Oracle October 2019 - Java (WAF and Login/IAM)

IDs: 
CVE-2019-2949, CVE-2019-2989, CVE-2019-2958, CVE-2019-11068, CVE-2019-2977, CVE-2019-2975, CVE-2019-2999, CVE-2019-2996, CVE-2019-2987, CVE-2019-2962, CVE-2019-2988, CVE-2019-2992, CVE-2019-2964, CVE-2019-2973, CVE-2019-2981, CVE-2019-2978, CVE-2019-2894
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for October 2019 includes updates for Java SE [1] that fix 20 Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java environment, and that Java runtime environment is maintained by the system administrator.

No action required for Airlock WAF and Login/IAM.

Details:

CVE-2019-2999, CVE-2019-2996, CVE-2019-2945
Does not affect Java deployments, typically in servers, that load and run only trusted code.

CVE-2019-2964, CVE-2019-2977, CVE-2019-2933, CVE-2019-2949, CVE-2019-2989, CVE-2019-11068, CVE-2019-2975, CVE-2019-2973, CVE-2019-2981, CVE-2019-2978, CVE-2019-2983
The affected function is not used in combination with untrusted data.

CVE-2019-2987, CVE-2019-2962, CVE-2019-2992, CVE-2019-2988
Affected component not used by Airlock Secure Access Hub.

CVE-2019-2958
Affects only Windows deployments.

CVE-2019-2894
Insecure usage of ECDSA curves in Java SSL context. The risk for Airlock Secure Access Hub is negligible.

Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required