A remote code execution (RCE) vulnerability affecting Oracle Fusion Middleware and numerous other Oracle products has been patched by Oracle. The “Miracle Exploit”, a pair of serious weaknesses that can be chained together to achieve RCE, was discovered by security researchers “Peterjson” and “Jang” and reported to Oracle.
The researchers said they had privately disclosed to Oracle a critical vulnerability they found in Oracle Access Manager, tracked as CVE-2021-35587. Rated CVSS 9.8 and described as “easily exploitable”, the bug lets an unauthenticated attacker with network access over HTTP take over the application.
According to Jang, the pair uncovered that issue by accident while “building a PoC [proof-of-concept exploit code] for another mega 0-day.” That other flaw is CVE-2022-21445, which was also investigated by the Zero Day Initiative (ZDI): a CVSS 9.8 bug in the Oracle Application Development Framework (ADF) Faces framework within Oracle Fusion Middleware.
For pre-authentication RCE, the CVE-2022-21445 deserialization of untrusted data flaw can be chained with CVE-2022-21497 (CVSS 8.1), a takeover weakness in Oracle Web Services Manager. CVE-2022-21445 affects Fusion Middleware, multiple other Oracle products and even Oracle’s own cloud infrastructure, and the chain can be exercised over HTTP by an unauthenticated attacker with network access.
“One more thing to note, any website developed with the ADF Faces framework is affected,” said Peterjson.
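Because any ADF Faces site is in scope, the practical first step for a defender is an inventory: which of our web front ends are built on ADF Faces at all? The script below is an added example (not code from the article or from the researchers) that fingerprints an HTTP response for ADF Faces markers. The markers are assumptions based on how ADF Faces renders pages (static resources served under `/afr/`, the `_afrLoop`/`_afrWindowMode` request parameters, the `AdfPage` client-side object, the `oracle.adf.view.rich` and Trinidad package names), plus the generic JSF `javax.faces.ViewState` field and the Fusion Middleware `X-ORACLE-DMS-ECID` response header as weaker hints. The sample pages are constructed, so the script runs offline; against real hosts, only request pages you are authorised to test.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Heuristic markers of an Oracle ADF Faces front end (assumptions, not an Oracle
# published signature). Weight 2 = ADF-specific, weight 1 = generic JSF hint.
HTML_MARKERS: Dict[str, tuple] = {
    "afr_resource_path": (re.compile(r"/afr/", re.I), 2),
    "afr_request_param": (re.compile(r"[?&]_afr(Loop|WindowMode|WindowId)=", re.I), 2),
    "adf_client_api":    (re.compile(r"\bAdfPage\b"), 2),
    "adf_view_rich":     (re.compile(r"oracle\.adf\.view\.rich", re.I), 2),
    "trinidad":          (re.compile(r"org\.apache\.myfaces\.trinidad", re.I), 2),
    "jsf_viewstate":     (re.compile(r'name="javax\.faces\.ViewState"', re.I), 1),
}

# Response-header markers. X-ORACLE-DMS-ECID is the Fusion Middleware execution
# context id; on its own it only says "Oracle middleware", not "ADF Faces".
HEADER_MARKERS: Dict[str, tuple] = {
    "oracle_dms_ecid": ("x-oracle-dms-ecid", 1),
}


@dataclass
class Fingerprint:
    hits: List[str] = field(default_factory=list)
    score: int = 0
    verdict: str = "none"  # "adf-faces", "jsf-only" or "none"


def fingerprint(html: str, headers: Optional[Dict[str, str]] = None) -> Fingerprint:
    """Score one HTTP response (body plus optional headers) for ADF Faces markers.

    Verdict rule (assumption): any ADF-specific marker => "adf-faces";
    only the generic JSF ViewState field => "jsf-only"; nothing => "none".
    """
    fp = Fingerprint()
    for name, (pattern, weight) in HTML_MARKERS.items():
        if pattern.search(html):
            fp.hits.append(name)
            fp.score += weight
    for name, (header, weight) in HEADER_MARKERS.items():
        if headers and any(k.lower() == header for k in headers):
            fp.hits.append(name)
            fp.score += weight
    if any(HTML_MARKERS[h][1] == 2 for h in fp.hits if h in HTML_MARKERS):
        fp.verdict = "adf-faces"
    elif "jsf_viewstate" in fp.hits:
        fp.verdict = "jsf-only"
    return fp


def triage(pages: Dict[str, str],
           headers: Optional[Dict[str, Dict[str, str]]] = None) -> Dict[str, str]:
    """Map each URL to its verdict so the result can feed an asset inventory."""
    headers = headers or {}
    return {url: fingerprint(body, headers.get(url)).verdict for url, body in pages.items()}


# Constructed sample responses (not captured from any real system).
ADF_PAGE = """<html><head>
<script type="text/javascript" src="/portal/afr/partition/ie/default/opt/core.js"></script>
</head><body>
<form id="f1" method="POST" action="/portal/faces/home?_afrLoop=1234567&_afrWindowMode=0">
<input type="hidden" name="javax.faces.ViewState" value="!-abc123">
<script>if (window.AdfPage) { /* ADF client runtime present */ }</script>
</form></body></html>"""

PLAIN_JSF_PAGE = """<html><body>
<form id="j_idt5" method="post" action="/app/login.xhtml">
<input type="hidden" name="javax.faces.ViewState" value="-123:456">
</form></body></html>"""

STATIC_PAGE = "<html><body><h1>Hello</h1></body></html>"

if __name__ == "__main__":
    results = triage(
        {"https://portal.example.test/": ADF_PAGE,
         "https://app.example.test/login.xhtml": PLAIN_JSF_PAGE,
         "https://www.example.test/": STATIC_PAGE},
        {"https://portal.example.test/": {"X-ORACLE-DMS-ECID": "constructed-ecid"}},
    )
    for url, verdict in results.items():
        print(f"{url}: {verdict}")
```

A negative result does not clear a host: the landing page may be static while the ADF Faces application lives under another path, so crawl the paths your users actually hit. A positive result means the host belongs on the list to be checked against the April 2022 Critical Patch Update.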
The bug report was delivered to the vendor on October 25, 2021, after the researchers had tested the issue against Oracle’s own services and domains. Oracle acknowledged the report the same month and said an investigation was under way, but it was close to six months before a fix shipped: both issues were addressed in Oracle’s April 2022 Critical Patch Update. Unlike Microsoft and Adobe, which release patches monthly, Oracle bundles its security fixes into quarterly Critical Patch Updates.
Businesses running affected Oracle software are advised to apply the fix immediately. Other vendors that could have been impacted by the pre-auth RCE were notified through their respective bug bounty programs. Peterjson told The Stack that businesses that had not applied Oracle’s patch had been notified, and that he believes the number of vulnerable instances is “huge”.