CISA: Oracle Vulnerabilities From ‘Miracle Exploit’ Targeted in Attacks

Share This Post

CISA this week added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including two Oracle product flaws for which there do not appear to be any previous reports of exploitation. 

The two Oracle product vulnerabilities added to the cybersecurity agency’s KEV list are tracked as CVE-2022-21445 and CVE-2020-14644. 

CVE-2022-21445 impacts the JDeveloper product of the Oracle Fusion Middleware platform, specifically a component named ADF Faces. CVE-2020-14644 impacts WebLogic Server. Both security holes have been rated ‘critical’ and they can be exploited by an unauthenticated attacker for remote code execution and to take over the targeted system. 

While CVE-2022-21445 and CVE-2020-14644 were discovered two years apart, they are connected. 

When CVE-2022-21445 was disclosed in June 2022, the researchers who found it described it as a ‘mega’ vulnerability that Oracle took six months to patch. 

They warned at the time that the flaw affected all applications that rely on the ADF Faces component, including Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management.

At the time, they showed how CVE-2022-21445 could be chained with another vulnerability to compromise impacted systems, specifically CVE-2020-14644, which Oracle just added to the KEV catalog. 

The researchers warned at the time that the exploit, which they dubbed ‘The Miracle Exploit’, affected all of Oracle’s online systems and cloud services that relied on ADF Faces. 

Advertisement. Scroll to continue reading.

The experts said they had reported their findings to major organizations such as Dell, BestBuy, Starbucks, and several others that had been impacted.

SecurityWeek has not seen any public reports describing attacks involving CVE-2022-21445 and CVE-2020-14644, but CISA does occasionally add vulnerabilities to its KEV catalog based on privately received reports. 

Related: CISA Warns of Progress Telerik Vulnerability Exploitation

Related: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign 

This post was originally published on this site

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .