CISA reports two old Oracle product flaws actively exploited, time to patch or refactor
Take action: If you are running Oracle products and haven't been patching them, start reading, and start mildly panicking. This is a set of very dangerous flaws that are still not patched in enough environments that a government regulatory agency needs to report it. Review your products and patch ASAP. Because you will be hacked.
Learn More
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two old critical vulnerabilities from Oracle products to its Known Exploited Vulnerabilities (KEV) Catalog.
Vulnerability details
- CVE-2022-21445 (CVSS score 9.8) - Flaw in Oracle Fusion Middleware (JDeveloper), specifically the ADF Faces component. When disclosed in June 2022, it was described as a "mega vulnerability" due to its wide-ranging impact across Oracle applications. Researchers highlighted that it took Oracle six months to patch the flaw. It can be exploited by unauthenticated attackers to achieve remote code execution (RCE) and compromise the targeted system. CVE-2022-21445 affects several key Oracle products, including:
  - Oracle Business Intelligence
  - Enterprise Manager
  - Identity Management
  - SOA Suite
  - WebCenter Portal
  - Application Testing Suite
  - Transportation Management
  This vulnerability can also be chained with CVE-2020-14644 to fully compromise affected systems.
- CVE-2020-14644 (CVSS score 9.8) - RCE flaw in Oracle WebLogic Server. Exploiting it does not require authentication, making it highly dangerous. It was identified two years before CVE-2022-21445 and has now been linked to a broader exploitation strategy against systems relying on Oracle's middleware components.
While these vulnerabilities were discovered years apart, they are connected through what researchers have dubbed "The Miracle Exploit". When CVE-2022-21445 was first disclosed, it was noted that it could be combined with CVE-2020-14644 to compromise Oracle systems, including its cloud services.
Products Impacted
- Oracle Fusion Middleware (via ADF Faces)
- Oracle WebLogic Server
- Oracle Business Intelligence
- Oracle Enterprise Manager
- Oracle Identity Management
- Oracle SOA Suite
- Oracle WebCenter Portal
- Oracle Application Testing Suite
- Oracle Transportation Management
Organizations using affected Oracle products should ensure that patches for both CVE-2022-21445 and CVE-2020-14644 are applied immediately to mitigate the risk of exploitation.
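As an added example (not from the advisory, CISA or Oracle), the following Python cross-checks per-host scanner findings against an excerpt in the shape of CISA's KEV JSON feed and raises the remediation priority of hosts exposed to both CVEs at once, since the two chain together. The catalog excerpt, host names and the non-KEV finding are constructed; field names follow the real KEV feed, but dates and action text are placeholders.

```python
import json

# Constructed excerpt shaped like the KEV feed's "vulnerabilities" array.
# Field names match the real feed; dueDate/requiredAction values are placeholders.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2022-21445", "vendorProject": "Oracle",
         "product": "Fusion Middleware (ADF Faces)",
         "requiredAction": "<placeholder>", "dueDate": "<placeholder>"},
        {"cveID": "CVE-2020-14644", "vendorProject": "Oracle",
         "product": "WebLogic Server",
         "requiredAction": "<placeholder>", "dueDate": "<placeholder>"},
    ]
})

# The two CVEs the advisory says chain into "The Miracle Exploit".
MIRACLE_CHAIN = frozenset({"CVE-2022-21445", "CVE-2020-14644"})

# Constructed inventory: host -> unpatched CVEs reported by a scanner.
# CVE-0000-00000 is a hypothetical placeholder for a finding not in KEV.
INVENTORY = {
    "bi-prod-01": ["CVE-2022-21445"],
    "wls-prod-02": ["CVE-2020-14644", "CVE-2022-21445"],
    "app-dev-03": ["CVE-0000-00000"],
    "hr-web-04": [],
}


def kev_ids(kev_json: str) -> set[str]:
    """Extract the set of CVE identifiers from a KEV-format JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory: dict, kev: set[str], chain=MIRACLE_CHAIN) -> dict:
    """Map each host to (priority, KEV-listed CVEs found on it).

    'critical' when every CVE in the chain is present, 'high' when any
    KEV-listed CVE is present, otherwise 'none'.
    """
    result = {}
    for host, cves in inventory.items():
        hits = sorted(set(cves) & kev)
        if chain <= set(hits):
            prio = "critical"
        elif hits:
            prio = "high"
        else:
            prio = "none"
        result[host] = (prio, hits)
    return result
```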