Oracle JDeveloper v12.2.1.3.0 and v12.2.1.4.0 - Remote Code Execution (RCE) via 'Miracle' Java Object Deserialization Vulnerability (CVE-2022-21445)

Description

Background & Context

Oracle ADF Faces is a set of over 150 Ajax-enabled JavaServer Faces (JSF) components as well as a complete framework, all built on top of the JSF 2.0 standard. Much of this functionality can be implemented declaratively using Oracle JDeveloper, a free integrated development environment (IDE) with built-in support for ADF Faces components, allowing you to quickly and easily build the view layer of your web application. JDeveloper offers complete end-to-end development for Oracle's platform and Oracle's applications.

Vulnerability Summary

A critical Java Object Deserialization vulnerability exists in the Oracle JDeveloper product, which is distributed either standalone or via the ADF Faces bundle of Oracle Fusion Middleware. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

The root cause is the oracle.adfinternal.view.resource.rich.RemoteApplicationResourceLoader class, which fails to properly validate or sanitise user-provided data in serialised objects that are passed to it from untrusted upstream (attacker-controlled) sources. As a result, the class allows malicious code that is passed to it to self-execute during the deserialization process (i.e., before the object is returned to the caller).

Impact If Exploited

It is sometimes possible for attackers to leverage deserialization vulnerabilities in order to perform unauthorized actions, such as spawning a shell. That is the case with CVE-2022-21445: an attacker could exploit this vulnerability by submitting specially-crafted serialized data to the class in order to execute arbitrary code on the system. Since the vulnerable class can be reached via an exposed HTTP endpoint (http://HOST:PORT/contextApp/afr/FOO/remote/BAR/, where FOO and BAR are user-controlled strings, the latter carrying the malicious payload), this vulnerability can be exploited remotely. The endpoint is also accessible prior to authentication.

As a result, successful exploitation allows any remote user with HTTP network access to compromise Oracle JDeveloper. Successful attacks can result in the complete hostile takeover and sequestration of vulnerable Oracle JDeveloper instances.
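The exposed endpoint pattern described above is also a usable detection hook. The following is an added example, not code from the advisory or from Oracle: a small Python scanner over constructed access-log lines (all function names and sample lines are assumptions) that flags requests to the /afr/FOO/remote/BAR/ path and raises severity when BAR begins with "rO0AB", the base64 encoding of the Java serialization stream magic; that encoding is an assumption, since the advisory does not state how the payload is carried.

```python
import re
from urllib.parse import unquote
# Pre-auth resource-loader path from the advisory:
# /<contextApp>/afr/<FOO>/remote/<BAR>/  (FOO and BAR are user-controlled)
REMOTE_LOADER_RE = re.compile(r"^/(?P<ctx>[^/]+)/afr/(?P<foo>[^/]+)/remote/(?P<bar>.+?)/?$")

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Assumption (not stated in the advisory): a base64-encoded Java serialization
# stream begins with "rO0AB", the encoding of the 0xACED0005 stream magic.
JAVA_SER_B64_PREFIX = "rO0AB"

def parse_line(line):
    """Parse one CLF access-log line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a finding for a request to the remote loader path, else None."""
    # Strip the query string and decode percent-encoding before matching.
    path = unquote(entry["path"].split("?", 1)[0])
    m = REMOTE_LOADER_RE.match(path)
    if m is None:
        return None
    bar = m.group("bar")
    # A serialized-stream prefix in BAR is the strongest signal; any other pre-auth hit still merits review.
    severity = "high" if bar.startswith(JAVA_SER_B64_PREFIX) else "medium"
    return {"src": entry["src"], "ts": entry["ts"], "ctx": m.group("ctx"),
            "status": entry["status"], "bar_len": len(bar), "severity": severity}

def scan(lines):
    """Run the detector over an iterable of access-log lines."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding is not None:
                findings.append(finding)
    return findings

# Constructed sample log lines (RFC 5737 test addresses; BAR values are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2024:10:01:22 +0000] "GET /myapp/afr/partition/remote/rO0ABXNyCONSTRUCTED_SAMPLE/ HTTP/1.1" 500 231',
    '198.51.100.3 - - [18/Sep/2024:10:01:25 +0000] "GET /myapp/afr/partition/remote/logo.png HTTP/1.1" 200 4512',
    '192.0.2.10 - - [18/Sep/2024:10:02:00 +0000] "GET /myapp/faces/index.jsf HTTP/1.1" 200 9832',
]
```

Running scan(SAMPLE_LOG) yields two findings: a high-severity one for the first line and a medium-severity one for the legitimate-looking resource request, which is the intended triage split.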

Threat Landscape & Known Exploitation

The vulnerability was initially reported several years ago (2021) and patched the following year (2022). Nevertheless, as of 2024-09-18 (two years later), CISA (America's Cyber Defense Agency) has listed it in its Known Exploited Vulnerabilities (KEV) catalogue, indicating that it is currently being actively exploited in the wild. The vulnerability is reportedly being exploited as part of an exploit chain involving a second vulnerability, CVE-2022-21497.

Exploit code is available 'in the wild' to attackers via sites such as GitHub, making attacks against vulnerable instances relatively trivial.

Prioritisation should be given to immediate remediation in any impacted environment.

Affected Product Versions

  • Oracle JDeveloper 12.2.1.3.0 and 12.2.1.4.0.

  • Any other applications that rely on ADF Faces, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management.

Indicators of Compromise (IoC)

The vendor has not published a list of indicators of compromise (IoC) at the time of writing.

Remediation

Official Fix & Remediation Guidance

Oracle released a fix as part of its April 2022 Critical Patch Update, six months after the initial report. Customers are advised to upgrade to the latest version of the impacted product. At the time of writing the latest release version is 12c Release 2 (12.2.1.4).

Full product downloads can be found at https://www.oracle.com/uk/tools/downloads/jdeveloper-12c-downloads.html, or alternatively ADF bundles can be found at https://support.oracle.com/knowledge/Middleware/2659387_1.html.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds.)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

Risk

Impact: Critical
Probability: Critical
CVSS v4 Score: 9.3 / 10
CVSS v3 Score: 9.8 / 10
CVSS v2 Score: 8.3 / 10
EPSS: 91.5 %

Information

Category: Deserialization of Untrusted Data
CWE: CWE-502
Known Exploitation Activity

OWASP

OWASP 2013: Unknown
OWASP 2017: A8 - Insecure Deserialization
OWASP 2021: Unknown