Oracle CPU July 2019 - Java (WAF and Login/IAM)

IDs: 
CVE-2019-7317, CVE-2019-1821, CVE-2019-2818, CVE-2019-2818, CVE-2019-2818, CVE-2019-2745, CVE-2019-2745, CVE-2019-2842, CVE-2019-2786, CVE-2019-2766
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for July 2019 includes updates for Java SE [1] that fix ten Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java runtime environment, which is maintained by the system administrator.

No action is required for Airlock WAF and Login/IAM.

Details:

CVE-2019-7317, CVE-2019-1821, CVE-2019-2818, CVE-2019-2786
These issues do not affect trusted Java code deployments and are therefore not relevant for Airlock Secure Access Hub.

CVE-2019-2766
Not relevant because this issue only affects Windows platforms.

CVE-2019-2745
This side-channel issue concerning Elliptic Curve Cryptography is exploitable only locally.

CVE-2019-2769, CVE-2019-2762
For these potential Denial of Service issues, we do not see any relevant attack vector for Airlock Secure Access Hub.

CVE-2019-2816
This vulnerability may allow invalid characters in URL objects. Airlock Secure Access Hub always checks URLs against whitelists or performs validation (e.g. using regular expressions).

CVE-2019-2842
This missing bounds check does not affect Airlock Secure Access Hub since compiler intrinsics are not used.

Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required