Unauthenticated Network Access Vulnerability in Oracle Application Development Framework
CVE-2022-21445

9.8CRITICAL

Key Information:

Vendor: Oracle
Status: Application Development Framework (adf)
Vendor: CVE Published:; 19 April 2022

Badges

👾 Exploit Exists🦅 CISA Reported

Summary

This vulnerability exists in the Oracle Application Development Framework (ADF) within the Oracle Fusion Middleware. It allows unauthenticated attackers with network access via HTTP to exploit ADF, potentially leading to a complete takeover of the affected framework. The vulnerability, which affects specific versions of ADF, poses a significant risk as it can compromise the confidentiality, integrity, and availability of the application. Users should consult the Fusion Middleware Patch Advisor for mitigation steps.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Application Development Framework (ADF) 12.2.1.3.0

Application Development Framework (ADF) 12.2.1.4.0

References

https://www.oracle.com/security-alerts/cpuapr2022.html

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🦅
CISA Reported
Sep 18, 2024
🟡
Public PoC available
Aug 7, 2023
👾
Exploit known to exist
Aug 7, 2023
Vulnerability published
Apr 19, 2022
Vulnerability Reserved
Nov 15, 2021