The mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
Airlock does not use mod_session_dbd but implements its own Airlock Secure Session. Airlock is not affected.
To protect back-end servers, Airlock replaces back-end session handling with the Airlock Secure Session. Back-end session cookies are not exposed.
The default configuration of Airlock secures the back-end servers. No action is required. Nevertheless, we recommend updating vulnerable back-end software: update Apache HTTP Server 2.4 installations to version >= 2.4.6.