CVE-2022-21570
📋 TL;DR
This vulnerability in Oracle Coherence allows unauthenticated attackers with network access via T3 or IIOP protocols to cause denial of service by crashing or hanging the service. It affects multiple versions of Oracle Coherence across Oracle Fusion Middleware deployments. The attack requires no authentication and has low complexity, making it easily exploitable.
💻 Affected Systems
- Oracle Coherence
- Oracle Fusion Middleware
📦 What is this software?
Coherence by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for Oracle Coherence services, potentially disrupting dependent applications and business processes that rely on Coherence for caching and data grid functionality.
Likely Case
Service disruption causing application performance degradation or outages for systems using vulnerable Oracle Coherence instances.
If Mitigated
Limited impact if network access to T3/IIOP ports is restricted or if the service is behind proper network segmentation and access controls.
🎯 Exploit Status
Exploitation requires sending specially crafted T3 or IIOP requests to vulnerable Coherence instances. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Critical Patch Update July 2022 or later
Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2022.html
Restart Required: Yes
Instructions:
1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch to affected Oracle Coherence installations.
3. Restart Coherence services and dependent applications.
4. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Block or restrict network access to the T3 (typically ports 7001-7010) and IIOP (typically port 9002) ports on Coherence servers. Note that these rules are appended to the INPUT chain, so they only take effect if no earlier rule already accepts the traffic, and they also block legitimate Coherence clients; where clients must keep working, accept trusted sources first and drop the rest.
iptables -A INPUT -p tcp --dport 7001:7010 -j DROP
iptables -A INPUT -p tcp --dport 9002 -j DROP
Network Access Restriction
Windows: Block or restrict network access to the T3 (typically ports 7001-7010) and IIOP (typically port 9002) ports on Coherence servers.
New-NetFirewallRule -DisplayName "Block Coherence Ports" -Direction Inbound -LocalPort 7001-7010,9002 -Protocol TCP -Action Block
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Coherence servers from untrusted networks
- Deploy network-based intrusion prevention systems (IPS) to detect and block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Oracle Coherence version with the version command shown under Check Version, or examine the installation directories for version information.
Check Version:
java -jar coherence.jar version
Verify Fix Applied:
After patching, check the version again and confirm that the Critical Patch Update July 2022 (or a later one) is applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual T3 or IIOP connection attempts
- Coherence service crashes or hangs
- Error messages related to T3/IIOP protocol handling
Network Indicators:
- Unusual traffic patterns to Coherence T3/IIOP ports
- Multiple connection attempts from single sources
SIEM Query:
source="coherence.log" AND ("T3" OR "IIOP") AND ("error" OR "crash" OR "hang")
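The following is an added example, not part of this advisory and not Oracle's code: a small Python detector that applies the Log Indicators, Network Indicators and SIEM query above to constructed sample data, so the matching logic can be tested offline before it is turned into a real SIEM rule. The log line layout, the connection-record shape and the threshold of three attempts per source are assumptions; the port numbers are those named in the workaround section.

```python
"""Added example (not from the advisory or from Oracle): offline check of the
advisory's detection logic over constructed sample data.  Log layout,
connection-record shape and thresholds are assumptions."""
import re
from collections import Counter

# Ports named in the advisory: T3 typically 7001-7010, IIOP typically 9002.
T3_PORTS = set(range(7001, 7011))
IIOP_PORTS = {9002}
WATCHED_PORTS = T3_PORTS | IIOP_PORTS

# Equivalent of the SIEM query ("T3" OR "IIOP") AND ("error" OR "crash" OR "hang"),
# evaluated case-insensitively on whole words so "changed" does not match "hang".
PROTOCOL_RE = re.compile(r"\b(t3|iiop)\b", re.IGNORECASE)
FAILURE_RE = re.compile(r"\b(error|crash|hang)", re.IGNORECASE)

# Constructed sample log lines in an assumed "<timestamp> <level> <message>" layout.
SAMPLE_LOG_LINES = [
    "2022-07-20 10:00:01 INFO  Member joined the cluster",
    "2022-07-20 10:00:05 ERROR T3 protocol handler: unexpected message, connection aborted",
    "2022-07-20 10:00:09 WARN  IIOP listener hang detected, worker thread blocked for 30s",
    "2022-07-20 10:00:12 INFO  Cache 'orders' size=1024",
    "2022-07-20 10:00:15 ERROR Service crash: DistributedCache terminated unexpectedly",
]

# Constructed sample connection records: (source IP, destination port).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 7001), ("10.0.0.5", 7001), ("10.0.0.5", 7002),
    ("10.0.0.5", 9002), ("10.0.0.5", 7005),
    ("10.0.0.8", 7001),
    ("10.0.0.9", 443), ("10.0.0.9", 443), ("10.0.0.9", 443), ("10.0.0.9", 443),
]


def matches_siem_query(line: str) -> bool:
    """True when a line mentions T3 or IIOP together with an error/crash/hang term."""
    return bool(PROTOCOL_RE.search(line)) and bool(FAILURE_RE.search(line))


def log_indicators(lines) -> list:
    """Return the log lines that satisfy the advisory's SIEM query."""
    return [line for line in lines if matches_siem_query(line)]


def suspicious_sources(connections, threshold: int = 3) -> dict:
    """Map source IP -> number of attempts to T3/IIOP ports, for sources at or
    above the threshold (the advisory's 'multiple connection attempts from
    single sources' indicator).  Traffic to other ports is ignored."""
    attempts = Counter(src for src, port in connections if port in WATCHED_PORTS)
    return {src: n for src, n in attempts.items() if n >= threshold}


def report(lines, connections) -> dict:
    """Combine both indicator types into one result suitable for alerting."""
    return {
        "log_hits": log_indicators(lines),
        "network_hits": suspicious_sources(connections),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG_LINES, SAMPLE_CONNECTIONS)
    for hit in result["log_hits"]:
        print("LOG  :", hit)
    for src, n in result["network_hits"].items():
        print(f"NET  : {src} made {n} attempts to T3/IIOP ports")
```

On the constructed data the two T3/IIOP error lines are reported while the generic "Service crash" line is not, because it names neither protocol; and only 10.0.0.5 is flagged on the network side, since 10.0.0.9 talks to port 443 and 10.0.0.8 connects once. The threshold and the time window you would add in a real SIEM depend on how chatty your legitimate Coherence clients are.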