Oracle CPU January 2020 - Java (WAF and Login/IAM)

IDs: 
CVE-2020-2604, CVE-2019-16168, CVE-2019-13117, CVE-2019-13118, CVE-2020-2601, CVE-2020-2585, CVE-2020-2655, CVE-2020-2593, CVE-2020-2654, CVE-2020-2590, CVE-2020-2659, CVE-2020-2583
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for January 2020 includes updates for Java SE [1] that fix Java SE vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java runtime environment, which is maintained by the system administrator.

No action required for Airlock WAF and Login/IAM.

Details:

CVE-2019-16168, CVE-2019-13117, CVE-2019-13118
These vulnerabilities do not affect Java deployments, typically on servers, that load and run only trusted code.

CVE-2020-2604, CVE-2020-2583
These Java serialization vulnerabilities do not affect the Airlock Secure Access Hub, since no untrusted data is deserialized.

CVE-2020-2601
Kerberos Ticket Granting Service requests use weak RSA-MD5 signatures. The Airlock Secure Access Hub does not create such requests and is therefore not vulnerable.

CVE-2020-2585
This JavaFX vulnerability does not affect the Airlock Secure Access Hub, since JavaFX is not used.

CVE-2020-2655
This vulnerability affects the Java TLS implementation and may affect confidentiality and integrity. Since the attack complexity is high and the impact on confidentiality and integrity is low, we rate the risk for Airlock as low.

CVE-2020-2593
This bug in URL normalization is not exploitable in Airlock since no untrusted code is executed.

CVE-2020-2654
This vulnerability may allow denial of service when parsing X.509 certificates. Airlock IAM only parses trusted certificates. Airlock WAF only parses certificates using Java in the Configuration Center, on trusted input. We rate the risk for Airlock as low.

CVE-2020-2590
This vulnerability may affect the integrity of SASL messages exchanged via Kerberos GSSAPI. Airlock is not affected, because SASL is not used in our Kerberos implementations.

CVE-2020-2659
This sandbox restriction escape does not affect the Airlock Secure Access Hub, since no untrusted code is executed.

Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required