The Oracle Critical Patch Update for April 2022 includes updates for Java SE [1] that fix 7 Java SE vulnerabilities.
Airlock Gateway uses Java in the Configuration Center and in several add-on modules.
Airlock IAM before version 7.0 relies on a separately installed Java environment; that Java runtime environment is maintained by the system administrator.
Actions required for Airlock IAM 7.6. No action required for Airlock Gateway and IAM <= 7.5.
Details:
CVE-2022-0778
Affected JVM (Oracle GraalVM Enterprise Edition) not used by Airlock Gateway/IAM.
CVE-2022-21449
Affects Airlock IAM 7.6 when verifying ECDSA signatures in OpenID Connect ID and Device Token use cases. Resolution: Update to Airlock IAM 7.6.1. Airlock Gateway is not affected.
CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443
Do not affect Java deployments, typically in servers, that load and run only trusted code.
Update Airlock IAM 7.6 to 7.6.1
General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.