You are here
Oracle CPU July 2019 - Java (WAF and Login/IAM)
Last update on 25. September 2019 - 10:54.
The Oracle Critical Patch Update for July 2019 includes updates for Java SE [1] that fix ten Java SE vulnerabilities.
Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.
Airlock Login/IAM before version 7.0 relies on a separately installed Java environment and the Java runtime environment is maintained by the system administrator.
No action required for Airlock WAF and Login/IAM.
Details:
CVE-2019-7317, CVE-2019-1821, CVE-2019-2818, CVE-2019-2786
Does not affect trusted Java code deployments and are therefore not relevant for Airlock Secure Access Hub.
CVE-2019-2766
Not relevant because this issue only affects Windows platforms.
CVE-2019-2745
This side-channel issue concerning Elliptic Curve Cryptography is exploitable only locally.
CVE-2019-2769, CVE-2019-2762
For these potential Denial of Service issues we do not see any relevant attack vector for Airlock Secure Access Hub.
CVE-2019-2816
This vulnerability may allow invalid characters in URL objects. Airlock Secure Access Hub always checks URLs against whitelists or performs validation (e.g. using regular expressions).
CVE-2019-2842
This missing bounds check does not affect Airlock Secure Access Hub since compiler intrinsics are not used.
General Advice: We strongly recommend to update all client deployments of Java and uninstalling Java from clients where it is not needed.