How to Fix CVE-2022-21587: Oracle Web Applications Desktop Integrator Unauthenticated RCE
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Oracle E-Business Suite Web Applications Desktop Integrator versions 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11 |
| Fixed in | Apply the Oracle Critical Patch Update (CPU) for October 2022 or any later quarterly CPU |
| Type (CWE) | Unauthenticated Remote Code Execution |
⚠️ Patch immediately. Oracle E-Business Suite handles core ERP data: financials, HR, supply chain. Compromise here is a tier-1 incident.
What is CVE-2022-21587?
Oracle Web Applications Desktop Integrator (WebADI) is a component of Oracle E-Business Suite that lets desktop spreadsheets integrate with EBS via Excel and similar tools. The vulnerability in WebADI's handling of HTTP requests lets an unauthenticated remote attacker compromise the EBS server.
Oracle's CVSS score of 9.8 reflects an unauthenticated network attack vector with full confidentiality, integrity and availability impact: a successful attack means full takeover of the EBS application tier. From there an attacker can reach financial data, HR records, vendor master data, payment workflows, and the database credentials EBS uses.
Am I affected?
You are affected if you run Oracle E-Business Suite with WebADI versions 12.2.3 through 12.2.11 without the October 2022 (or later) Critical Patch Update applied.
To check the WebADI version, log into EBS with the Sysadmin responsibility → OAM → Applications Dashboard → look for Web Applications Desktop Integrator and its current patch level.
How to fix CVE-2022-21587
- Open the Oracle Critical Patch Update Advisory, October 2022 (linked below) and identify the specific patch number for CVE-2022-21587.
- Download the patch from My Oracle Support (requires CSI / support contract).
- Apply the patch via Oracle's standard patching mechanism (adpatch, or AD Online Patching with adop for EBS 12.2). EBS 12.2 uses the online patching cycle:
```
# Vendor advisory: https://www.oracle.com/security-alerts/cpuoct2022.html
adop phase=prepare
adop phase=apply patches=<patch-number>
adop phase=finalize
adop phase=cutover
adop phase=cleanup
```
- Re-test critical EBS forms and concurrent programs after the cutover phase.
Apply the latest available Oracle CPU rather than just October 2022: newer CPUs include the fix for CVE-2022-21587 plus dozens of subsequent EBS security fixes.
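The online patching cycle above, driven phase by phase with a stop at the first failure so that a patch that failed in apply or finalize is never cut over. This is an added example, not Oracle's tooling or code from the original page; it assumes the EBS run-edition environment file has been sourced and adop is on PATH, and the ADOP_BIN variable exists only so a caller can substitute a test double.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's or the page's own code): run the EBS 12.2 online
# patching cycle one phase at a time and stop at the first failure.
# Assumes the EBS environment has been sourced and adop is on PATH.
set -u

# ADOP_BIN lets a caller substitute a test double for the real adop binary.
ADOP_BIN="${ADOP_BIN:-adop}"
# The five phases, in the order Oracle's online patching cycle requires.
ADOP_PHASES="prepare apply finalize cutover cleanup"

# run_adop_cycle <patch-number> [logfile]
# Prints the name of the last phase attempted. Returns 0 when every phase
# succeeded, the failing phase's exit code otherwise, or 2 for a bad argument.
run_adop_cycle() {
    local patch="$1" log="${2:-/tmp/adop-$1.log}" phase extra rc
    # Oracle patch numbers are purely numeric; reject anything else up front
    # rather than handing it to adop.
    case "$patch" in
        ''|*[!0-9]*) echo "invalid patch number: '$patch'" >&2; return 2 ;;
    esac
    for phase in $ADOP_PHASES; do
        extra=""
        # Only the apply phase takes the patch list.
        [ "$phase" = apply ] && extra="patches=$patch"
        rc=0
        "$ADOP_BIN" "phase=$phase" $extra >>"$log" 2>&1 || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "adop phase=$phase failed (exit $rc); see $log" >&2
            echo "$phase"
            return "$rc"
        fi
    done
    echo "$phase"
    return 0
}

# Stand-alone use: ./adop-cycle.sh <patch-number> [logfile]
if [ $# -gt 0 ]; then
    run_adop_cycle "$@"
fi
```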
Patch via your OS package manager
WebADI is a component of the EBS application tier and receives this fix only through the Oracle patch applied with adop above; it is not shipped by Linux distribution repositories or by Windows Update. The commands below apply only if your organisation wraps EBS patch deliveries in internal OS packages, in which case substitute your own package name for the placeholder:
```
# Vendor advisory:
# https://www.oracle.com/security-alerts/cpuoct2022.html
# Debian / Ubuntu
sudo apt update
sudo apt install --only-upgrade <internal-ebs-package>
# RHEL / Rocky / AlmaLinux / Fedora
sudo dnf upgrade <internal-ebs-package>
# openSUSE
sudo zypper update <internal-ebs-package>
# Verify the installed package version matches the fixed version
dpkg -s <internal-ebs-package> 2>/dev/null | grep -i version || rpm -q <internal-ebs-package> 2>/dev/null
# Windows: keep the OS current with the cumulative update; note that it does not deliver the WebADI fix itself.
Install-Module PSWindowsUpdate -Force -SkipPublisherCheck
Get-WindowsUpdate -AcceptAll -Install -AutoReboot
```
Verify the fix landed
```
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://www.oracle.com/security-alerts/cpuoct2022.html
# Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2022-21587 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
```
If you can't patch immediately
- Restrict EBS application-tier network access to internal users only. EBS Web Applications components should never be on the public internet.
- Disable the WebADI service if your business doesn't actively use it. EBS administrators can disable individual function endpoints via the Function Security framework.
- Audit WebADI access logs for unauthenticated requests during the unpatched window.
How to verify the fix worked
- EBS Sysadmin → OAM → Applications Dashboard → WebADI patch level reflects the applied CPU.
- Test the previously vulnerable endpoint with an unauthenticated client and confirm the request is rejected.
- Run an authenticated vulnerability scan against the EBS URL. CVE-2022-21587 detection should clear.
Frequently asked questions
Is CVE-2022-21587 actively exploited?
Yes. CVE-2022-21587 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2022-21587?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://www.oracle.com/security-alerts/cpuoct2022.html
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Oracle Critical Patch Update Advisory, October 2022: https://www.oracle.com/security-alerts/cpuoct2022.html
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-21587
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the Oracle CPU October 2022 advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the Oracle CPU advisory before applying changes in production.*