Oracle CPU October 2018 - Java (WAF and Login/IAM)

IDs: 
CVE-2018-3183, CVE-2018-3149, CVE-2018-3180, CVE-2018-3214, CVE-2018-3209, CVE-2018-3169, CVE-2018-3211, CVE-2018-3150, CVE-2018-13785, CVE-2018-3136, CVE-2018-3139
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for October 2018 includes updates for Java SE [1] that fix several vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM relies on a separately installed Java environment. This Java runtime environment is maintained by the system administrator.

Airlock WAF and Login/IAM are not affected.

Details:

  • CVE-2018-3183
    This vulnerability may allow a sandbox restriction bypass. An exploit requires an untrusted Java application or applet, neither of which is present in the Airlock Suite. The Airlock Suite is not affected.
  • CVE-2018-3149
    Using this JNDI vulnerability, a Java client could be tricked into loading and executing code from an LDAP server. Airlock IAM only communicates with trusted LDAP servers. Airlock WAF does not communicate with LDAP servers. The Airlock Suite is not affected.
  • CVE-2018-3180
    This attack may lead to a TLS connection being established without server identity verification. Such connections are only established in Airlock IAM. As the attack complexity is high and the impact on confidentiality, integrity and availability is low [1], we rate the risk for the Airlock Suite as low.
  • CVE-2018-3214
    This vulnerability in the Java Sound component does not affect the Airlock Suite, as the component is not used.
  • CVE-2018-3209, CVE-2018-3169, CVE-2018-3211, CVE-2018-3150, CVE-2018-13785, CVE-2018-3136, CVE-2018-3139
    These vulnerabilities only affect deployments that run untrusted code. The Airlock Suite is not affected.
Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required