Oracle CPU July 2020 - Airlock Gateway and IAM

IDs: 
CVE-2020-14664, CVE-2020-14583, CVE-2020-14593, CVE-2020-14562, CVE-2020-14621, CVE-2020-14556, CVE-2020-14573, CVE-2020-14581, CVE-2020-14578, CVE-2020-14579, CVE-2020-14577
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for July 2020 includes updates for Java SE [1] that fix 11 Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java runtime environment, which is installed and kept up to date by the system administrator rather than shipped with the product.
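For Login/IAM installations before 7.0, the practical check is whether the administrator-managed JRE on the host is already at the July 2020 CPU level. The following shell script is an added example and not part of this advisory or of any Airlock product; it parses the first line of `java -version` and compares it against the minimum versions Oracle shipped with the July 2020 CPU (7u271, 8u261, 11.0.8 and 14.0.2, hard-coded here as an assumption taken from Oracle's release list). Feature releases 9, 10, 12 and 13 were out of support at the time and are treated as unpatched; 15 and later were first released after this CPU and are treated as carrying the fixes.

```shell
#!/bin/sh
# Added example: check whether a JRE banner line is at or above the
# July 2020 Oracle CPU level. Minimum versions (assumption, from Oracle's
# July 2020 release list): 7u271, 8u261, 11.0.8, 14.0.2.

# java_version_string BANNER: print the quoted version from the first line of
# "java -version", e.g.  openjdk version "1.8.0_252"  -> 1.8.0_252
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p'
}

# upd_ge UPDATE MIN: numeric compare of an "8u" style update number;
# trailing non-digits such as "-b09" are stripped first.
upd_ge() {
    u=${1%%[!0-9]*}
    [ -n "$u" ] && [ "$u" -ge "$2" ]
}

# ver_ge A B: dotted-version compare, true if A >= B component by component.
ver_ge() {
    a=$1; b=$2
    while [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        [ -n "$ai" ] || ai=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# java_cpu_jul2020_ok BANNER: exit 0 if the runtime described by the banner
# already contains the July 2020 CPU fixes, 1 otherwise.
java_cpu_jul2020_ok() {
    v=$(java_version_string "$1")
    [ -n "$v" ] || return 1
    case "$v" in
        1.7.0_*) upd_ge "${v#1.7.0_}" 271 ;;
        1.8.0_*) upd_ge "${v#1.8.0_}" 261 ;;
        11.*)    ver_ge "$v" 11.0.8 ;;
        14.*)    ver_ge "$v" 14.0.2 ;;
        *)
            major=${v%%.*}; major=${major%%[!0-9]*}
            # 9, 10, 12, 13 received no July 2020 fixes (out of support);
            # 15 and later were released after this CPU and include them.
            [ -n "$major" ] && [ "$major" -ge 15 ] ;;
    esac
}

# Usage on the IAM host: inspect the installed runtime, if any.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1 | head -n 1)
    if java_cpu_jul2020_ok "$banner"; then
        echo "OK: $banner"
    else
        echo "UPDATE NEEDED: $banner"
    fi
fi
```

The banner is taken from stderr because `java -version` prints there; only the version string inside the quotes is compared, so vendor suffixes and build numbers on later lines do not matter.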

No action required for Airlock WAF and Login/IAM.

Details:

CVE-2020-14664, CVE-2020-14583, CVE-2020-14593, CVE-2020-14562
Does not affect Java deployments that load and run only trusted code.

CVE-2020-14621
Airlock Login/IAM uses JAXP in its SAML processing. We consider the risk for Airlock WAF and IAM to be negligible.

CVE-2020-14556
The affected component (ForkJoinPool) is not used by Airlock.

CVE-2020-14573
Airlock does not compile untrusted code.

CVE-2020-14581
Airlock does not read images from untrusted sources.

CVE-2020-14578, CVE-2020-14579
Airlock IAM may read untrusted DER input in rare cases. Malformed input could trigger a runtime exception, but not a denial of service, so the risk for Airlock is negligible.

CVE-2020-14577
Affects server name verification of TLS certificates. Oracle rates the risk as low, and we do not see a way to exploit this vulnerability in Airlock.

Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required