How to Fix CVE-2022-21445: Insecure Deserialization in Application Development Framework (ADF)
By Sai Kiran Pandrala
| Severity | CVSS 9.8 - Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV (added 2024-09-18) |
| Affected | Application Development Framework (ADF) 12.2.1.3.0; Application Development Framework (ADF) 12.2.1.4.0 |
| Fixed in | See vendor advisory |
| Type (CWE) | Not verified - see official advisory |
Patch immediately. CISA added CVE-2022-21445 to the Known Exploited Vulnerabilities catalog on 2024-09-18. Federal civilian agencies must remediate by 2024-10-09. Treat every internet-reachable instance as a priority patch.
What is CVE-2022-21445?
CVE-2022-21445 is an Insecure Deserialization flaw in Oracle Corporation Application Development Framework (ADF). It carries a CVSS base score of 9.8 (critical). CISA confirmed real-world exploitation by adding it to the Known Exploited Vulnerabilities catalog on 2024-09-18.
From the source record: Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via Oracle JDeveloper Product. Please refer to Fusion Middlewar...
Why it matters in practice: KEV-listed CVEs draw continuous internet-wide scanning. Any unpatched, internet-reachable installation is on borrowed time. The blast radius depends on how the affected service is exposed. An internet-facing instance with no compensating controls is the highest-risk configuration.
Am I affected?
You are affected if your installation of Application Development Framework (ADF) matches a version listed in the Affected row above.
Check the Oracle product version:
# WebLogic example
. $MW_HOME/wlserver/server/bin/setWLSEnv.sh
java weblogic.version
# Java SE
java -version
How to fix CVE-2022-21445
Apply the vendor patch. Target the patched build listed on the vendor advisory. The runnable command set below covers the most common deployment patterns for Application Development Framework (ADF).
Oracle critical patch update (cpu)
# Vendor advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
# Download the patch ZIP from My Oracle Support, then:
cd $ORACLE_HOME/OPatch
./opatch apply /path/to/patch_<id>
./opatch lsinventory | grep <patch_id>
After applying the patch
- Restart the service or device so the patched binary loads.
- Confirm the running version matches the Fixed in row using the verification command below.
- Rotate credentials and API keys that the affected service could access if the asset was exposed during the disclosure window.
If you can't patch immediately
Until the patch lands, narrow the attack surface with these runnable controls.
Reduce the attack surface
Restrict network reach to the affected service to the smallest set of hosts that must access it. On Linux:
# Vendor advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
sudo iptables -A INPUT -p tcp --dport <service-port> -s 10.10.10.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <service-port> -j DROP
On Windows:
# Vendor advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
New-NetFirewallRule -DisplayName "Block CVE-2022-21445 inbound" -Direction Inbound -Action Block -Protocol TCP -LocalPort <service-port>
Mitigations are temporary. Apply the vendor patch as soon as a maintenance window opens.
How to verify the fix worked
Confirm the patched build is the one actually running.
Run the product's --version or about command and compare against the Fixed in row (See vendor advisory). Re-run an authenticated vulnerability scan and confirm the scanner no longer flags CVE-2022-21445.
Also worth doing: pull recent log windows for any indicators of compromise listed in the vendor advisory, and re-run an authenticated vulnerability scan with up-to-date signatures.
Frequently asked questions
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2026-21932: Critical Vulnerability in Oracle Java SE — Critical Vulnerability in Oracle Java SE
- How to Fix CVE-2026-21949: Critical Vulnerability in MySQL Server — Critical Vulnerability in MySQL Server
- How to Fix CVE-2026-35233: An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p, pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context , An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p, pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context
- How to Fix CVE-2012-4681: Access control in Java , Access control in Java
- How to Fix CVE-2020-14864: Security vulnerability in Business Intelligence Enterprise Edition , Security vulnerability in Business Intelligence Enterprise Edition
Is CVE-2022-21445 being exploited in the wild?
Yes. CISA added CVE-2022-21445 to the Known Exploited Vulnerabilities catalog on 2024-09-18. KEV listing means at least one confirmed real-world exploitation report exists.
Do I have to take downtime to patch?
For most Oracle Corporation Application Development Framework (ADF) deployments, the patched build needs a service restart or device reboot. HA pairs and clusters can roll the upgrade by patching the standby first, failing over, then patching the former primary.
Will a WAF or IDS rule alone close CVE-2022-21445?
No. Network filters cut down opportunistic scans but they do not remove the flaw. The vendor patch is the only durable fix.
Why is CVE-2022-21445 rated critical?
The CVSS base score of 9.8 reflects network reach, low attack complexity, and high impact on confidentiality, integrity, and availability. That combination is what the rating model maps to critical.
References
- Official vendor advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-21445
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV entry: "Oracle ADF Faces Deserialization of Untrusted Data Vulnerability" - added 2024-09-18, due 2024-10-09
*Assembled from the official vendor advisory, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*