Oracle ADF Faces 'Miracle' RCE (CVE-2022-21445)
Description
Oracle ADF Faces, a component of Oracle Fusion Middleware used in JDeveloper versions 12.2.1.3.0, 12.2.1.4.0, and earlier, contains a critical insecure deserialization vulnerability (CVE-2022-21445). This flaw allows unauthenticated attackers to send maliciously crafted serialized Java objects to the application, which are then processed without proper validation. Successful exploitation enables attackers to execute arbitrary code on the server with the privileges of the application, potentially leading to complete system compromise.
Remediation
Apply the security patches provided in Oracle's Critical Patch Update (CPU) for April 2022 immediately. Follow these steps to remediate:
1. Identify affected systems: Locate all installations of Oracle JDeveloper and Oracle ADF Faces versions 12.2.1.3.0, 12.2.1.4.0, and earlier in your environment
2. Apply patches: Download and install the appropriate patches from Oracle Support (My Oracle Support) following Oracle's patch installation guidelines
3. Verify patching: Confirm successful patch application by checking version numbers and testing application functionality
4. Implement defense-in-depth: Consider implementing network segmentation, web application firewalls (WAF), and input validation controls to reduce exposure
5. Monitor for exploitation: Review logs for suspicious deserialization attempts or unexpected DNS queries to external domains
If immediate patching is not possible, consider temporarily restricting network access to affected applications until patches can be applied.
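As an added example (not Oracle's tooling and not part of this advisory), one way to do the log review from step 5 of the remediation: the script below flags access-log query parameters that carry a Java serialization stream in raw, base64 or hex form. The log entries, paths and parameter names are constructed for illustration.

```python
"""Scan access-log lines for request parameters carrying Java serialized objects,
the input shape that CVE-2022-21445 abuses. Added example; not Oracle's own tooling."""
import re
from urllib.parse import unquote, unquote_to_bytes, urlsplit

# Java serialization stream header: STREAM_MAGIC 0xACED then STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = bytes.fromhex("aced0005")
# Base64 of any stream starting with those bytes begins with these five characters.
JAVA_SER_MAGIC_B64 = b"rO0AB"
# Hex-encoded form of the same header.
HEX_MAGIC_RE = re.compile(rb"aced0005", re.IGNORECASE)
# Request line inside a combined-format log entry, e.g. "GET /path?a=b HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def carries_java_stream(raw_value: str) -> bool:
    """True if a still-URL-encoded parameter value holds a Java stream in raw,
    base64 or hex form. Values are decoded to bytes so %AC%ED survives intact."""
    data = unquote_to_bytes(raw_value)
    return (JAVA_SER_MAGIC in data
            or JAVA_SER_MAGIC_B64 in data
            or HEX_MAGIC_RE.search(data) is not None)


def scan_access_log(lines):
    """Return (line_number, parameter_name) for each suspicious query parameter.
    Only the query string is visible in an access log; POST bodies need
    request-body logging or a WAF to be inspected the same way."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for pair in urlsplit(m.group("target")).query.split("&"):
            name, _, value = pair.partition("=")
            if value and carries_java_stream(value):
                hits.append((lineno, unquote(name)))
    return hits


# Constructed sample entries (hypothetical paths and parameter names, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Apr/2022:10:01:02 +0000] "GET /app/faces/view?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Apr/2022:10:01:07 +0000] "GET /app/faces/view?state=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Apr/2022:10:01:09 +0000] "GET /app/faces/view?state=%AC%ED%00%05sr%00 HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Apr/2022:10:01:11 +0000] "POST /app/faces/view?id=aced0005737200 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for lineno, name in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} carries a Java serialized stream")
```

Feed it real log lines (one per list element) and treat each hit as a candidate for the DNS-callback review in the same step; a match is a strong signal but not proof of exploitation.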