Oracle CPU July 2020 - Airlock Gateway and IAM

CVE-2020-14664, CVE-2020-14583, CVE-2020-14593, CVE-2020-14562, CVE-2020-14621, CVE-2020-14556, CVE-2020-14573, CVE-2020-14581, CVE-2020-14578, CVE-2020-14579, CVE-2020-14577
java, cpu, Oracle Critical Patch Update

The Oracle Critical Patch Update for July 2020 includes updates for Java SE [1] that fix 11 Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java environment, and that Java runtime environment is maintained by the system administrator.

No action required for Airlock WAF and Login/IAM.


CVE-2020-14664, CVE-2020-14583, CVE-2020-14593, CVE-2020-14562
Does not affect Java deployments that load and run only trusted code.

Airlock Login/IAM uses JAXP in SAML. We consider the risk for Airlock WAF and IAM to be negligible.

Affected component not used by Airlock (ForkJoinPool)

Airlock does not compile untrusted code.

Airlock does not read images from untrusted sources.

CVE-2020-14578, CVE-2020-14579
Airlock IAM may read untrusted DER input in rare cases. This could trigger a Runtime Exception. Risk for Airlock is negligible (DoS not possible).

Affects server name verification of TLS certificates. Risk for Oracle is low. We do not see a way to exploit this vulnerability.


General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.
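To check a separately maintained Java runtime (as with Airlock Login/IAM before 7.0) or a client deployment against a patched release, a version comparison along these lines can be used. This is an added example, not Airlock or Oracle code; the function names are hypothetical, and the baseline version is an input the administrator takes from Oracle's advisory, since this page does not list the patched releases.

```shell
#!/bin/sh
# Added example: compare an installed Java version with a patched baseline.
# The baseline is an input; take it from Oracle's advisory for your Java
# family (this page does not list the patched releases).

# Read `java -version 2>&1` output on stdin, print the quoted version string.
java_version_from_banner() {
    sed -n 's/^.* version "\([^"]*\)".*$/\1/p' | head -n 1
}

# Print "feature interim update patch" for legacy (1.8.0_252) and
# modern (11.0.7+10) version strings; return 2 if the string is malformed.
normalize_java_version() {
    v=${1%%[+-]*}                          # drop build suffix: 11.0.7+10 -> 11.0.7
    case $v in ''|*[!0-9._]*) return 2 ;; esac
    case $v in 1.*) v=${v#1.} ;; esac      # legacy scheme: 1.8.0_252 -> 8.0_252
    old_ifs=$IFS; IFS='._'
    set -- $v
    IFS=$old_ifs
    [ "$#" -ge 1 ] || return 2
    for c in "$@"; do
        case $c in '') return 2 ;; esac    # reject empty fields such as 11..7
    done
    echo "$1 ${2:-0} ${3:-0} ${4:-0}"
}

# java_at_least INSTALLED BASELINE
# 0 = at or above baseline, 1 = older, 2 = malformed or different feature release
java_at_least() {
    inst=$(normalize_java_version "$1") || return 2
    base=$(normalize_java_version "$2") || return 2
    set -- $inst $base                     # $1-$4 installed, $5-$8 baseline
    # Update baselines are per feature release: an 8 baseline says nothing about 11.
    [ "$1" -eq "$5" ] || return 2
    for pair in "$2:$6" "$3:$7" "$4:$8"; do
        x=${pair%%:*}; y=${pair##*:}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Typical call (baseline value supplied by the administrator):
#   java_at_least "$(java -version 2>&1 | java_version_from_banner)" "$BASELINE"
```

A return code of 2 means the comparison is not meaningful (unparseable string, or a baseline from a different feature release) and should be treated as "check manually", not as "patched".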

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: No action required