PatchSiren cyber security CVE debrief
CVE-2022-21445 Oracle CVE debrief
CVE-2022-21445 affects Oracle ADF Faces and is listed by CISA in the Known Exploited Vulnerabilities catalog as of 2024-09-18. CISA’s guidance for this item is to apply vendor mitigations or discontinue use of the product if mitigations are unavailable. Because KEV inclusion indicates known exploitation, affected Oracle ADF Faces deployments should be treated as a remediation priority rather than a routine patch item.
- Vendor: Oracle
- Product: ADF Faces
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2024-09-18
- Original CVE updated: 2024-09-18
- Advisory published: 2024-09-18
- Advisory updated: 2024-09-18
Who should care
Oracle ADF Faces administrators, Java application owners, security operations teams, vulnerability management teams, and asset owners responsible for externally reachable web applications using Oracle ADF Faces.
Technical summary
The vulnerability is described as a deserialization of untrusted data issue in Oracle ADF Faces. In practical terms, application code may deserialize attacker-influenced data in an unsafe way, so input that crosses a trust boundary is processed as if it were trusted. The supplied corpus does not include vendor exploit details or impact scoring, so remediation should be driven by the KEV listing and Oracle’s guidance referenced by CISA.
Defensive priority
High. This CVE is in CISA’s Known Exploited Vulnerabilities catalog, so it should be prioritized for immediate inventory validation, mitigation, and patching or removal planning. The KEV due date supplied with the record is 2024-10-09.
Recommended defensive actions
- Identify all Oracle ADF Faces deployments, including embedded or legacy web applications.
- Apply Oracle’s vendor guidance and mitigations referenced by CISA for this issue.
- If mitigations are unavailable, plan to discontinue use of the affected product or component.
- Prioritize internet-facing or broadly accessible instances first.
- Confirm remediation completion through asset inventory and configuration review.
- Monitor application and server logs for unexpected errors or anomalous requests involving ADF Faces components.
Evidence notes
CISA’s KEV record for CVE-2022-21445 lists vendorProject Oracle, product ADF Faces, dateAdded 2024-09-18, and dueDate 2024-10-09. The KEV metadata instructs defenders to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable. CISA source notes reference Oracle’s April 2022 CPU and the NVD entry for this CVE. No additional impact details or CVSS score were supplied in the corpus.
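The inventory, prioritization and confirmation steps under "Recommended defensive actions" can be driven directly from the KEV fields quoted above. The following is an added example, not part of the original debrief or any CISA or Oracle tooling; the inventory schema and host names are hypothetical, and the KEV entry is constructed from the values on this page.

```python
from datetime import date

# Constructed KEV entry: the values are those quoted on this page; the key
# names follow the KEV JSON feed.
KEV_ENTRY = {"cveID": "CVE-2022-21445", "vendorProject": "Oracle",
             "product": "ADF Faces", "dateAdded": "2024-09-18",
             "dueDate": "2024-10-09"}

# Constructed asset inventory (hypothetical hosts and schema).
INVENTORY = [
    {"host": "hr-portal.example.internal", "components": ["Oracle ADF Faces"],
     "internet_facing": False, "remediated": False},
    {"host": "partner-app.example.com", "components": ["oracle  adf faces", "nginx"],
     "internet_facing": True, "remediated": False},
    {"host": "legacy-forms.example.internal", "components": ["Oracle ADF Faces"],
     "internet_facing": False, "remediated": True},
    {"host": "wiki.example.internal", "components": ["nginx"],
     "internet_facing": False, "remediated": False},
]

def _norm(text):
    """Lower-case and collapse whitespace so inventory spellings compare equal."""
    return " ".join(text.lower().split())

def uses_product(asset, entry):
    """True if any listed component names the KEV product."""
    needle = _norm(entry["product"])
    return any(needle in _norm(c) for c in asset["components"])

def triage(inventory, entry, today):
    """Return affected assets: unremediated first, internet-facing before internal."""
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    rows = []
    for asset in inventory:
        if not uses_product(asset, entry):
            continue
        if asset["remediated"]:
            status = "done"
        else:
            status = "overdue" if days_left < 0 else "open"
        rows.append({"host": asset["host"], "status": status,
                     "internet_facing": asset["internet_facing"],
                     "days_left": days_left})
    rows.sort(key=lambda r: (r["status"] == "done", not r["internet_facing"], r["host"]))
    return rows

if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_ENTRY, date.today()):
        print(row)
```
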
Official resources
- CVE-2022-21445 CVE record (CVE.org)
- CVE-2022-21445 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- Source item URL: cisa_kev
Publicly listed in CISA’s Known Exploited Vulnerabilities catalog; this debrief uses only the supplied official records and does not include exploit mechanics.