You are here

Oracle CPU January 2020 - Java (WAF and Login/IAM)

CVE-2020-2604, CVE-2019-16168, CVE-2019-13117, CVE-2019-13118, CVE-2020-2601, CVE-2020-2585, CVE-2020-2655, CVE-2020-2593, CVE-2020-2654, CVE-2020-2590, CVE-2020-2659, CVE-2020-2583
java, cpu, Oracle Critical Patch Update

The Oracle Critical Patch Update for January 2020 includes updates for Java SE [1] that fix Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java environment and the Java runtime environment is maintained by the system administrator.

No action required for Airlock WAF and Login/IAM.


CVE-2019-16168, CVE-2019-13117, CVE-2019-13118
Do not affect Java deployments, typically in servers, that load and run only trusted code.

CVE-2020-2604, CVE-2020-2583
These Java serializiation vulnerabilities do not affect the Airlock Secure Access Hub, since no untrusted data is deserialized.

Kerberos Ticket Granting Service requests use weak RSA-MD5 signatures. The Airlock Secure Access Hub does not create such requests and is therefore not vulnerable.

This JavaFX vulnerability does not affect the Airlock Secure Access Hub, since JavaFX is not used.

Affects the Java TLS implementation and may affect Confidentiality and Integrity. Since the attack complexity is high and the impact on confidentiality and integrity is low, we rate the risk for Airlock as low.

This bug in URL normalization is not exploitable in Airlock since no untrusted code is executed.

May allow denial of service when parsing X.509 certificates. Airlock IAM only parses trusted certificates. Airlock WAF only parses certificates using Java in the configuration center on trusted input. We rate the risk for Airlock as low.

This vulnerability may affect the integrity of SASL messages included in Kerberos GSSAPI. Airlock is not affected, because SASL is not used in our Kerberos implementations.

This sandbox restriction escape does not affect the Airlock Secure Access Hub, since no untrusted code is executed.


General Advice: We strongly recommend to update all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required