You are here

Oracle CPU October 2022 - Airlock Gateway and IAM

CVE-2022-32215, CVE-2022-21634, CVE-2022-21597, CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619
java, cpu, Oracle Critical Patch Update

The Oracle Critical Patch Update for October 2022 includes updates for Java SE [1] that fix 9 Java SE vulnerabilities.

Airlock Gateway uses Java in the Configuration Center and in several add-on modules.

Airlock IAM before version 7.0 relies on a separately installed Java environment and the Java runtime environment is maintained by the system administrator.

Update required for Airlock IAM. No actions required for Airlock Gateway.


CVE-2022-32215, CVE-2022-21634, CVE-2022-21597, CVE-2022-21628, CVE-2022-21618, CVE-2022-21624, CVE-2022-21619
Component is not used in Airlock Gateway and IAM.

Java SE < 11.0.17 is vulnerable to Denial of Service (DoS) attacks when processing DER encoded ASN.1 data (e.g certificate). Airlock IAM < 7.6, 7.4.7, 7.5.4 use the affected component in Java SE 11. Update Airlock IAM to 7.4.7, 7.5.4. Affected component not used by Airlock Gateway.

Java SE < 11.0.17, 17.0.5 is vulnerable to HTTP/2 spoofing attacks in backend communication (HTTP client). Airlock IAM < 7.4.7, 7.5.4, 7.6.3, 7.7.1 use the affect component in Java SE 11. Airlock IAM is vulnerable in uncommon setups where TLS is not used. Update Airlock IAM to 7.4.7, 7.5.4, 7.6.3, 7.7.1. Affected component not used by Airlock Gateway.


Update affected Airlock IAM versions to Airlock IAM 7.4.7Airlock IAM 7.5.4, Airlock IAM 7.6.3 or Airlock IAM 7.7.1.

General Advice: We strongly recommend to update all client deployments of Java and uninstalling Java from clients where it is not needed.

Authentication service
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution