Oracle CPU April 2020 - Java (WAF and Login/IAM)

IDs: 
CVE-2020-2803, CVE-2020-2805, CVE-2019-18197, CVE-2020-2816, CVE-2020-2781, CVE-2020-2767, CVE-2020-2778, CVE-2020-2830, CVE-2020-2800, CVE-2020-2764, CVE-2020-2754, CVE-2020-2755, CVE-2020-2773, CVE-2020-2756, CVE-2020-2757
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for April 2020 includes updates for Java SE [1] that fix Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java environment, and that Java runtime environment is maintained by the system administrator.

No action required for Airlock WAF and Login/IAM.

Details:

CVE-2020-2803, CVE-2020-2805, CVE-2019-18197
Does not affect Java deployments, typically in servers, that load and run only trusted code.

CVE-2020-2816, CVE-2020-2781, CVE-2020-2767, CVE-2020-2778
Affects JSSE (the Java API for TLS communication), among other components. We consider the risk for Airlock WAF and Login/IAM as negligible. We further recommend proxying all HTTPS traffic from untrusted networks through Airlock WAF.

CVE-2020-2830, CVE-2020-2800, CVE-2020-2764
Affects the components Lightweight HTTP Server, Concurrency and Advanced Management Console. These components, or the affected code within them, are not used by Airlock.

CVE-2020-2754, CVE-2020-2755
Affects the Nashorn scripting engine. Not relevant for Airlock because the engine is not used in runtime environments (only in trusted build environments).

CVE-2020-2773
Affects a security component in Java in combination with XML input. This issue does not expose a vulnerability for Airlock.

CVE-2020-2756, CVE-2020-2757
Affects Java serialization. Airlock does not process untrusted serialized Java bytecode.

Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required