Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CISA: Oracle Vulnerabilities From ‘Miracle Exploit’ Targeted in Attacks

CISA is warning organizations that two Oracle vulnerabilities tracked as CVE-2022-21445 and CVE-2020-14644 are being exploited in the wild. 

CISA

CISA this week added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including two Oracle product flaws for which there do not appear to be any previous reports of exploitation. 

The two Oracle product vulnerabilities added to the cybersecurity agency’s KEV list are tracked as CVE-2022-21445 and CVE-2020-14644. 

CVE-2022-21445 impacts the JDeveloper product of the Oracle Fusion Middleware platform, specifically a component named ADF Faces. CVE-2020-14644 impacts WebLogic Server. Both security holes have been rated ‘critical’ and they can be exploited by an unauthenticated attacker for remote code execution and to take over the targeted system. 

While CVE-2022-21445 and CVE-2020-14644 were discovered two years apart, they are connected. 

When CVE-2022-21445 was disclosed in June 2022, the researchers who found it described it as a ‘mega’ vulnerability that Oracle took six months to patch. 

They warned at the time that the flaw affected all applications that rely on the ADF Faces component, including Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management.

At the time, they showed how CVE-2022-21445 could be chained with another vulnerability to compromise impacted systems, specifically CVE-2020-14644, which Oracle just added to the KEV catalog. 

The researchers warned at the time that the exploit, which they dubbed ‘The Miracle Exploit’, affected all of Oracle’s online systems and cloud services that relied on ADF Faces. 

Advertisement. Scroll to continue reading.

The experts said they had reported their findings to major organizations such as Dell, BestBuy, Starbucks, and several others that had been impacted.

SecurityWeek has not seen any public reports describing attacks involving CVE-2022-21445 and CVE-2020-14644, but CISA does occasionally add vulnerabilities to its KEV catalog based on privately received reports. 

Related: CISA Warns of Progress Telerik Vulnerability Exploitation

Related: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.