
Oracle Critical Patch Update Advisory - January 2014 - Java, Solaris

IDs: 
CVE-2013-5907, CVE-2014-0411, CVE-2013-5821, CVE-2014-0390, CVE-2013-5872, CB-K14/0052, CB-K14/0053
Keywords: 
Oracle Critical Patch Update, CPU, Java, Solaris
Description: 

The Oracle Critical Patch Update for January 2014 includes updates for several Oracle products including Solaris and Java.

Airlock is not affected by any of the listed vulnerabilities.

Java Details

The following Java vulnerabilities affect server installations of Java.

| CVE Number | Java Component | Description |
|---|---|---|
| CVE-2013-5907 | 2D | Does not affect Airlock, since Airlock is not using the Java 2D API |
| CVE-2014-0423 | Beans | Missing XML external entities restriction in the Beans component could lead to XXE attacks. Does not affect Airlock, since untrusted clients are not able to modify the XML definitions of Java Beans |
| CVE-2014-0411 | JSSE | Does not affect Airlock, since Java is not handling SSL/TLS communication on Airlock |

All other Java vulnerabilities affect Java client installations, Java deployments or Java installations in GNOME environment and are therefore not relevant for Airlock.

Solaris Details

The following vulnerabilities affect Solaris version 10.

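| CVE Number | Solaris Component | Description |
|---|---|---|
| CVE-2013-5876 | Kernel | Can only be exploited by having local access (shell) on Airlock. Airlock is not affected by these vulnerabilities because there are no interactive local users other than root on the system. |
| CVE-2013-5821 | RPC | Can only be exploited by having local access (shell) on Airlock. Airlock is not affected by these vulnerabilities because there are no interactive local users other than root on the system. |
| CVE-2013-5872 | NSCD | Can only be exploited by having local access (shell) on Airlock. Airlock is not affected by these vulnerabilities because there are no interactive local users other than root on the system. |
| CVE-2014-0390 | Java Web Console | Java Web Console is not installed on Airlock |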

All other Solaris vulnerabilities affect Solaris versions 8, 9 or 11. These Solaris versions are not in use by any currently supported Airlock release.

Resolution: 

No action required for Airlock.

It is strongly recommended to apply the Critical Patch Update for Java to all Java client installations, or to disable or even uninstall Java on clients.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required