CVE-2022-21420

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in the Core component of Oracle Coherence (part of Oracle Fusion Middleware) allows an unauthenticated attacker with network access via the T3 protocol to take over the Coherence instance. Affected Coherence versions are 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. Oracle fixed it in the April 2022 Critical Patch Update.

💻 Affected Systems

Products:
  • Oracle Coherence
  • Oracle Fusion Middleware
Versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects the Core component and requires T3 protocol access.

📦 What is this software?

Oracle Coherence is Oracle's distributed in-memory data grid (a clustered key-value cache and compute platform), shipped as a component of Oracle Fusion Middleware. In Fusion Middleware deployments it runs as managed Coherence servers inside a WebLogic Server domain, which is how it becomes reachable over WebLogic's T3 remote-invocation protocol, the attack vector named in the advisory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Oracle Coherence cluster leading to data theft, system manipulation, and service disruption across all connected applications.

🟠

Likely Case

Remote code execution leading to unauthorized access, data exfiltration, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact if T3 protocol is blocked at network boundaries and systems are properly segmented.

🌐 Internet-Facing: HIGH - Unauthenticated network access via T3 makes internet-facing systems extremely vulnerable to exploitation.
🏢 Internal Only: HIGH - Even internal systems are at high risk due to unauthenticated exploitation capability.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS 3.1 vector behind the 9.8 score (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) means network-reachable, low attack complexity, no privileges and no user interaction required; Oracle rates the vulnerability as easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update (CPU) from April 2022 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html

Restart Required: Yes

Instructions:

1. Download the April 2022 Critical Patch Update patch for Oracle Coherence from My Oracle Support and apply it to the Fusion Middleware Oracle home with OPatch, following the patch README.
2. Restart the Oracle Coherence servers (the managed Coherence / WebLogic servers hosting the cluster).
3. Confirm the patch is listed in the OPatch inventory (opatch lsinventory). The CPU does not change the base version string, so a version check alone does not prove the fix is applied.

🔧 Temporary Workarounds

Block T3 Protocol

Platform: Linux

WebLogic serves T3, HTTP and its other listen protocols on the same listen port (7001 by default, 7002 for the SSL listener), so a port-level block also cuts HTTP on that port; apply it only toward untrusted networks and keep cluster members and administration hosts able to reach it. Insert the rule ahead of any existing ACCEPT rules, and reload firewalld after adding a permanent rule.

iptables -I INPUT -p tcp --dport 7001 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="7001" protocol="tcp" drop'
firewall-cmd --reload

Network Segmentation

Platform: All

Isolate Oracle Coherence instances in separate network segments with strict access controls.

🧯 If You Can't Patch

  • Implement strict network segmentation and isolate Oracle Coherence instances
  • Block all T3 protocol traffic at firewalls and network boundaries
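For Coherence instances that run inside a WebLogic Server domain, a finer-grained alternative to the port-level block in the "Block T3 Protocol" workaround and the "If You Can't Patch" list above is WebLogic's built-in connection filter, which can deny only the t3 and t3s protocols while leaving HTTP on the same listen port untouched. The rules below are an added example, not from this page or from Oracle; the 10.0.5.0/24 administration subnet and the 7001/7002 ports are assumptions to replace with your own. Enter them in the Administration Console under Domain > Security > Filter (Connection Filter: weblogic.security.net.ConnectionFilterImpl; Connection Filter Rules: the lines below) and restart the servers. Each rule is "target localAddress localPort action protocols"; rules are evaluated top to bottom and the first match wins, so the allow line must precede the deny lines.

```text
10.0.5.0/24  *  7001  allow  t3 t3s
0.0.0.0/0    *  7001  deny   t3 t3s
0.0.0.0/0    *  7002  deny   t3 t3s
```

Enabling the filter's connection logger alongside the rules records every accepted and rejected connection, which doubles as a detection source for T3 attempts from unexpected hosts.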

🔍 How to Verify

Check if Vulnerable:

Check Oracle Coherence version against affected versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Check Version:

java -jar coherence.jar -version

Verify Fix Applied:

Confirm that the April 2022 (or later) Oracle Coherence CPU patch appears in the OPatch inventory of the Oracle home. The CPU does not move the product past the listed base versions: a patched 12.2.1.4.0 install still reports 12.2.1.4.0, so the version string alone cannot distinguish patched from unpatched.

📡 Detection & Monitoring

Log Indicators:

  • Unusual T3 protocol connections
  • Unexpected Java process execution
  • Abnormal Coherence cluster behavior

Network Indicators:

  • T3 protocol traffic to the WebLogic listen ports that front the Coherence instances (7001 and 7002 by default) from hosts that are not cluster members or administration hosts
  • Unusual outbound connections from Coherence servers

SIEM Query:

source="coherence.log" AND ("T3" OR "deserialization" OR "unexpected")

This keyword search is only a coarse starting point: a successful exploit need not leave any of these strings in the Coherence log. WebLogic's connection logger on the listen ports, or a network sensor that flags T3 handshakes from unexpected sources, gives a more reliable signal.
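The network indicator above can be checked mechanically. The following is an added example for this page, not Oracle code or a Coherence feature: it recognises the T3 client hello (the connection's first bytes are an ASCII line `t3 <version>` followed by `AS:`, `HL:` and `MS:` headers and a blank line; the server answers `HELO:<version>.<true|false>` in the same layout) and raises an alert when such a hello reaches a monitored listen port from a source outside an allow-list. The flows, the 10.0.5.0/24 and 10.0.9.0/24 subnets and the 7001/7002 ports are constructed assumptions; in practice the payloads would come from a packet capture or a sensor such as Zeek, and the HELO parser can also be used to inventory which listeners still answer T3 at all.

```python
import ipaddress
import re

# T3 client hello: first line is "t3 <protocol version>", then AS/HL/MS headers.
T3_CLIENT_HELLO = re.compile(rb"\At3 (\d+(?:\.\d+)*)\r?\n")
# T3 server reply: "HELO:<server version>.<secure flag>".
T3_SERVER_HELO = re.compile(rb"\AHELO:(\d+(?:\.\d+)*)\.(true|false)\r?\n")


def t3_client_version(payload: bytes):
    """Return the T3 protocol version in a client hello, or None if not T3."""
    m = T3_CLIENT_HELLO.match(payload)
    return m.group(1).decode() if m else None


def t3_server_info(payload: bytes):
    """Return (server version, secure flag) from a server HELO, or None."""
    m = T3_SERVER_HELO.match(payload)
    if not m:
        return None
    return m.group(1).decode(), m.group(2) == b"true"


def flag_t3_flows(flows, listen_ports, allowed_nets):
    """Alert on T3 client hellos to listen_ports from sources outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for flow in flows:
        if flow["dport"] not in listen_ports:
            continue  # not one of the monitored WebLogic listen ports
        version = t3_client_version(flow["payload"])
        if version is None:
            continue  # HTTP or other traffic sharing the listen port
        src = ipaddress.ip_address(flow["src"])
        if any(src in net for net in nets):
            continue  # expected T3 peer (cluster member, admin host)
        alerts.append({
            "src": flow["src"],
            "dst": flow["dst"],
            "dport": flow["dport"],
            "t3_version": version,
            "reason": "T3 hello from host outside the allow-list",
        })
    return alerts


# Constructed sample flows (not captured traffic): first-packet payloads of
# TCP connections to a WebLogic listen port fronting Coherence.
SAMPLE_FLOWS = [
    {"src": "10.0.5.12", "dst": "10.0.9.20", "dport": 7001,
     "payload": b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"},     # admin host, allowed
    {"src": "203.0.113.7", "dst": "10.0.9.20", "dport": 7001,
     "payload": b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"},     # external T3: alert
    {"src": "203.0.113.7", "dst": "10.0.9.20", "dport": 7001,
     "payload": b"GET /console HTTP/1.1\r\nHost: grid\r\n\r\n"},   # HTTP, not T3
    {"src": "192.0.2.9", "dst": "10.0.9.20", "dport": 8080,
     "payload": b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"},     # port not monitored
]

ALLOWED_NETS = ["10.0.5.0/24", "10.0.9.0/24"]  # assumed admin and cluster subnets
LISTEN_PORTS = {7001, 7002}                     # assumed WebLogic listen ports


if __name__ == "__main__":
    for alert in flag_t3_flows(SAMPLE_FLOWS, LISTEN_PORTS, ALLOWED_NETS):
        print(alert)
```

Run as a script it prints a single alert, for the external hello to port 7001; the HTTP request on the same port and the hello from the admin subnet produce nothing. That is the point of the allow-list: legitimate T3 peers (cluster members, the admin server) are known in advance, and anything else speaking T3 to the Coherence listeners is exactly the unauthenticated access this CVE makes dangerous.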
