Alert Issued About the Miracle Exploit Vulnerabilities Identified in Oracle Systems

by Ryan Coyne | Nov 3, 2024

Several Oracle products are affected by critical vulnerabilities that threat actors are actively exploiting. The security researchers who discovered the flaw named it the Miracle Exploit. It affects all Oracle online systems and Oracle Fusion Middleware products, and it is related to a second vulnerability identified two years ago. When chained together, the two vulnerabilities allow remote code execution.

Oracle Fusion Middleware products are used to build web interfaces for Java EE applications, and any website built with the ADF Faces framework is affected. The vulnerabilities also affect Oracle Business Intelligence, Identity Management, Enterprise Manager, SOA Suite, Application Testing Suite, WebCenter Portal, and Transportation Management. CVE-2022-21445 has a CVSS score of 9.8 and CVE-2022-21497 has a CVSS score of 8.1. An unauthenticated attacker with HTTP network access can exploit the vulnerabilities with little effort to take over an application. Successful exploitation can compromise the whole system and enable lateral movement within the environment, after which the attacker can steal sensitive information that ransomware groups may exploit further.

CVE-2022-21445 is a deserialization of untrusted data flaw that allows remote code execution. CVE-2022-21497, a server-side request forgery (SSRF) vulnerability, can be exploited for lateral movement into other Oracle systems and for remote code execution. Oracle issued patches for both vulnerabilities in April 2022, half a year after CVE-2022-21445 was discovered. The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. Oracle has not published any data on the extent of exploitation. No exploitation has been reported publicly, although CISA has received some reports privately.

Because of the severity and impact of the vulnerabilities, the Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note warning the healthcare and public health sectors about the risk of exploitation. Healthcare providers are exposed when they use Oracle Fusion products that depend on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are incorporated into their software, attackers could take control of electronic medical record systems and other critical systems, leading to data breaches, operational disruption, and potentially regulatory fines.

HC3 recommends implementing the measures listed below. Protecting ePHI is also a requirement for HIPAA compliance.

  • apply the most recent patch for Oracle JDeveloper
  • segment networks and make sure environments that use JDeveloper are segregated from production systems
  • restrict access to JDeveloper environments to trusted end users only
  • use strong authentication mechanisms


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
