CVE-2022-21593 in HTTP Server
Summary
by MITRE • 10/19/2022
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OHS Config MBeans). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data as well as unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/25/2026
The vulnerability identified as CVE-2022-21593 represents a critical security flaw within Oracle HTTP Server's Fusion Middleware component, specifically within the OHS Config MBeans functionality. This vulnerability affects Oracle HTTP Server versions 12.2.1.3.0 and 12.2.1.4.0, making it a targeted threat for organizations utilizing these specific releases. The flaw manifests as an easily exploitable security weakness that enables unauthenticated attackers to compromise the server through standard HTTP network connections, eliminating the need for prior authentication or privileged access. The vulnerability's classification as easily exploitable indicates that attackers can leverage it with minimal technical expertise or resources, significantly increasing the potential attack surface and threat impact. The CVSS 3.1 scoring system rates this vulnerability at 7.1, reflecting high confidentiality impact and moderate integrity impact, with no availability impact, demonstrating the primary concern lies in unauthorized data access and potential data modification.
The technical exploitation of this vulnerability occurs through the Oracle HTTP Server's configuration management beans, which are part of the broader Oracle Fusion Middleware architecture. These MBeans serve as management interfaces for configuring and monitoring the HTTP server components, but the flaw allows unauthorized access to these management functions without proper authentication. The vulnerability requires human interaction from individuals other than the attacker, suggesting that while the initial exploitation may be automated, some form of user involvement or specific conditions must be met for the attack to succeed. This human interaction requirement could involve legitimate users performing actions that inadvertently trigger the vulnerability or accessing specific management interfaces that expose the flaw. The attack vector operates over standard HTTP network protocols, making it accessible to attackers who can reach the server through typical network connections without requiring specialized tools or techniques.
The operational impact of successfully exploiting this vulnerability extends beyond simple unauthorized access to encompass complete compromise of Oracle HTTP Server accessible data. Attackers can gain unauthorized access to critical data stored within the server environment, potentially including sensitive configuration information, user credentials, or application data. The vulnerability also enables unauthorized update, insert, or delete operations on some of the server's accessible data, providing attackers with the capability to modify or corrupt data within the system. This dual impact on both confidentiality and integrity creates a significant threat to organizational security, as attackers can not only steal sensitive information but also manipulate or destroy critical server data. The potential for unauthorized access to all Oracle HTTP Server accessible data means that the entire server configuration and associated data repositories become vulnerable to compromise, potentially affecting multiple applications and services hosted on the server.
Organizations affected by this vulnerability should implement immediate mitigation strategies to protect their Oracle HTTP Server installations. The primary recommendation involves applying the relevant Oracle Critical Patch Updates (CPUs) or security patches released by Oracle to address this specific vulnerability. Additionally, network-level controls should be implemented to restrict access to the Oracle HTTP Server, particularly limiting HTTP access to trusted networks and implementing proper firewall rules to prevent unauthorized network access. The principle of least privilege should be enforced by ensuring that only authorized personnel have access to the management interfaces, and that all administrative access occurs through secure channels with proper authentication mechanisms. Organizations should also implement monitoring solutions to detect anomalous access patterns or unauthorized attempts to access the OHS Config MBeans, as this vulnerability may leave traces of exploitation in system logs. The vulnerability aligns with CWE-287, which addresses authentication issues, and may be categorized under ATT&CK technique T1190 for exploit public-facing application, highlighting the need for comprehensive security measures that address both the immediate vulnerability and broader threat landscape. Regular security assessments and vulnerability scanning should be conducted to identify similar issues within the Oracle Fusion Middleware environment and ensure overall system security posture remains strong against evolving threats.