CVE-2022-45378
Published 2022-11-14
Priority: P2 · 62 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.25% (80.7th percentile)
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | soap | <= 2.3 | — |
| apache_software_foundation | apache_soap | — | — |
Detection & IOCs (extracted from sources)
- The RPCRouterServlet endpoint is exposed without authentication in the default Apache SOAP configuration; monitor for unauthenticated HTTP requests targeting this servlet path.
- Exploitation occurs over HTTP remotely; monitor for suspicious inbound HTTP traffic invoking methods via the RPCRouterServlet that could trigger classpath method execution or RCE.
- The vulnerability is present in the DEFAULT configuration of Apache SOAP; no special setup is required for the RPCRouterServlet to be exposed unauthenticated.
- Exploitability and impact depend heavily on what classes are present on the server's classpath at the time of attack.
- Oracle Fusion Middleware (Portal Core and Third Party components using Apache SOAP) is confirmed affected and was patched in the APR 2024 and JUL 2024 CPU advisories.
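The first monitoring item above, unauthenticated HTTP requests to the RPCRouterServlet path, can be turned into a simple access-log check. The Python below is an added example written for this page; it is not code from the page, from Apache SOAP, or from Oracle. It assumes combined-format access logs from the servlet container (where the third field is the authenticated remote user, or `-` when there is none) and the conventional `/soap/servlet/rpcrouter` servlet mapping, which the page does not state and which should be adjusted to the mapping in the deployment's own `web.xml`. The log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of combined-format access log lines (not from any real
# incident) for a servlet container hosting Apache SOAP. The third field is the
# remote user; "-" means the container authenticated nobody for that request.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2022:10:01:12 +0000] "POST /soap/servlet/rpcrouter HTTP/1.1" 200 412 "-" "Java/1.8.0_292"
198.51.100.3 - alice [14/Nov/2022:10:02:40 +0000] "POST /soap/servlet/rpcrouter HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [14/Nov/2022:10:03:05 +0000] "GET /soap/servlet/rpcrouter HTTP/1.1" 200 118 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Nov/2022:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed servlet mapping for RPCRouterServlet (hypothetical default; check
# the deployment's web.xml and widen this pattern to match its actual path).
RPCROUTER_RE = re.compile(r'/servlet/rpcrouter(?:[/?;]|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    note: str


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text: str) -> list:
    """Flag requests that reached the RPCRouterServlet path without an authenticated user.

    POSTs are the SOAP RPC invocations themselves (the dangerous case); GETs to the
    same path are recorded as probes, since they show the servlet is reachable.
    """
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or not RPCROUTER_RE.search(rec["path"]):
            continue
        if rec["user"] != "-":
            # The container attached a principal; this is not the unauthenticated condition.
            continue
        note = ("unauthenticated RPC invocation attempt" if rec["method"] == "POST"
                else "unauthenticated probe of RPCRouterServlet")
        findings.append(Finding(
            ip=rec["ip"], timestamp=rec["ts"], method=rec["method"],
            path=rec["path"], status=int(rec["status"]), note=note,
        ))
    return findings


def summarize_by_source(findings: list) -> dict:
    """Count flagged requests per source address, for triage and blocking decisions."""
    counts: dict = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.method} {f.path} {f.status}: {f.note}")
    print(summarize_by_source(scan_access_log(SAMPLE_LOG)))
```

Because the default Apache SOAP deployment performs no authentication, every hit on the servlet path will carry `-` as the user; the value of the check is therefore inventory (is the servlet reachable at all, and from where) rather than distinguishing good from bad callers. An accepted POST (status 200) from an unexpected source is the line to escalate, and the durable fix is removing the servlet mapping or putting the path behind container authentication and network restrictions, not tuning the log filter.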
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_oracle: 9.8 CRITICAL
Oracle
Oracle Fusion Middleware Risk Matrix: Portal Core (Apache SOAP) — CVE-2022-45378 [CRITICAL]
vendor_oracle · 2024-07-15 · CVSS 9.8
CVE: CVE-2022-45378
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Fusion Middleware Risk Matrix: Third Party (Apache SOAP) — CVE-2022-45378 [CRITICAL]
vendor_oracle · 2024-04-15 · CVSS 9.8
CVE: CVE-2022-45378
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2024 (APR 2024)
GHSA
Apache SOAP contains unauthenticated RPCRouterServlet (CVE-2022-45378, CRITICAL, CWE-287)
ghsa · 2022-11-14
** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
OSV
Apache SOAP contains unauthenticated RPCRouterServlet (CVE-2022-45378, CRITICAL)
osv · 2022-11-14
** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, July 2024 Security Update Review
blogs_qualys · 2024-07-17
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its third quarterly edition of Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware foll
Qualys
Oracle Security Updates, April 2024: Critical Patch | Qualys
blogs_qualys · 2024-04-17
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its second quarterly edition of Critical Patch Update, which contains patches for 441 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the second quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 93, constituting about 21% of the total patches released. Oracle Fusion Middleware and Oracle Financial Services Applicat