Oracle emailed Security Alert CVE-2025-61882 on Oct 5, 2025 and published Doc ID 3106344.1 (Security Alert CVE-2025-61882 Patch Availability Document for Oracle E-Business Suite) for it. The document at first strongly recommended a set of patches 38501230, 38501349, 38501757 as hotfixes. Oracle then modified the document and recommended either the October 2025 CPU patch set or 6 hotfix patches: 38507994, 38518258, 38523311, 38523302, 38510732, and 38501757.
I applied the October 2025 CPU patch and found it includes all the individual patches mentioned above. So, it is a good and clean way to fix the CVE-2025-61882 vulnerabilities. Below are the EBS patches I applied to my instances:
38298685 12.2.0 Oct 2025 CPU
38261405 R12.FWK.C Oracle Applications Framework
37450688 R12.OWF.C Oracle Workflow
38180394 R12.FND.C (prerequisite: OCT 2020 CPU: 31643029:12.2.0)
38510732 R12.XDO.C BI Publisher (formerly XML Publisher)
Note that ECPUC.sql only lists patches that are required or recommended by a CPU patch release but does NOT list the prerequisites of each patch. For example, October 2025 CPU patch 38298685 requires R12.AD.C.DELTA.15 & R12.TXK.C.DELTA.15 (or higher), so I first had to apply the two patches below in instances that had AD and TXK Delta 14:
36119925 (R12.AD.C.DELTA.16) Built: JUL-16-2024
36117775 (R12.TXK.C.DELTA.16) Built: JUL-16-2024
Run the new adgrants.sql as SYSDBA using:
SQL> @/path/to/adgrants.sql <APPS schema name>
$ adop phase=apply apply_mode=downtime patches=36119925,36303698,36989014,37988551 merge=yes patchtop=/path/to/Oct2025_CPU/AD workers=16 wait_on_failed_job=yes
$ adop phase=apply apply_mode=downtime patches=36117775,36641685,37500697 merge=yes patchtop=/path/to/Oct2025_CPU/TXK workers=16 wait_on_failed_job=yes
The detailed steps for applying the patches in the October 2025 CPU release are almost the same as for applying the January 2025 patches.
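Because ECPUC.sql does not report per-patch prerequisites, a check of the AD/TXK code levels and of the patch numbers listed above can be run before and after the adop sessions. This is an added example, not part of the original post or of Oracle's documentation; it assumes a SQL*Plus session as the APPS user and uses the standard AD_TRACKABLE_ENTITIES and AD_BUGS tables.

```sql
-- Added example (not from the original post). Run as the APPS user.

-- 1) Current AD and TXK code levels. Per the post, CPU patch 38298685
--    needs R12.AD.C.DELTA.15 and R12.TXK.C.DELTA.15 or higher.
SELECT abbreviation, codelevel
FROM   ad_trackable_entities
WHERE  abbreviation IN ('ad', 'txk');

-- 2) Status of every patch number taken from the post.
--    AD_BUGS can hold several rows per bug number, hence the GROUP BY.
WITH required (bug_number, description) AS (
  SELECT '36119925', 'R12.AD.C.DELTA.16'          FROM dual UNION ALL
  SELECT '36117775', 'R12.TXK.C.DELTA.16'         FROM dual UNION ALL
  SELECT '38298685', '12.2.0 Oct 2025 CPU'        FROM dual UNION ALL
  SELECT '38261405', 'R12.FWK.C OA Framework'     FROM dual UNION ALL
  SELECT '37450688', 'R12.OWF.C Oracle Workflow'  FROM dual UNION ALL
  SELECT '38180394', 'R12.FND.C'                  FROM dual UNION ALL
  SELECT '38510732', 'R12.XDO.C BI Publisher'     FROM dual
)
SELECT r.bug_number,
       r.description,
       NVL2(MAX(b.bug_number), 'APPLIED', 'MISSING') AS status,
       MAX(b.creation_date)                          AS recorded_on
FROM   required r
LEFT JOIN ad_bugs b
       ON b.bug_number = r.bug_number
GROUP  BY r.bug_number, r.description
ORDER  BY status DESC, r.bug_number;   -- MISSING rows sort first
```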
To get the list of CVEs addressed by each CPU patchset, go to https://www.oracle.com/security-alerts and then click on the individual CPU release.