | Workshop (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0 |
CVE-2024-47554 | Oracle SOA Suite | Rest Converters (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.1.4.0, 14.1.2.0.0 |
CVE-2024-47554 | Oracle WebCenter Forms Recognition | Learnset Manager (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 14.1.1.0.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-25710 also addresses CVE-2024-26308.
  • The patch for CVE-2024-9143 also addresses CVE-2024-13176.
  • The patch for CVE-2024-11053 also addresses CVE-2024-9681.
  • The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.
  • The patch for CVE-2024-38476 also addresses CVE-2024-38474, CVE-2024-39573, CVE-2024-39884, and CVE-2024-40725.
  • The patch for CVE-2025-27363 also addresses CVE-2025-23022.
  • The patch for CVE-2025-24970 also addresses CVE-2025-25193.
  • The patch for CVE-2020-25649 also addresses CVE-2020-36518, CVE-2021-46877, CVE-2022-42003, CVE-2022-42004, and CVE-2023-35116.

 

Oracle Analytics Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle Analytics.  11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-52046 | Oracle Business Intelligence Enterprise Edition | Platform Security (Apache Mina) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2023-24998 | Oracle BI Publisher | Development Operations (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0, 12.2.1.4.0 |
CVE-2025-30724 | Oracle BI Publisher | XML Services | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 7.6.0.0.0, 12.2.1.4.0 |
CVE-2024-32007 | Oracle Business Intelligence Enterprise Edition | Analytics Server, Client Installer (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0, 12.2.1.4.0 |
CVE-2023-52428 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Nimbus JOSE+JWT) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0 |
CVE-2024-30172 | Oracle Business Intelligence Enterprise Edition | Platform Security (Bouncy Castle Java Library) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.6.0.0.0 |
CVE-2024-7264 | Oracle Business Intelligence Enterprise Edition | Platform Security (curl) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 7.6.0.0.0 |
CVE-2022-36033 | Oracle Business Intelligence Enterprise Edition | Platform Security (jsoup) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.4.0 |
CVE-2023-25399 | Oracle Business Intelligence Enterprise Edition | Pipeline Test Failures (SciPy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 7.6.0.0.0 |
CVE-2025-30723 | Oracle BI Publisher | XML Services | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | None | Low | Low | 7.6.0.0.0, 12.2.1.4.0 |
CVE-2024-38820 | Oracle BI Publisher | Development Operations (Spring Framework) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 7.6.0.0.0 |
CVE-2024-38827 | Oracle Business Intelligence Enterprise Edition | Analytics Server, Pipeline Test Failures, Installation (Spring Framework) | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.1.4.0 |
CVE-2024-37891 | Oracle Business Intelligence Enterprise Edition | Machine Learning (urllib3) | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 7.6.0.0.0 |
CVE-2024-9143 | Oracle Business Intelligence Enterprise Edition | FNDN (OpenSSL) | TLS | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 7.6.0.0.0, 12.2.1.4.0 |
CVE-2023-38546 | Oracle Business Intelligence Enterprise Edition | Platform Security (libcurl) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 12.2.1.4.0 |

Additional CVEs addressed are:

  • The patch for CVE-2022-36033 also addresses CVE-2021-37714.
  • The patch for CVE-2024-32007 also addresses CVE-2024-29736.
  • The patch for CVE-2023-52428 also addresses CVE-2023-44487.
  • The patch for CVE-2024-52046 also addresses CVE-2021-41973.

 

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hospitality Applications.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-52316 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Apache Tomcat) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 23.2.1 |
CVE-2024-47535 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Netty) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 23.2.1 |
CVE-2024-47554 | Oracle Hospitality Cruise Shipboard Property Management System | Next-Gen SPMS (Apache Commons IO) | HTTPS | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 23.2.1 |

Additional CVEs addressed are:

  • The patch for CVE-2024-52316 also addresses CVE-2024-52317.

 

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Hyperion.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) applies to the columns Base Score through Availability.

CVE ID | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-11053 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (curl) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 11.2.19.0.000 |
CVE-2025-30737 | Oracle Smart View for Office | Core Smart View | HTTP | No | 5.7 | Network | High | High | Required | Unchanged | High | High | None | 24.200 |
CVE-2024-47554 | Oracle Hyperion Infrastructure Technology | Installation and Configuration (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.2.19.0.000 |

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Hyperion Financial Reporting
    • Installation (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Insurance Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-38819 | Oracle Documaker Docupresentment IDS Server (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.7.1.6, 12.7.2.3, 13.0.0.1 |

Additional CVEs addressed are:

  • The patch for CVE-2024-38819 also addresses CVE-2024-38820.

 

Oracle Java SE Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Java SE.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.
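As an added illustration (not Oracle's code), the CVSS v3.1 base-score arithmetic behind that "9.6 becomes 7.1" note, so the Base Score column of the risk matrices can be re-derived from the other metric columns. The metric weights and the rounding rule are those of the FIRST CVSS v3.1 specification; the 9.6 vector (Network/Low/None/Required, Scope Changed, High/High/High) is a constructed example chosen to match the note.

```python
"""CVSS v3.1 base-score calculator (added illustration, not Oracle's code).

Implements the Base Score equations of the FIRST CVSS v3.1 specification so
that the "Base Score" column of the risk matrices can be recomputed from the
metric columns, and so that the advisory's note (a High/High/High impact
scoring 9.6 drops to 7.1 once each impact is treated as Low) can be checked.
"""
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
ATTACK_VECTOR = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.2}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
IMPACT = {"High": 0.56, "Low": 0.22, "None": 0.0}
# The Privileges Required weight depends on Scope.
PRIVILEGES_REQUIRED = {
    "Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
    "Changed": {"None": 0.85, "Low": 0.68, "High": 0.5},
}


def roundup(value: float) -> float:
    """Round up to one decimal exactly as CVSS v3.1 Appendix A specifies.

    Integer arithmetic avoids the floating-point drift of ceil(x * 10) / 10,
    which can push e.g. 4.0 up to 4.1.
    """
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, conf, integ, avail) -> float:
    """Return the CVSS v3.1 Base Score for the eight base metrics.

    The arguments use the same words as the risk-matrix columns: Attack
    Vector, Attack Complexity, Privileges Required, User Interaction, Scope,
    Confidentiality, Integrity, Availability.
    """
    iss = 1.0 - (1.0 - IMPACT[conf]) * (1.0 - IMPACT[integ]) * (1.0 - IMPACT[avail])
    if scope == "Unchanged":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVILEGES_REQUIRED[scope][pr] * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10.0))
    return roundup(min(1.08 * (impact + exploitability), 10.0))


def score_without_admin(av, ac, pr, ui, scope, conf, integ, avail) -> float:
    """Re-score the same vulnerability for a user who does NOT run with
    administrator privileges: as the advisory's note states, each "High"
    impact metric is then treated as "Low"."""
    def downgrade(metric):
        return "Low" if metric == "High" else metric
    return base_score(av, ac, pr, ui, scope,
                      downgrade(conf), downgrade(integ), downgrade(avail))


def check_matrix_row(row: dict) -> bool:
    """Recompute the Base Score of one risk-matrix row (a dict keyed by the
    column names) and report whether it matches the published value."""
    computed = base_score(row["Attack Vector"], row["Attack Complexity"],
                          row["Privileges Required"], row["User Interaction"],
                          row["Scope"], row["Confidentiality"],
                          row["Integrity"], row["Availability"])
    return computed == row["Base Score"]


if __name__ == "__main__":
    # Constructed vector matching the advisory's example: 9.6 with
    # administrator privileges, 7.1 once the impacts are treated as Low.
    metrics = ("Network", "Low", "None", "Required", "Changed", "High", "High", "High")
    print(f"administrator: {base_score(*metrics)}, "
          f"non-administrator: {score_without_admin(*metrics)}")  # 9.6 / 7.1
    # Row copied from the Oracle Java SE matrix below (CVE-2025-21587).
    row = {"Base Score": 7.4, "Attack Vector": "Network", "Attack Complexity": "High",
           "Privileges Required": "None", "User Interaction": "None",
           "Scope": "Unchanged", "Confidentiality": "High", "Integrity": "High",
           "Availability": "None"}
    print("CVE-2025-21587 row consistent:", check_matrix_row(row))  # True
```

Any row of the matrices below can be fed to check_matrix_row the same way; a mismatch usually means a metric value was misread from the flattened table.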

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to perform further security reviews, such as identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service users can click here to log in to their dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java installations.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-23083 | Oracle GraalVM for JDK Node (Node.js) | None | No | 7.7 | Local | Low | None | None | Unchanged | High | High | None | Oracle GraalVM for JDK: 17.0.14, 21.0.6 |
CVE-2024-54534 | Oracle Java SE, Oracle GraalVM Enterprise Edition JavaFX (WebKitGTK) | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Oracle Java SE: 8u441; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 1
CVE-2024-47606 | Oracle Java SE, Oracle GraalVM Enterprise Edition JavaFX (gstreamer) | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Oracle Java SE: 8u441; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 1
CVE-2025-21587 | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition JSSE | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 2
CVE-2025-30698 | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition 2D | Multiple | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17, 21.3.13 | See Note 1
CVE-2025-30691 | Oracle Java SE Compiler | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6, 24 | See Note 2

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
 

Additional CVEs addressed are:

  • The patch for CVE-2024-54534 also addresses CVE-2024-27856, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54543, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158, and CVE-2025-24162.
  • The patch for CVE-2024-47606 also addresses CVE-2024-47544, CVE-2024-47545, CVE-2024-47546, CVE-2024-47596, CVE-2024-47597, CVE-2024-47775, CVE-2024-47776, CVE-2024-47777, and CVE-2024-47778.
  • The patch for CVE-2025-23083 also addresses CVE-2025-23084 and CVE-2025-23085.

 

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle JD Edwards.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-23807 | JD Edwards EnterpriseOne Tools Interoperability SEC (Apache Xerces-C++) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.2.0.0-9.2.9.2 |
CVE-2024-5535 | JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC (OpenSSL) | TLS | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 9.2.0.0-9.2.9.2 |
CVE-2025-30740 | JD Edwards EnterpriseOne Tools Web Runtime SEC | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.2.0.0-9.2.9.2 |
CVE-2025-30709 | JD Edwards EnterpriseOne Tools Web Runtime SEC | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.0.0-9.2.9.2 |
CVE-2024-45613 | JD Edwards EnterpriseOne Tools Web Runtime SEC (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2.0.0-9.2.9.2 |
CVE-2024-25710 | JD Edwards EnterpriseOne Tools Web Runtime SEC (Apache Commons Compress) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 9.2.0.0-9.2.9.2 |
CVE-2025-21586 | JD Edwards EnterpriseOne Tools Web Runtime SEC | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2.0.0-9.2.9.2 |
CVE-2024-47554 | JD Edwards EnterpriseOne Tools Web Runtime SEC (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 9.2.0.0-9.2.9.2 |

Additional CVEs addressed are:

  • The patch for CVE-2024-25710 also addresses CVE-2024-26308.
  • The patch for CVE-2024-5535 also addresses CVE-2024-6119.

 

Oracle MySQL Risk Matrix

This Critical Patch Update contains 43 new security patches, plus additional third party patches noted below, for Oracle MySQL.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-40896 | MySQL Workbench MySQL Workbench (libxml2) | MySQL Workbench | Yes | 9.1 | Network | Low | None | None | Unchanged | None | High | High | 8.0.0-8.0.41 |
CVE-2025-30706 | MySQL Connectors Connector/J | MySQL Protocol | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 9.0.0-9.2.0 |
CVE-2024-7254 | MySQL Connectors Connector/J (Google Protobuf-Java) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.0.0-9.1.0 |
CVE-2025-21574 | MySQL Cluster Cluster: General | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21575 | MySQL Cluster Cluster: General | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21577 | MySQL Server InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30682 | MySQL Server Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30687 | MySQL Server Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30688 | MySQL Server Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21574 | MySQL Server Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21575 | MySQL Server Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30722 | MySQL Client Client: mysqldump | MySQL Protocol | No | 5.9 | Network | High | Low | None | Unchanged | High | Low | None | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30693 | MySQL Cluster Cluster: General | Multiple | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30693 | MySQL Server InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30695 | MySQL Server InnoDB | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30722 | MySQL Cluster Cluster: General | Multiple | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30710 | MySQL Cluster Cluster: NDBCluster Plugin | Multiple | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30715 | MySQL Server Server: Components Services | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21583 | MySQL Server Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.4.0, 9.0.0 |
CVE-2025-21584 | MySQL Server Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21580 | MySQL Server Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21588 | MySQL Server Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21581 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21585 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30689 | MySQL Server Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-21579 | MySQL Server Server: Options | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30696 | MySQL Server Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30705 | MySQL Server Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30683 | MySQL Server Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30684 | MySQL Server Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30685 | MySQL Server Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30699 | MySQL Server Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30714 | MySQL Connectors Connector/Python | MySQL Protocol | No | 4.8 | Network | High | Low | Required | Unchanged | High | None | None | 9.0.0-9.2.0 |
CVE-2025-30704 | MySQL Server Server: Components Services | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2024-13176 | MySQL Connectors Connector/C++ (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 9.0.0-9.2.0 |
CVE-2024-13176 | MySQL Connectors Connector/ODBC (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 9.0.0-9.2.0 |
CVE-2024-13176 | MySQL Enterprise Backup Enterprise Backup (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2024-13176 | MySQL Server Server: Packaging (OpenSSL) | MySQL Protocol | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2024-13176 | MySQL Workbench MySQL Workbench (OpenSSL) | None | No | 4.1 | Physical | Low | Low | None | Unchanged | Low | Low | Low | 8.0.0-8.0.41 |
CVE-2025-30721 | MySQL Server Server: UDF | None | No | 4.0 | Local | High | High | Required | Unchanged | None | None | High | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30681 | MySQL Cluster Cluster: General | Multiple | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30703 | MySQL Server InnoDB | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |
CVE-2025-30681 | MySQL Server Server: Replication | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | None | Low | 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0 |

Additional CVEs addressed are:

  • The patch for CVE-2024-13176 also addresses CVE-2024-9143.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • MySQL Shell
    • Shell General / Core Client (OpenSSL): CVE-2024-6119 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle PeopleSoft.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-30735 | PeopleSoft Enterprise CC Common Application Objects Page and Field Configuration | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.2 |
CVE-2023-52428 | PeopleSoft Enterprise PeopleTools Security (Nimbus JOSE+JWT) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.60, 8.61, 8.62 |
CVE-2025-30713 | PeopleSoft Enterprise HCM Talent Acquisition Manager Job Opening | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 |
CVE-2025-30697 | PeopleSoft Enterprise PeopleTools Panel Processor | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.60, 8.61, 8.62 |

 

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Policy Automation.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-57699 | Oracle Policy Automation Determinations Engine (json-smart) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.0-12.2.36 |
CVE-2024-47554 | Oracle Policy Automation Determinations Engine (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.0-12.2.36 |
CVE-2024-47554 | Oracle Policy Modeling Generic (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 12.2.0-12.2.36 |

 

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 11 new security patches, plus additional third party patches noted below, for Oracle Retail Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2022-34381 | Oracle Retail Store Inventory Management Core (BSAFE Crypto-J) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.0.3.16 |
CVE-2024-22243 | Oracle Retail Xstore Point of Service Point of Sale (Spring Framework) | HTTP | Yes | 8.1 | Network | Low | None | Required | Unchanged | High | High | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |
CVE-2023-24998 | Oracle Retail Store Inventory Management Core (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 16.0.3.16 |
CVE-2023-46589 | Oracle Retail Xstore Point of Service Xenvironment (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |
CVE-2023-48795 | Oracle Retail Xstore Point of Service Xenvironment (Apache Mina SSHD) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |
CVE-2023-40167 | Oracle Retail Xstore Point of Service Point of Sale (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |
CVE-2023-51074 | Oracle Retail Xstore Point of Service Xenvironment (JsonPath) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |
CVE-2024-29025 | Oracle Retail Xstore Point of Service Xenvironment (Netty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |
CVE-2024-47554 | Oracle Retail Order Broker Order Broker Foundation - OBF (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 19.1 |
CVE-2024-47554 | Oracle Retail Store Inventory Management Core (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 16.0.3.16 |
CVE-2024-47554 | Oracle Retail Xstore Point of Service Xenvironment (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 19.0.6, 20.0.5, 21.0.4, 22.0.2, 23.0.2, 24.0.1 |

Additional CVEs addressed are:

  • The patch for CVE-2023-48795 also addresses CVE-2023-35887.
  • The patch for CVE-2024-22243 also addresses CVE-2016-1000027, CVE-2024-38819, and CVE-2024-38820.
  • The patch for CVE-2023-40167 also addresses CVE-2023-36479.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Retail Xstore Point of Service
    • Xenvironment (Apache Commons Configuration): CVE-2024-29133 and CVE-2024-29131 [VEX Justification: vulnerable_code_cannot_be_controlled_by_adversary].

 

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-47197 | Siebel CRM Deployment Application Interface (Apache Maven Shared Utils) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 17.0-25.2 |
CVE-2024-9902 | Siebel CRM Cloud Applications Siebel Cloud Manager (Ansible) | None | No | 6.3 | Local | High | Low | Required | Unchanged | High | High | Low | 17.0-24.12 |
CVE-2024-42367 | Siebel CRM Cloud Applications Siebel Cloud Manager (AIOHTTP) | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 17.0-24.11 |
CVE-2024-38357 | Siebel CRM End User EAI, UI (TinyMCE) | None | No | 3.1 | Local | Low | High | Required | Unchanged | Low | Low | None | 24.7-25.2 |

Additional CVEs addressed are:

  • The patch for CVE-2024-9902 also addresses CVE-2024-8775.

 

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 3 new security patches, plus additional third party patches noted below, for Oracle Supply Chain.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-56337 | Oracle Agile Engineering Data Management Document Management (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.2.1 |
CVE-2023-37536 | Oracle Demantra Demand Management Forecast Engine (Apache Xerces-C++) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.6-12.2.14 |
CVE-2024-47554 | Oracle Agile Engineering Data Management Document Management (Apache Commons IO) | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 6.2.1 |

Additional CVEs addressed are:

  • The patch for CVE-2024-56337 also addresses CVE-2024-50379 and CVE-2024-54677.

Additional patches included in this Critical Patch Update for the following non-exploitable CVEs for this Oracle product family:

  • Oracle Demantra Demand Management
    • Security (RequireJS): CVE-2024-38998 and CVE-2024-38999 [VEX Justification: vulnerable_code_not_in_execute_path].

 

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Support Tools.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-52046 | OSS Support Tools Diagnostic Assistant (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.11.0-2.12.46 |
CVE-2024-52046 | OSS Support Tools Services Tools Bundle (Apache Mina) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.00-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1 |
CVE-2024-47554 | OSS Support Tools Diagnostic Assistant (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 2.11.0-2.12.46 |
CVE-2024-47554 | OSS Support Tools Services Tools Bundle (Apache Commons IO) | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 8.00-8.18, 18.1-18.4, 19.1-19.4, 20.1-20.4, 22.2, 23.1-23.4, 24.1-24.4, 25.1 |

 

Oracle Systems Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Systems.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-30690 | Oracle Solaris Filesystem | None | No | 7.2 | Local | High | High | Required | Changed | High | High | High | 11 |
CVE-2025-30700 | Oracle Solaris Pluggable authentication module | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | Low | None | None | 11 |

 

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Utilities Applications.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2024-47072 | Oracle Utilities Application Framework General (XStream) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0 |
CVE-2024-47554 | Oracle Utilities Application Framework General (Apache Commons IO) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3 |

 

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).

CVE ID | Product / Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2025-30712 | Oracle VM VirtualBox Core | None | No | 8.1 | Local | Low | High | None | Changed | High | High | Low | 7.1.6 |
CVE-2025-30725 | Oracle VM VirtualBox Core | None | No | 6.7 | Local | High | High | None | Changed | Low | Low | High | 7.1.6 |
CVE-2025-30719 | Oracle VM VirtualBox Core | None | No | 6.1 | Local | Low | Low | None | Unchanged | Low | None | High | 7.1.6 |