Updates from Oracle: 378 security patches but nothing to break into the cloud
As part of the regular update cycle, Oracle delivers patches for almost the entire product range, which customers should install quickly.
The latest Critical Patch Update from Oracle means a lot of work for admins: a total of 378 updates need to be installed, most of which close vulnerabilities that can be exploited remotely and without authentication; 162 patches have a CVSS score of 7.0 or higher, and 42 are rated 9.0 or higher (critical). The affected products include databases, middleware, cloud services and communication applications, some of which are of central importance for global financial institutions, telecommunications providers and cloud-native platforms.
A complete overview is provided in the Oracle Critical Patch Update Advisory - April 2025, in which the manufacturer also emphasizes that, according to reports of successful attacks, “the attackers were successful because the affected customers had failed to apply the available Oracle patches”. Whether Oracle is also referring to itself and the apparently successfully compromised cloud servers unfortunately remains unclear. Oracle's communication on these incidents continues to be limited to misleading small talk; our inquiries remain unanswered. The next Oracle CPU is scheduled for July 15.
(ju)