You are here

Oracle CPU April 2017 - Java (WAF)

Affects product: 
Airlock WAF
SOAP Filter Module
XML Filter Module
IDs: 
CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3544, CVE-2017-3512, CVE-2017-3514, CVE-2017-3509, CVE-2017-3539
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for April 2017 includes updates for Java SE [1] which fix 8 vulnerabilities.

  • CVE-2017-3533
    This can lead to XML external entity attacks (XXE), allowing remote users, e.g., to execute SMTP or FTP commands on the machine being attacked, or to open firewall ports.
    Airlock WAF is not affected because all XML input is trusted. The Airlock SOAP and XML filter are not affected by default since DTDs are not allowed.
  • CVE-2017-3544
    This allows manipulations of SMTP connections by inserting newline characters into sender or recipient addresses when sending mails. Airlock WAF is not affected because the affected Java SMTP client is not used.
  • CVE-2017-3511
    This vulnerability concerns the JCE (Java Cryptography Extension) component and may allow a local attacker to escalate his privileges. Airlock WAF is not vulnerable, as local administrators are trusted.
  • CVE-2017-3526
    This issue in the JAXP component may allow denial of service attacks when parsing XML files. Airlock WAF is not affected because all XML input is trusted. The Airlock SOAP and XML filter are not affected, because Airlock WAF enforces size limits on XML documents.
  • CVE-2017-3512, CVE-2017-3514, CVE-2017-3509, CVE-2017-3539
    Only affect client deployments that run untrusted code. Airlock WAF is not affected.
Resolution: 

No action required for Airlock WAF, Airlock XML filter and Airlock SOAP filter.

General Advice: We strongly recommend to update all client deployments of Java and uninstalling Java from clients where it is not needed.

Versions: 
Java SE 6u141, 7u131, 8u121
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required