CVE-2022-21445 Overview
CVE-2022-21445 is a critical insecure deserialization vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware, specifically affecting the ADF Faces component. This vulnerability allows an unauthenticated attacker with network access via HTTP to achieve complete takeover of affected Oracle ADF installations. Due to its ease of exploitation and severe impact, this vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated remote attackers can achieve complete system takeover, compromising confidentiality, integrity, and availability of Oracle ADF installations through insecure deserialization in the ADF Faces component.
Affected Products
- Oracle Application Development Framework 12.2.1.3.0
- Oracle Application Development Framework 12.2.1.4.0
- Oracle Fusion Middleware (ADF Faces component)
Discovery Timeline
- 2022-04-19 - CVE-2022-21445 published to NVD
- 2022-04-27 - Added to CISA Known Exploited Vulnerabilities catalog
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2022-21445
Vulnerability Analysis
This vulnerability stems from insecure deserialization (CWE-502) within the ADF Faces component of Oracle Application Development Framework. The flaw allows remote attackers to submit specially crafted serialized objects that, when processed by the vulnerable application, result in arbitrary code execution on the target system.
The exploitation path requires no authentication and can be triggered over standard HTTP connections, making it particularly dangerous for internet-facing Oracle Fusion Middleware deployments. Successful exploitation grants the attacker complete control over the ADF installation, enabling data theft, system modification, and denial of service.
Oracle Application Development Framework is distributed through the Oracle JDeveloper product, and organizations using this framework should consult the Fusion Middleware Patch Advisor for detailed patching guidance.
Root Cause
The vulnerability originates from improper handling of serialized Java objects within the ADF Faces component. When the application deserializes untrusted data without proper validation, an attacker can inject malicious object graphs that execute arbitrary code during the deserialization process. This is a classic insecure deserialization pattern where the application trusts incoming serialized data without verifying its origin or contents.
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker can craft a malicious HTTP request containing a specially serialized Java object payload targeting vulnerable deserialization endpoints in ADF Faces. When the server processes this request, the malicious payload executes with the privileges of the application server, potentially leading to complete system compromise.
The attack leverages common Java deserialization gadget chains that may be present in the application's classpath. These gadget chains allow attackers to chain together existing application classes to achieve arbitrary code execution during object reconstruction.
Detection Methods for CVE-2022-21445
Indicators of Compromise
- Unusual HTTP POST requests to ADF Faces endpoints containing serialized Java object payloads
- Anomalous process execution spawned by the application server process
- Unexpected outbound network connections from Oracle Fusion Middleware servers
- Suspicious Java deserialization activity patterns in application logs
Detection Strategies
- Monitor HTTP traffic for requests containing Java serialization magic bytes (AC ED 00 05) or Base64-encoded serialized objects
- Implement Web Application Firewall (WAF) rules to detect and block common deserialization attack patterns
- Deploy endpoint detection solutions to monitor for post-exploitation behavior on ADF servers
- Review application server logs for deserialization-related exceptions or errors
Monitoring Recommendations
- Enable detailed access logging on Oracle WebLogic Server hosting ADF applications
- Configure security monitoring for the ADF Faces component endpoints
- Implement network segmentation monitoring for Fusion Middleware infrastructure
- Set up alerts for any process spawning from the WebLogic/ADF application server context
How to Mitigate CVE-2022-21445
Immediate Actions Required
- Apply the Oracle Critical Patch Update from April 2022 immediately for all affected ADF installations
- Restrict network access to Oracle ADF applications to trusted networks only
- Implement WAF rules to filter suspicious serialized object payloads
- Audit all Oracle Fusion Middleware deployments for affected versions 12.2.1.3.0 and 12.2.1.4.0
Patch Information
Oracle has released patches addressing CVE-2022-21445 as part of the April 2022 Critical Patch Update. Organizations should obtain patches through the Oracle Critical Patch Update Advisory and the Fusion Middleware Patch Advisor. Given the critical severity and confirmed active exploitation tracked by CISA's Known Exploited Vulnerabilities catalog, immediate patching is essential.
Workarounds
- Isolate affected Oracle ADF servers behind network firewalls with strict access controls
- Implement serialization filters in the JVM to restrict dangerous classes from being deserialized
- Deploy a reverse proxy or WAF to inspect and filter incoming requests to ADF endpoints
- Consider temporarily disabling external access to ADF applications until patches can be applied
# Example: JVM deserialization filter configuration
# Add to Java startup options for WebLogic Server
-Djdk.serialFilter=!org.apache.commons.collections.*;!org.apache.xalan.*;pattern=*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
