
"Miracle Exploit" Vulnerabilities in Multiple Oracle Products

Security researchers disclose details of "Miracle Exploit" relating to previously released critical vulnerabilities



Threat details

Introduction

Oracle released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. Among these vulnerabilities were CVE-2022-21445 and CVE-2022-21497, which had been discovered by security researchers in October 2021.

The researchers named these vulnerabilities "Miracle Exploit" and released a technical report in June 2022. The report shows that the vulnerabilities lie in ADF Faces, a framework used to build user interfaces for Java EE applications, which integrates with the Oracle Fusion Middleware stack.

CVE-2022-21445 allows for remote code execution (RCE) on affected products. CVE-2022-21497 can be used to trigger server-side request forgery (SSRF) for lateral movement to other vulnerable Oracle systems. A remote, unauthenticated attacker could use these vulnerabilities to take control of a system.


Remediation advice

Affected organisations are urged to review the Oracle April 2022 Critical Patch Update and apply the necessary updates or workarounds as a matter of urgency.



Last edited: 28 June 2022 10:18 am