Full Report
Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services. The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances. "Easily exploitable
Analysis Summary
# Vulnerability: Critical Flaws in Oracle Products, Most Severe in Agile PLM Framework (January 2025 CPU)
## CVE Details
- CVE ID: CVE-2025-21556 (Most Severe)
- CVSS Score: 9.9 (Critical)
- CWE: Not stated for the most severe flaw; the description (a low-privileged network attacker taking over the instance) is consistent with remote code execution or a severe access-control bypass.
Other notable CVEs mentioned:
- CVE-2024-21287 (CVSS: 7.5)
- CVE-2025-21524 (CVSS: 9.8)
- CVE-2023-3961 (CVSS: 9.8)
- CVE-2024-23807 (CVSS: 9.8)
- CVE-2023-46604 (CVSS: 9.8)
- CVE-2024-45492 (CVSS: 9.8)
- CVE-2024-56337 (CVSS: 9.8)
- CVE-2025-21535 (CVSS: 9.8)
- CVE-2016-1000027 (CVSS: 9.8)
- CVE-2023-29824 (CVSS: 9.8)
- CVE-2024-37371 (CVSS: 9.1)
## Affected Systems
- **Products:** Oracle Agile Product Lifecycle Management (PLM) Framework, JD Edwards EnterpriseOne Tools, Oracle Agile Engineering Data Management, Oracle Communications Diameter Signaling Router, Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, HTTP Server, Oracle Communications Policy Management, Oracle WebLogic Server, Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, Oracle Communications Billing and Revenue Management.
- **Versions:** Oracle Agile PLM Framework version 9.3.6 (for CVE-2025-21556 and CVE-2024-21287). Specific versions for other components are not detailed but are covered by the January 2025 CPU.
- **Configurations:** Specific conditions are not detailed, but the most critical flaw (CVE-2025-21556) is exploitable via HTTP network access.
## Vulnerability Description
The most critical vulnerability (CVE-2025-21556) in the **Oracle Agile PLM Framework** is described as an easily exploitable vulnerability allowing low-privileged attackers with network access via HTTP to compromise the framework, potentially leading to a complete seizure of control over susceptible instances.
Several other flaws rated 9.8 involve components like the Monitoring and Diagnostics SEC component in JD Edwards, Apache Xerces C++, Apache ActiveMQ, libexpat, Apache Tomcat server, and Oracle WebLogic Server Core. CVE-2025-21535 exists in WebLogic Server and is compared to CVE-2020-2883, which allowed exploitation via IIOP or T3. CVE-2024-37371 in Communications Billing and Revenue Management involves sending message tokens with invalid length fields, causing invalid memory reads.
## Exploitation
- **Status:** Oracle warned of **active exploitation attempts** against a *different* flaw in the same product (CVE-2024-21287) in November 2024. CVE-2025-21556 is described as "easily exploitable." One similar vulnerability, CVE-2020-2883 (affecting WebLogic), has been added to CISA's KEV catalog due to known in-the-wild exploitation.
- **Complexity:** Low (for CVE-2025-21556: "low privileged attackers with network access").
- **Attack Vector:** Network (For CVE-2025-21556 via HTTP; others may use different network vectors like IIOP/T3).
## Impact
- **Confidentiality:** High (Suggested by the ability to "seize control").
- **Integrity:** High (Suggested by the ability to "seize control").
- **Availability:** High (Potential for denial of service or system shutdown following compromise).
## Remediation
### Patches
- Customers must apply the **January 2025 Critical Patch Update (CPU)** from Oracle. This CPU includes patches for CVE-2025-21556 and CVE-2024-21287, among 316 others.
### Workarounds
- No workarounds are given in the advisory summary; the only stated mitigation is to apply the patch without delay.
## Detection
- **Indicators of Compromise:** None are published. Watch for anomalous HTTP traffic to Agile PLM endpoints, and for traffic on the vectors the WebLogic flaws use (IIOP/T3), where those services are exposed.
- **Detection methods and tools:** Standard network intrusion detection systems monitoring traffic to these Oracle application tiers (HTTP to Agile PLM, IIOP/T3 to WebLogic).
## References
- Vendor Advisories: Oracle January 2025 Critical Patch Update Advisory
- Relevant Links:
  - https://oracle.com/security-alerts
  - https://oracle.com/security-alerts/cpujan2025.html
  - https://nvd.nist.gov/vuln/detail/CVE-2025-21556
  - https://blogs.oracle.com/security/post/january-2025-cpu-released