Oracle CPU January 2017 - Java (WAF)

IDs: 
CVE-2016-2183, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2017-3253, CVE-2016-5546, CVE-2017-3241, CVE-2017-3289, CVE-2017-3272, CVE-2017-3260, CVE-2016-5549, CVE-2016-5548, CVE-2017-3231, CVE-2017-3261, CVE-2017-3259, CVE-2017-3262, CVE-2016-8328
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

Airlock WAF uses Java in the Configuration Center and in several add-on modules.

The Oracle Critical Patch Update for January 2017 includes updates for Java SE [1] that fix 17 vulnerabilities.

Airlock WAF is not affected.

Details:

  • CVE-2016-5547, CVE-2016-5546
    Affect the parsing of DER input. Java in Airlock WAF is not used to parse untrusted DER input and is therefore not affected.
     
  • CVE-2016-5552
    This issue might lead to incorrect parsing of URLs. Our analysis concludes that there is a low risk of Airlock WAF being affected.
     
  • CVE-2017-3241
    Airlock WAF is not affected, as Java RMI is used by Airlock WAF internally only and is not accessible to remote users.
     
  • CVE-2017-3253, CVE-2017-3252
    Airlock WAF is not affected, as the 2D and JAAS components of Java SE are not used.
     
  • CVE-2017-3289, CVE-2017-3272, CVE-2017-3260, CVE-2016-5549, CVE-2016-5548, CVE-2017-3231, CVE-2017-3261, CVE-2017-3259
    Only affect client deployments that run untrusted code. Airlock WAF is not affected.
     
  • CVE-2017-3262, CVE-2016-8328
    Only affect Java Mission Control installations. Airlock WAF is not affected, since Java Mission Control is not used.
     
  • CVE-2016-2183
    This is related to the Sweet32 attack [2]. Airlock WAF is not affected, since Java is not used to handle SSL/TLS communications.
Resolution: 

It is strongly recommended to apply the Java update to all client installations or, better, to disable or even uninstall Java on clients.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required