Oracle’s Q1 2021 Critical Patch Update: 2021 begins with fewer patches in the quarterly update.

Customer Alert 20210119


The January 2021 Oracle Critical Patch Update (CPU) contains 25 percent fewer fixes than the October 2020 release. The CPU includes 329 software patches across the Oracle product portfolio with 12 out of 25 product suites containing flaws with a CVSS ratings as high as 9.8. The majority of CVEs can be remotely exploited without user credentials and have a low level of attack complexity.



The number of CVEs in the Q1 2021 Critical Patch Update has dropped from an all-time high in July 2020 by 115 CVEs, including the lowest number of Java SE patches in the past five years – a single CVE with a CVSS score of 5.3 that can be remotely executed.

Other highlights include:

  • 31 patches for Oracle E-Business Suite, 29 of which can be remotely executed. The highest CVSS score is 9.8.
  • 60 patches for Oracle Fusion Middleware, 47 of which can be remotely executed. Fifteen (15) of the CVEs have a CVSS score of 9.8 and can be easily exploited.
  • 8 patches for Oracle PeopleSoft, 6 of which can be remotely executed. The highest CVSS score is 8.4.
  • The single Java SE patch addresses flaws in versions 7u281 and 8u271.
  • This is the first CPU since April 2020 where there are no CVEs with a CVSS score of 10.0.

Read the full Oracle CPU news release here.


Next Steps

Non-Waratek customers should follow the guidelines from Oracle and that means going back to your dev test environment, pushing it through your dev test, and moving into production with all of the effort and cost and time that comes with that.

For Waratek customers, it’s a very, very different, lightweight process. Take the virtual patches, take the security controls, and frankly just press the button to deploy them there and then. You can be protected in five minutes.

Waratek Patch and Waratek Upgrade customers will receive runtime virtual patches that address the Oracle CPU CVEs as part of their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.


About Waratek

Waratek is the winner of the 2020 Cyber Defense Magazine’s Cutting Edge Award for Application Security, the Cybersecurity Breakthrough Award’s 2019 Overall Web Security Solution of the Year, and is a previous winner of the RSA Innovation Sandbox Award along with more than a dozen other awards and recognitions. For more information, visit