CISA this week added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including two Oracle product flaws for which there do not appear to be any previous reports of exploitation.
The two Oracle product vulnerabilities added to the cybersecurity agency’s KEV list are tracked as CVE-2022-21445 and CVE-2020-14644.
CVE-2022-21445 impacts the JDeveloper product of the Oracle Fusion Middleware platform, specifically a component named ADF Faces. CVE-2020-14644 impacts WebLogic Server. Both security holes have been rated ‘critical’ and they can be exploited by an unauthenticated attacker for remote code execution and to take over the targeted system.
While CVE-2022-21445 and CVE-2020-14644 were discovered two years apart, they are connected.
When CVE-2022-21445 was disclosed in June 2022, the researchers who found it described it as a ‘mega’ vulnerability that Oracle took six months to patch.
They warned at the time that the flaw affected all applications that rely on the ADF Faces component, including Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management.
At the time, they showed how CVE-2022-21445 could be chained with another vulnerability to compromise impacted systems, specifically CVE-2020-14644, which Oracle just added to the KEV catalog.
The researchers warned at the time that the exploit, which they dubbed ‘The Miracle Exploit’, affected all of Oracle’s online systems and cloud services that relied on ADF Faces.
The experts said they had reported their findings to major organizations such as Dell, BestBuy, Starbucks, and several others that had been impacted.
SecurityWeek has not seen any public reports describing attacks involving CVE-2022-21445 and CVE-2020-14644, but CISA does occasionally add vulnerabilities to its KEV catalog based on privately received reports.
Related: CISA Warns of Progress Telerik Vulnerability Exploitation
Related: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products
Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign