CVE-2022-21445 (with a score of 9.8 on the CVSS scale) is a vulnerability of deserialization of untrusted data, which can be used to execute arbitrary code in the victim’s system. Researchers PeterJson from VNG Corporation and Nguyen Jang from VNPT in October 2021 discovered CVE-2022-21445 in the ADF Faces framework and reported it to Oracle. However, the company released the fix only six months later, as part of the April Critical Patch Update.
According to the researchers, the RCE vulnerability, which they called a “mega” vulnerability, affects all applications using the ADF Faces framework, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite and Transportation Management.
Researchers also managed to detect CVE-2022-21497 (with a score of 8.1 on the CVSS scale) – an SSRF vulnerability that can be used together with CVE-2022-21445 for remote code execution before authorization in Oracle Access Manager.
Using these vulnerabilities, the researchers developed an exploit, which they called the “Miracle Exploit”. According to them, all Oracle online systems and cloud services using ADF Faces are vulnerable.