Oracle CPU October 2017 - Java (WAF and Login/IAM)

Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for October 2017 includes updates for Java SE [1] that fix several vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules.

Airlock Login/IAM relies on a separately installed Java environment. This Java runtime environment is maintained by the system administrator.

Airlock WAF and Login/IAM are not affected.

Details

  • CVE-2017-10388
    Affects the Java Kerberos client, which is not used in Airlock WAF and Login/IAM. The Airlock Suite is therefore not vulnerable.
  • CVE-2017-10281
    Affects Java deserialization. Airlock WAF and Login/IAM are not affected because deserialization is only performed on trusted data.
  • CVE-2017-10295
    Affects applications using HttpURLConnection with attacker-controlled URLs. Airlock WAF and Login/IAM are not affected because the URLs used with HttpURLConnection are trusted.
  • CVE-2017-10356
    Affects Java Keystores and may allow password guessing attacks. Airlock WAF does not use Java Keystore files and is therefore not affected. The keystore files used by Airlock Login/IAM reside on the server and are therefore in a protected environment.
  • CVE-2017-10345
    Affects Java Keystores and may allow high memory consumption. Airlock WAF does not use Java Keystore files and is therefore not affected. As Airlock Login/IAM only reads trusted Keystore files, it is not vulnerable.
  • CVE-2017-10355
    Affects Java applications establishing an FTP connection. FTP is not used in Airlock WAF and Airlock Login/IAM.
  • CVE-2016-10165
    Affects Java 2D, which is not used by Airlock.
  • CVE-2017-10110, CVE-2017-10089, CVE-2017-10086, CVE-2017-10096, CVE-2017-10101, CVE-2017-10087, CVE-2017-10090, CVE-2017-10111, CVE-2017-10107, CVE-2017-10114, CVE-2017-10074, CVE-2017-10067, CVE-2017-10125, CVE-2017-10109, CVE-2017-10105, CVE-2017-10081, CVE-2017-10193
    Only affect client deployments that run untrusted code or the Java Advanced Management Console. Airlock WAF and Login/IAM are not affected.
Resolution: 

No action required for Airlock WAF, Airlock WAF add-on modules and Airlock Login/IAM.

General Advice:

  • We recommend regular updates of the Java SE installation used by Airlock Login/IAM.
  • We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required