CVE-2022-21445
published 2022-04-19


Priority: P1 · 95 · critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2024-10-09)
Exploited in the wild
EPSS: 62.01% (99.1th percentile)
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via Oracle JDeveloper Product. Please refer to Fusion Middleware Patch Advisor for more details. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected (4 ranges)

Vendor              Product                             Version range   Fixed in
oracle              application_development_framework
oracle              application_development_framework
oracle_corporation  application_development_framework
oracle_corporation  application_development_framework

Detection & IOCs (extracted from sources)

  • CVE-2022-21445 is a deserialization of untrusted data vulnerability in Oracle ADF Faces (included with Oracle JDeveloper). Detection should focus on unauthenticated HTTP requests targeting ADF Faces deserialization endpoints, which can lead to remote code execution.
  • The vulnerability is exploitable over HTTP with no authentication and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). Monitor for anomalous unauthenticated HTTP traffic to ADF Faces endpoints on affected versions 12.2.1.3.0 and 12.2.1.4.0.
  • Successful exploitation results in full takeover (C/I/A all HIGH). Alert on any unexpected process spawning or outbound connections from Oracle ADF Faces / JDeveloper server processes following HTTP requests.
  • Affected versions are specifically 12.2.1.3.0 and 12.2.1.4.0 of Oracle ADF Faces. Scope detection rules to these versions to reduce false positives.
  • Oracle ADF Faces is distributed as part of Oracle JDeveloper, not as a standalone product. Inventory should check for JDeveloper installations that bundle the vulnerable ADF Faces library.

CVSS provenance

nvd (v3.1):     9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):     7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck:      9.8 CRITICAL
cisa:           9.8 CRITICAL
vendor_oracle:  9.8 CRITICAL