CVE-2022-21587: 
Oracle E-Business Suite vulnerability analysis and mitigation

CVE-2022-21587 is a critical vulnerability in Oracle Web Applications Desktop Integrator, a component of Oracle E-Business Suite (component: Upload). The vulnerability affects versions 12.2.3-12.2.11. This critical flaw, rated with a CVSS 3.1 Base Score of 9.8, was disclosed in Oracle's October 2022 Critical Patch Update and later added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 2, 2023 (Oracle Advisory, CISA KEV).

The vulnerability is an unauthenticated arbitrary file upload flaw that allows attackers to execute code remotely without requiring authentication. It has been assigned the highest severity rating with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

Successful exploitation of this vulnerability can result in complete takeover of Oracle Web Applications Desktop Integrator. The vulnerability affects all three security aspects - confidentiality, integrity, and availability - with high impact ratings (Oracle Advisory).

Oracle released patches for this vulnerability in the October 2022 Critical Patch Update. Organizations are strongly advised to apply these security patches immediately. CISA has set a deadline of February 23, 2023, for federal agencies to patch their systems (Security Online).

The security community has shown significant concern about this vulnerability, particularly after its addition to CISA's KEV catalog. Rapid7 has reported responding to multiple compromise incidents related to this vulnerability, indicating its active exploitation in the wild (Rapid7).