Several Oracle products are affected by critical vulnerabilities that threat actors are actively exploiting. The security researchers who discovered the vulnerability named it the Miracle Exploit. It affects all Oracle online systems and Oracle Fusion Middleware products, and it is related to a vulnerability identified two years earlier. When chained, the two vulnerabilities can yield remote code execution.
Oracle Fusion Middleware products are used to build web interfaces for Java EE applications, and any website built with the ADF Faces framework is impacted. The vulnerabilities also affect Oracle Business Intelligence, Identity Management, Enterprise Manager, SOA Suite, Application Testing Suite, WebCenter Portal, and Transportation Management. CVE-2022-21445 has a CVSS score of 9.8, and CVE-2022-21497 has a CVSS score of 8.1. An unauthenticated attacker with network access over HTTP can exploit the vulnerabilities with little effort to take over an application. A successful exploitation can compromise the whole system and enable lateral movement within the environment, after which the attacker can steal sensitive information that ransomware groups may further exploit later.
CVE-2022-21445 is a deserialization of untrusted data vulnerability that allows remote code execution. CVE-2022-21497, a server-side request forgery (SSRF) vulnerability, can be exploited for lateral movement into other Oracle systems and for remote code execution. Oracle released patches for the vulnerabilities in April 2022, half a year after CVE-2022-21445 was discovered. The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. Oracle has not published any data on the scope of exploitation. No exploitation has been reported publicly, although CISA has received reports through private channels.
Because of the severity of the vulnerabilities and their potential impact, the Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note warning the healthcare and public health sectors about the risk of exploitation. Healthcare providers become vulnerable when they use Oracle Fusion products that depend on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are incorporated into their software, attackers can take control of electronic medical records and other critical systems, causing data breaches, operational disruption, and possibly regulatory fines.
HC3 recommends implementing the measures listed below. Ensuring that ePHI is protected is necessary to obtain HIPAA certification.
- Apply the most recent patch for Oracle JDeveloper.
- Segment networks and ensure that environments using JDeveloper are separated from production systems.
- Restrict access to JDeveloper environments to trusted end users only.
- Use strong authentication mechanisms.