Researchers criticize Oracle's vulnerability disclosure process

Although the critical flaws were reported in October, it took the vendor nearly half a year to issue patches, well beyond the 90-day window that coordinated vulnerability disclosure policies typically allow.

Security researchers are struggling to understand why it took Oracle six months to patch critical flaws they disclosed in Fusion Middleware.

In a blog post Thursday about Oracle's vulnerability disclosure process, Peterjson, a security engineer at VNG Corp. in Vietnam, urged enterprises to patch CVE-2022-21455 and CVE-2022-21497. Peterjson and fellow researcher Jang accidentally discovered pre-auth remote code execution flaws while reviewing the source code of Oracle's Application Development Framework (ADF) Faces, a component of Fusion Middleware.

An unauthenticated attacker with network access could exploit the flaws via an HTTP request to compromise Oracle Web Services Manager and Oracle JDeveloper; the National Vulnerability Database describes both bugs as "easily exploitable." Peterjson and Jang ran their own experiment to highlight how dangerous the flaws are.

"Why did we hack some of Oracle's sites?" Peterjson wrote in the blog. "Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous and it affects Oracle's systems and Oracle's customers. That's why we want Oracle to take action ASAP. But as you can see, six months for Oracle to patch it. I don't know why, but we have to accept it and follow Oracle's policy."

They named their attack The Miracle Exploit because the flaws affect many products in Fusion Middleware as well as Oracle's own online systems. Peterjson noted that any website built with ADF Faces is affected, including Oracle's cloud infrastructure. Because the affected services are reachable over the internet, an attacker does not need local access to exploit them.

Regarding the vulnerability disclosure timeline, Peterjson said he and Jang sent their first report to Oracle on Oct. 25, 2021. Oracle acknowledged receipt four days later and confirmed it would investigate. However, Oracle did not fix the ADF Faces flaw until April 19, 2022.

The fixes for CVE-2022-21455, which carries a CVSS score of 9.8, and CVE-2022-21497, which scored 8.1, were issued in Oracle's April Critical Patch Update.

"We were very, very excited at the time (six months ago), but now we don't have that feeling anymore because Oracle took too long to patch this vulnerability, more than the standard," Peterjson wrote in the blog.

While vendors do sometimes take too long to fix reported bugs, Peterjson told SearchSecurity he understands the amount of time and work a fix requires. Even so, he found the Oracle disclosure disappointing, particularly given how dangerous the reported flaws are.

"I had to wait almost six months, then wait for the next two months to make sure some big companies fixed it. I think we should disclose bugs in a professional way and work with the vendor," he said to SearchSecurity through a direct message on Twitter.

Those big companies included Best Buy, Starbucks, Regions Bank and Dell Technologies.

Oracle did not respond to requests for comment.

Vulnerability disclosure process woes

Oracle is just the latest vendor to be called out for a poorly coordinated vulnerability disclosure process. Earlier this month, Tenable published three separate blog posts about transparency problems it had with Microsoft, particularly around cloud flaws. Although Microsoft did not exceed the 90-day responsible disclosure standard, Tenable cited communication problems and accused Microsoft of "downplaying" the severity of the two Azure vulnerabilities it reported.

Shortly after, Orca Security claimed Microsoft inadequately fixed a critical flaw its researcher discovered in Azure Synapse.

The tech giant also recently changed its Patch Tuesday updates, which will now be augmented by a new automated update service.

In addition to Microsoft, Intel faced scrutiny over a new family of side-channel attacks dubbed "Hertzbleed." Although the underlying issues were reported to Intel in 2021, the company kept them under embargo past the 90-day coordinated vulnerability disclosure standard.
