Security researchers have published technical details of a critical Oracle Fusion Middleware vulnerability, tracked as CVE-2022-21445, that was reported to Oracle by researchers PeterJson of VNG Corporation and Nguyen Jang of VNPT in October 2021. Oracle addressed the flaw six months later, with the release of its April 2022 Critical Patch Update.
The vulnerability resides in the ADF Faces component of Fusion Middleware. It is a deserialization of untrusted data issue: the affected code reconstructs Java objects from attacker-supplied input, which can lead to arbitrary code execution on the server.
The security duo described the issue as a mega flaw that impacts all applications relying on ADF Faces, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The duo named their attack “The Miracle Exploit.”
“Now, after a period of time after Oracle released the patch, we decided to publish this blog to share the details of the Miracle exploit. We were very, very excited at the time (6 months ago), but now we don’t have that feeling anymore because Oracle took too long to patch this vulnerability, more than the standard,” reported the security duo in a blog post. “Anyway, this is a cool exploit, a cool story me and Jang worked on together for a month, so let us tell you about our story.”
The researchers also discovered a server-side request forgery (SSRF) vulnerability, tracked as CVE-2022-21497, that could be chained with CVE-2022-21445 to achieve pre-authentication remote code execution in Oracle Access Manager.
“In the demonstration we sent to Oracle, we chose edelivery.oracle.com and businessnetwork.oracle.com, which are popular for users to download Oracle’s products, and these sites are based on the ADF Faces framework,” conclude the experts. “Last but not least, we successfully achieved pre-auth RCE on login.oracle.com, which plays an important role in Oracle’s online services.”
“Why did we hack some of Oracle’s sites? Because we wanted to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous; it affects Oracle’s systems and Oracle’s customers. That’s why we wanted Oracle to take action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy,” they added.
(SecurityAffairs – hacking, Oracle)