Oracle CPU October 2022 - Airlock Gateway and IAM

IDs: 
CVE-2022-32215, CVE-2022-21634, CVE-2022-21597, CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for October 2022 includes updates for Java SE [1] that fix 9 Java SE vulnerabilities.

Airlock Gateway uses Java in the Configuration Center and in several add-on modules.

Airlock IAM before version 7.0 relies on a separately installed Java environment and the Java runtime environment is maintained by the system administrator.

Update required for Airlock IAM. No action required for Airlock Gateway.

Details:

CVE-2022-32215, CVE-2022-21634, CVE-2022-21597, CVE-2022-21628, CVE-2022-21618, CVE-2022-21624, CVE-2022-21619
Component is not used in Airlock Gateway and IAM.

CVE-2022-21626
Java SE < 11.0.17 is vulnerable to Denial of Service (DoS) attacks when processing DER-encoded ASN.1 data (e.g. a certificate). Airlock IAM < 7.6, 7.4.7, 7.5.4 use the affected component in Java SE 11. Update Airlock IAM to 7.4.7, 7.5.4. The affected component is not used by Airlock Gateway.

CVE-2022-39399
Java SE < 11.0.17, 17.0.5 is vulnerable to HTTP/2 spoofing attacks in backend communication (HTTP client). Airlock IAM < 7.4.7, 7.5.4, 7.6.3, 7.7.1 use the affected component in Java SE 11. Airlock IAM is vulnerable in uncommon setups where TLS is not used. Update Airlock IAM to 7.4.7, 7.5.4, 7.6.3, 7.7.1. The affected component is not used by Airlock Gateway.

Resolution: 

Update affected Airlock IAM versions to Airlock IAM 7.4.7, Airlock IAM 7.5.4, Airlock IAM 7.6.3 or Airlock IAM 7.7.1.

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.
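
Added example (not Airlock's own tooling): a Python check that classifies an installed Airlock IAM version against the per-branch fixed releases listed above and, for IAM before 7.0, classifies the separately installed Java runtime from the first line of `java -version`. The function names and status strings are hypothetical; branches and Java feature releases this advisory does not list are reported as not covered rather than guessed.

```python
import re

# Fixed Airlock IAM releases per branch, taken from the Resolution section.
FIXED_IAM = {(7, 4): (7, 4, 7), (7, 5): (7, 5, 4), (7, 6): (7, 6, 3), (7, 7): (7, 7, 1)}
# Java SE releases below these are listed as vulnerable in this advisory.
FIXED_JAVA = {11: (11, 0, 17), 17: (17, 0, 5)}


def parse_version(text):
    """Return the first dotted numeric version in text, padded to 3 parts."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in match.group().split("."))
    return parts + (0,) * (3 - len(parts))


def java_status(version_line):
    """Classify the first line of `java -version` output."""
    version = parse_version(version_line)
    fixed = FIXED_JAVA.get(version[0])
    if fixed is None:
        return "not covered by this advisory"
    # Tuple comparison also orders four-part versions such as 11.0.16.1.
    return "fixed" if version >= fixed else "update Java"


def iam_status(iam_version, java_version_line=None):
    """Classify an Airlock IAM version string (status strings are assumptions)."""
    version = parse_version(iam_version)
    if version < (7, 0):
        # Before 7.0 the Java runtime is maintained by the administrator.
        if java_version_line is None:
            return "check separately installed Java"
        return java_status(java_version_line)
    fixed = FIXED_IAM.get(version[:2])
    if fixed is not None:
        target = ".".join(str(n) for n in fixed)
        return "fixed" if version >= fixed else f"update to {target}"
    if version[:2] < min(FIXED_IAM):
        return "update to a fixed branch"  # no fix listed for this branch
    return "not covered by this advisory"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    print(iam_status("7.5.3"))
    print(iam_status("6.4", 'openjdk version "11.0.16.1" 2022-08-12'))
```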

Component: 
Authentication service
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution