
Oracle CPU January 2019 - Java (WAF and Login/IAM)

IDs: 
CVE-2019-2540, CVE-2018-11212, CVE-2019-2426, CVE-2019-2449, CVE-2019-2422
Keywords: 
java, cpu, Oracle Critical Patch Update
Description: 

The Oracle Critical Patch Update for January 2019 includes updates for Java SE [1] that fix several vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules. In particular, Airlock Login on WAF runs on Java.

Airlock Login/IAM before version 7.0 relies on a separately installed Java environment; that Java runtime environment is maintained (and therefore also patched) by the system administrator.

Airlock WAF and Login/IAM are not affected.

Details:

  • CVE-2019-2540
    Allows an unauthenticated attacker with network access via multiple protocols to compromise the Java Advanced Management Console. Successful exploitation also requires human interaction from a person other than the attacker. The Advanced Management Console is a separate Oracle product for managing Java client deployments, so the risk for the Airlock Suite is negligible.
  • CVE-2018-11212
    A denial of service (DoS) is possible through specially crafted image input. The Airlock Suite does not read untrusted image input data and is therefore not affected.
  • CVE-2019-2426
    On Microsoft Windows, transparent NTLM authentication in the HTTP client can leak information to untrusted servers. Airlock IAM and WAF only communicate with trusted servers and are therefore not affected.
  • CVE-2019-2449
    Applications that run untrusted code can be subjected to a partial denial of service (DoS) by that code. This typically applies to Java Web Start applications or sandboxed Java applets. The Airlock Suite does not run untrusted code and is therefore not affected.
  • CVE-2019-2422
    Applications that run untrusted code can allow that code to read a limited amount of JVM memory and possibly leak sensitive information. This typically applies to Java Web Start applications or sandboxed Java applets. The Airlock Suite does not run untrusted code and is therefore not affected.
Resolution: 

General Advice: We strongly recommend updating all client deployments of Java and uninstalling Java from clients where it is not needed.
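A check for the administrator-maintained Java runtime (Login/IAM before 7.0) and for the client deployments mentioned above, added here as an example and not code from the original advisory or from Airlock: it extracts the quoted version from a `java -version` banner and compares it with the Java SE releases that ship the January 2019 CPU fixes, which per Oracle's CPU advisory are 7u211, 8u201 and 11.0.2. The function names `parse_java_version` and `java_patched`, the exit-code convention and the sample banner are constructed for this example; other release lines (6, 9, 10, 12) are reported as not covered rather than guessed.

```shell
#!/bin/sh
# Added example (not part of the Airlock advisory): is a Java runtime at or
# above the Oracle CPU January 2019 level? Fixed releases per Oracle's CPU
# advisory: 7u211, 8u201 (8u202 is the PSU), 11.0.2.

# parse_java_version BANNER: print the quoted version from `java -version`
# output, e.g. 'java version "1.8.0_181"' -> 1.8.0_181 (empty if absent).
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[^"]*version "\([^"]*\)".*$/\1/p' | head -n 1
}

# java_patched VERSION: 0 = at/above the January 2019 level of its line,
# 1 = update required, 2 = release line not covered by this check.
java_patched() {
    v="$1"
    case "$v" in
        1.7.0_*)
            upd="${v#1.7.0_}"; upd="${upd%%[!0-9]*}"       # "211-b12" -> 211
            [ "${upd:-0}" -ge 211 ] ;;
        1.8.0_*)
            upd="${v#1.8.0_}"; upd="${upd%%[!0-9]*}"       # "181" -> 181
            [ "${upd:-0}" -ge 201 ] ;;
        11|11.*)
            rest="${v#11}"; rest="${rest#.}"               # "11.0.2" -> "0.2"
            minor="${rest%%.*}"; minor="${minor%%[!0-9]*}"
            patch="${rest#*.}"; [ "$patch" = "$rest" ] && patch=0
            patch="${patch%%[!0-9]*}"                      # "2+9" -> 2
            [ "${minor:-0}" -gt 0 ] || [ "${patch:-0}" -ge 2 ] ;;
        *)
            return 2 ;;
    esac
}

# Check the runtime on PATH, if there is one (skipped when java is absent).
if command -v java >/dev/null 2>&1; then
    ver=$(parse_java_version "$(java -version 2>&1)")
    java_patched "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "java $ver: at or above the CPU January 2019 level" ;;
        1) echo "java $ver: UPDATE REQUIRED" ;;
        *) echo "java $ver: release line not covered by this check" ;;
    esac
fi
```

The version comparison is done on the quoted string only, because `java -version` prints the build number on a separate line and OpenJDK builds prefix the banner with `openjdk` instead of `java`; both cases are handled by matching on `version "..."`.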

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required