Oracle CPU January 2017 - Java (WAF)

Airlock WAF uses Java in the Configuration Center and in several add-on modules.

The Oracle Critical Patch Update for January 2017 includes updates for Java SE [1] which fixes 17 vulnerabilities.

Airlock WAF is not affected.

Details:

• CVE-2016-5547, CVE-2016-5546
  Affect the parsing of DER input. Java in Airlock WAF is not used to parse untrusted DER input and is therefore not affected.
   
• CVE-2016-5552
  This issue might lead to incorrect parsing of URLs. Our analysis concludes that there is low risk of Airlock WAF being affected.
   
• CVE-2017-3241
  Airlock WAF is not affected, as Java RMI is used by Airlock WAF internally only and is not accessible for remote users.
   
• CVE-2017-3253, CVE-2017-3252
  Airlock WAF is not affected, as the 2D and JAAS components of Java SE are not used.
   
• CVE-2017-3289, CVE-2017-3272, CVE-2017-3260, CVE-2016-5549, CVE-2016-5548, CVE-2017-3231, CVE-2017-3261, CVE-2017-3259
  Only affect client deployments that run untrusted code. Airlock WAF is not affected.
   
• CVE-2017-3262, CVE-2016-8328
  Only affect Java Mission Control Installations. Airlock WAF is not affected, since Java Mission Control is not used.
   
• CVE-2016-2183
  This is related to the Sweet32 attack [2]. Airlock WAF is not affected, since Java is not used to handle SSL/TLS communications.