The following Apache Tomcat vulnerabilities have been reported. Airlock is not affected and protects vulnerable back-ends.
CVE-2014-0095 (Apache Tomcat 8.x before 8.0.4)
The vulnerability affects the AJP (Apache JServ Protocol) connector of Apache Tomcat. Airlock is not affected because Apache Tomcat version 8 is not used. Back-ends are not affected because Airlock does not support AJP for back-end connections.
CVE-2014-0099 (Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4)
By injecting an overlong Content-Length header that causes an integer overflow in Tomcat, an attacker can conduct a request smuggling attack against an Apache Tomcat behind a reverse proxy/WAF. Airlock is not affected because the Content-Length header value is limited by default to 100 MB in Airlock 5 and 1 GB in Airlock 4.2 (Mapping -> Allow Rules -> Length Check -> Max. request body size). These limits prevent the integer overflow attack in Apache Tomcat.
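The effect of such a length limit can be illustrated with the following added example, which is neither Airlock nor Tomcat code: a simplified unchecked parser whose 64-bit accumulator wraps, beside a strict parser that rejects any value above the configured maximum. The class and method names are hypothetical, the sample header values are constructed, and 100 MB is taken as 100 * 1024 * 1024 bytes.

```java
import java.util.OptionalLong;

public class ContentLengthCheck {
    // Assumption: the advisory's 100 MB default (Airlock 5) read as 100 * 1024 * 1024 bytes.
    static final long MAX_BODY_BYTES = 100L * 1024 * 1024;

    // Simplified model of an unchecked parser (not Tomcat's source):
    // the accumulator silently wraps once the value no longer fits in a long.
    static long naiveParse(String digits) {
        long n = 0;
        for (char c : digits.toCharArray()) {
            n = n * 10 + (c - '0');
        }
        return n;
    }

    // Proxy-side check: ASCII digits only, and the bound is tested before each
    // multiplication, so the value can neither wrap nor exceed the limit.
    static OptionalLong strictParse(String value, long max) {
        if (value == null || value.isEmpty()) return OptionalLong.empty();
        long n = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < '0' || c > '9') return OptionalLong.empty(); // sign, space, hex, ...
            int d = c - '0';
            if (n > (max - d) / 10) return OptionalLong.empty(); // n * 10 + d would exceed max
            n = n * 10 + d;
        }
        return OptionalLong.of(n);
    }

    public static void main(String[] args) {
        // Constructed sample values; the fourth is 2^64 + 4, which does not fit in 64 bits.
        String[] samples = {"1024", "104857600", "104857601",
                            "18446744073709551620", "12a", "+5", ""};
        for (String s : samples) {
            String verdict = strictParse(s, MAX_BODY_BYTES).isPresent() ? "accept" : "reject";
            String naive = s.matches("[0-9]+") ? Long.toString(naiveParse(s)) : "n/a";
            System.out.printf("%-24s strict=%-7s naive=%s%n", "\"" + s + "\"", verdict, naive);
        }
    }
}
```

Comparing the two columns for the overlong sample shows how a front end and a back end can disagree on where a request body ends when only one of them bounds the header value.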
An attacker can conduct a denial of service (DoS) attack via malformed chunk sizes in chunked transfer encoding of a request. Airlock is not affected and protects back-ends by rebuilding a clean HTTP request with correct chunk sizes.
No action required