CVE-2022-21445

CVSS 3.1 base score 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

📋 TL;DR

CVE-2022-21445 is a critical deserialization-of-untrusted-data vulnerability in Oracle ADF Faces, the web UI component library of Oracle Fusion Middleware. An unauthenticated attacker who can reach an ADF application over HTTP can submit a crafted serialized Java object and execute arbitrary code as the application server user. Affected ADF versions are 12.2.1.3.0 and 12.2.1.4.0. Successful exploitation results in complete compromise of the application server hosting the ADF application.

💻 Affected Systems

Products:
  • Oracle Application Development Framework (ADF) Faces
Versions: 12.2.1.3.0 and 12.2.1.4.0
Operating Systems: All platforms running Oracle Fusion Middleware
Default Config Vulnerable: ⚠️ Yes
Notes: The ADF Faces runtime ships with the Oracle Fusion Middleware infrastructure (WebLogic-based Oracle Homes) and with Oracle JDeveloper. Every deployed ADF application on an affected version is vulnerable in its default configuration; no optional feature needs to be enabled.

📦 What is this software?

Oracle Application Development Framework (ADF) is Oracle's Java EE application framework, shipped as part of the Oracle Fusion Middleware infrastructure and with Oracle JDeveloper. ADF Faces is its JavaServer Faces component library: it renders the pages and processes the HTTP postbacks of every ADF web application, which is why a flaw in it is reachable by anyone who can send HTTP requests to the application. Oracle also builds many of its own Fusion Middleware products on ADF, so the affected runtime is often present on systems where nobody deployed a custom ADF application.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with full administrative control, data exfiltration, and potential lateral movement to other systems.

🟠

Likely Case

Remote code execution leading to data theft, application compromise, and potential ransomware deployment.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated HTTP access makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to network-based attacks from compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CISA has added this to their Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the ADF patches from the Oracle Critical Patch Update April 2022. The CPU patches do not change the product version: a fixed Oracle Home still reports 12.2.1.3.0 or 12.2.1.4.0 and is identified as fixed by the applied patch number.

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html

Restart Required: Yes

Instructions:

1. Identify every Oracle Home that contains the ADF runtime (Fusion Middleware infrastructure homes as well as JDeveloper installs), including test, standby and disaster-recovery environments.
2. Download the ADF patches listed for CVE-2022-21445 in the April 2022 CPU from My Oracle Support.
3. Stop the domain's servers and apply the patches with OPatch to each affected Oracle Home.
4. Restart the AdminServer and managed servers.
5. Verify with opatch lsinventory that the CPU patch numbers are listed in each home.

🔧 Temporary Workarounds

Network Access Control

Applies to: all platforms

Restrict HTTP(S) access to ADF applications to trusted networks only; where a reverse proxy fronts the application, expose only the pages that external users need.

Web Application Firewall Rules

Applies to: all platforms

Block requests whose Content-Type is application/x-java-serialized-object and requests whose body, form fields or query string contain a Java serialization stream (bytes AC ED 00 05, or rO0AB when base64-encoded). Attackers can compress or re-encode the payload, so treat WAF rules as a stop-gap that buys time to patch, not as a fix.

🧯 If You Can't Patch

  • Isolate affected systems from the internet and untrusted networks
  • Implement strict network segmentation and monitor for exploitation attempts
  • Restrict outbound connections from the application server, so a successful exploit cannot easily fetch a second stage or call home

🔍 How to Verify

Check if Vulnerable:

Determine the ADF version of each Oracle Home, either from the Fusion Middleware pages in Oracle Enterprise Manager or from the OPatch inventory. A home at 12.2.1.3.0 or 12.2.1.4.0 that does not list the April 2022 CPU ADF patch is vulnerable. Oracle's advisory lists only these two releases; for anything older, check with Oracle Support rather than assuming it is unaffected.

Check Version:

opatch lsinventory | grep -i adf

Run this from the OPatch directory of each Oracle Home with ORACLE_HOME set, and search the full output for the CPU patch numbers as well as the version.

Verify Fix Applied:

Run opatch lsinventory in each patched Oracle Home and confirm that the ADF patch number(s) named in the April 2022 CPU appear among the interim patches. The product version does not change after patching: a fixed system still reports 12.2.1.3.0 or 12.2.1.4.0, so the version string alone cannot tell you whether the fix is in place.
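Because the fix is visible only as a patch number and not as a new version string, a verification script should parse the interim-patch lines of opatch lsinventory rather than grep for the version. The following added example (not Oracle tooling and not code from this page) does that in Python over two constructed inventory listings; the patch number 12345678 is a placeholder, and the real numbers for each Oracle Home must be taken from the April 2022 CPU advisory.

```python
"""Check an "opatch lsinventory" listing for the CPU patch rather than the version string.

Added example for this page, not Oracle tooling. The inventory text below and the
patch number 12345678 are constructed placeholders: take the real patch numbers
for your Oracle Home from the April 2022 CPU advisory.
"""
import re

# Interim-patch lines as printed by "opatch lsinventory", e.g.
#   Patch  12345678     : applied on Mon Apr 25 09:12:31 CEST 2022
PATCH_LINE = re.compile(r"^\s*Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$", re.MULTILINE)
# Five-part Fusion Middleware 12.2.1 version strings such as 12.2.1.4.0
VERSION = re.compile(r"\b12\.2\.1\.\d+\.\d+\b")


def applied_patches(inventory: str) -> dict[str, str]:
    """Map patch number -> 'applied on' timestamp for every interim patch listed."""
    return dict(PATCH_LINE.findall(inventory))


def product_versions(inventory: str) -> set[str]:
    """All 12.2.1.x.y version strings in the listing; a CPU patch does not change these."""
    return set(VERSION.findall(inventory))


def cpu_fix_present(inventory: str, required_patches: set[str]) -> tuple[bool, set[str]]:
    """True when every required CPU patch number is listed; also returns the missing ones."""
    missing = set(required_patches) - set(applied_patches(inventory))
    return (not missing, missing)


# Constructed listings (not real opatch output); the real listing has more sections
# but the same "Patch <number> : applied on <date>" lines.
UNPATCHED_HOME = """\
Oracle Home       : /u01/app/oracle/fmw12214
Installed Top-level Products:
Oracle Fusion Middleware 12c Infrastructure                          12.2.1.4.0
Interim patches:
Patch  11111111     : applied on Tue Jan 18 10:02:11 CET 2022
"""
PATCHED_HOME = UNPATCHED_HOME + "Patch  12345678     : applied on Mon Apr 25 09:12:31 CEST 2022\n"

REQUIRED = {"12345678"}  # placeholder for the ADF CPU patch number(s) from the advisory

if __name__ == "__main__":
    for name, listing in (("unpatched", UNPATCHED_HOME), ("patched", PATCHED_HOME)):
        ok, missing = cpu_fix_present(listing, REQUIRED)
        print(name, product_versions(listing), "fixed" if ok else f"missing {sorted(missing)}")
```

Both listings report the same 12.2.1.4.0 version; only the presence of the required patch number separates the fixed home from the vulnerable one. To use it on a real system, feed the output of opatch lsinventory into cpu_fix_present with the patch numbers from the CPU advisory.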

📡 Detection & Monitoring

Log Indicators:

  • POST or PUT requests to ADF pages (paths under /faces/, or carrying _adf.ctrl-state or _afrLoop parameters) from sources that never completed a normal page load or login
  • Java deserialization errors in WebLogic server logs (ObjectInputStream stack traces, ClassNotFoundException or InvalidClassException for classes the application never uses)
  • Unexpected child processes of the WebLogic Java process (shells, curl, wget, PowerShell)

Network Indicators:

  • HTTP requests to ADF paths with Content-Type application/x-java-serialized-object, or with bodies or parameters containing the serialization magic AC ED 00 05 (rO0AB in base64)
  • Unusual outbound connections from application servers, which normally initiate few connections beyond their databases and directory services

SIEM Query:

Splunk-style pseudo-query; field names depend on the log source, and the body and query-string fields exist only if a WAF or reverse proxy in front of WebLogic logs them:

source="*adf*" http_method IN ("POST","PUT") (content_type="application/x-java-serialized-object*" OR content_type="application/x-java*" OR request_body="*rO0AB*" OR uri_query="*rO0AB*")

Do not add uri="*/adf*" or user_agent="*Java*" as alternative OR conditions: every legitimate ADF postback is a POST to an ADF path, so such a clause fires on all normal traffic and drowns the real hits. rO0AB is the base64 encoding of the stream magic AC ED 00 05; a payload that is gzip-compressed before encoding will not match this string and needs body inspection.
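The WAF workaround above and these detection indicators both reduce to one question: does the request carry a Java serialization stream? The following added example (not code from this page, from Oracle, or from any WAF product) implements that check in Python. It recognises the stream magic raw, base64-encoded (standard or URL-safe alphabet, percent-encoded or not) and gzip-compressed, tags ADF-style URLs, and runs over constructed sample requests. The Request class, the sample traffic and the truncated HashMap stream header are assumptions for illustration; the ADF path markers are the parameter names ADF actually uses in its URLs.

```python
"""Flag HTTP requests that carry a Java serialization stream toward ADF endpoints.

Added example for this page, not code from Oracle or from any WAF product.
The ADF path markers are real ADF URL conventions; the sample requests and the
serialized payload fragment are constructed, not captured traffic.
"""
import base64
import binascii
import gzip
import re
import zlib
from dataclasses import dataclass
from urllib.parse import unquote

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"       # STREAM_MAGIC 0xACED, STREAM_VERSION 5
GZIP_MAGIC = b"\x1f\x8b"
SUSPICIOUS_CONTENT_TYPES = ("application/x-java-serialized-object", "application/x-java")
ADF_PATH_MARKERS = ("/faces/", "_adf.ctrl-state", "_afrLoop")   # ADF page URLs and state parameters
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")            # standard or URL-safe base64 runs
MAX_DEPTH = 2                                                     # base64 -> gzip -> stream is enough


@dataclass
class Request:
    method: str
    path: str           # path plus optional query string
    headers: dict
    body: bytes


def looks_like_adf(req: Request) -> bool:
    """True for URLs that ADF applications generate for their pages and postbacks."""
    return any(marker in req.path for marker in ADF_PATH_MARKERS)


def contains_java_stream(blob: bytes, depth: int = 0) -> bool:
    """True if blob is, or wraps (gzip and/or base64, possibly percent-encoded), a Java serialization stream."""
    if JAVA_SER_MAGIC in blob:
        return True
    if depth >= MAX_DEPTH:
        return False
    if blob.startswith(GZIP_MAGIC):
        try:
            return contains_java_stream(gzip.decompress(blob), depth + 1)
        except (OSError, EOFError, zlib.error):
            return False
    text = unquote(blob.decode("latin-1"))          # undo %XX so encoded "+" and "/" survive
    for match in B64_TOKEN.finditer(text):
        token = match.group(0).replace("-", "+").replace("_", "/")
        try:
            decoded = base64.b64decode(token + "=" * (-len(token) % 4))
        except (binascii.Error, ValueError):
            continue
        if contains_java_stream(decoded, depth + 1):
            return True
    return False


def inspect_request(req: Request) -> list[str]:
    """Return the reasons a request looks like a deserialization attempt (empty list = clean)."""
    reasons = []
    content_type = req.headers.get("content-type", "").lower()
    if content_type.startswith(SUSPICIOUS_CONTENT_TYPES):
        reasons.append(f"content-type {content_type}")
    if req.method.upper() in ("POST", "PUT") and contains_java_stream(req.body):
        reasons.append("java serialization stream in body")
    query = req.path.partition("?")[2]
    if query and contains_java_stream(query.encode("latin-1")):
        reasons.append("java serialization stream in query string")
    return reasons


def should_block(req: Request) -> bool:
    """WAF-style decision: drop anything carrying a serialized object, whatever the path."""
    return bool(inspect_request(req))


# Constructed sample traffic. The payload mimics only the header of a serialized java.util.HashMap.
SERIALIZED_PAYLOAD = JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02"

BENIGN_POSTBACK = Request(
    "POST", "/myapp/faces/home?_adf.ctrl-state=1a2b3c_7&_afrLoop=42",
    {"content-type": "application/x-www-form-urlencoded"},
    b"org.apache.myfaces.trinidad.faces.FORM=f1&javax.faces.ViewState=!-1a2b3c",
)
RAW_JAVA_POST = Request(
    "POST", "/myapp/faces/home",
    {"content-type": "application/x-java-serialized-object"},
    SERIALIZED_PAYLOAD,
)
ENCODED_FIELD_POST = Request(
    "POST", "/myapp/faces/home?_afrLoop=7",
    {"content-type": "application/x-www-form-urlencoded"},
    b"javax.faces.ViewState=" + base64.b64encode(gzip.compress(SERIALIZED_PAYLOAD)),
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_POSTBACK), ("raw", RAW_JAVA_POST), ("encoded", ENCODED_FIELD_POST)):
        print(name, "adf" if looks_like_adf(req) else "other", should_block(req), inspect_request(req))
```

The ordinary ADF postback passes, while both the raw stream and the base64-wrapped gzip stream are flagged. Plain access logs cannot feed this check because they do not contain request bodies: it has to run in the WAF, the reverse proxy, or a request-logging filter in front of WebLogic. The base64 scan tries every long base64-looking token in the request, so a stream hidden inside a larger encoded field is still found; the depth limit keeps a hostile request from making the filter decode forever.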

🔗 References

  • Oracle Critical Patch Update Advisory, April 2022: https://www.oracle.com/security-alerts/cpuapr2022.html
  • NVD entry for CVE-2022-21445: https://nvd.nist.gov/vuln/detail/CVE-2022-21445
  • CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog