CVE-2022-21445
Published: 19 April 2022
Summary
CVE-2022-21445 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Application Development Framework. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2022-21445 is a deserialization vulnerability in the ADF Faces component of Oracle Application Development Framework within Oracle Fusion Middleware. It affects versions 12.2.1.3.0 and 12.2.1.4.0, which are obtained through the Oracle JDeveloper product. The flaw carries a CVSS 3.1 base score of 9.8 and permits remote code execution that can fully compromise the ADF runtime.
An unauthenticated attacker with network access over HTTP can exploit the issue without user interaction. Successful exploitation grants complete control over the affected ADF instance, resulting in loss of confidentiality, integrity, and availability.
Oracle's April 2022 Critical Patch Update addresses the vulnerability and directs administrators to the Fusion Middleware Patch Advisor for remediation details. The CVE is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score has remained elevated at around 0.92, rather than climbing from a low baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26669
Vulnerability details
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via Oracle JDeveloper Product. Please refer to Fusion Middleware Patch Advisor for more details. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 18 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the April 2022 Oracle Critical Patch Update, which eliminates the deserialization flaw in ADF Faces 12.2.1.3.0 and 12.2.1.4.0.
- SI-10 (Information Input Validation): requires validation of untrusted HTTP input before deserialization, blocking the unauthenticated attacker-supplied payload that leads to ADF takeover.
- SC-7 (Boundary Protection): enforces boundary protections (e.g., WAF rules or network ACLs) that restrict or inspect unauthenticated HTTP traffic reaching the vulnerable ADF component.