Oracle Critical Patch Update Advisory - October 2015 - Java, Solaris

IDs: 
CVE-2015-4803, CVE-2015-4893, CVE-2015-4911, CVE-2015-4868, CVE-1999-0377, CVE-2015-4869, CVE-2015-2642
Keywords: 
Java, Oracle CPU, Solaris
Description: 

The Oracle Critical Patch Update for October 2015 includes updates for several Oracle products including Solaris and Java [1].

Airlock WAF is not affected.

Most of the Java vulnerabilities affect client deployments only. The remaining vulnerabilities are not relevant for Airlock WAF because the affected components are not in use (CRL Checking: CVE-2015-4868, StAX Parser: CVE-2015-4911) or the attack risk is negligible due to other security restrictions such as the maximum request body size (DoS in JAXP Parser: CVE-2015-4803, CVE-2015-4893).

Most of the Sun Systems/Solaris vulnerabilities affect Solaris 11, which is not used by Airlock WAF. Other vulnerabilities cannot be exploited over a network. The remaining vulnerabilities either affect Oracle Sun System components that are outside Airlock's responsibility (ILOM: CVE-2015-4915, CVE-2015-4821, XCP firmware: CVE-2015-4000), or their exploitation is prevented by the internal network firewall of Airlock WAF (INETD: CVE-1999-0377).

Resolution: 

It is strongly recommended to apply the Critical Patch Update for Java to all Java client installations, or to disable Java on clients or even uninstall it.

We further recommend checking whether your Oracle/Sun hardware (ILOM, firmware, etc.) is affected by any of the vulnerabilities listed in the Oracle Sun Systems Products Suite Risk Matrix in [1].

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required