Security update for java-1_8_0-ibm

Announcement ID:	SUSE-SU-2019:1308-2
Rating:	important
References:	bsc#1132728 bsc#1132729 bsc#1132732 bsc#1132734 bsc#1134718
Cross-References:	CVE-2019-10245 CVE-2019-2602 CVE-2019-2684 CVE-2019-2697 CVE-2019-2698
CVSS scores:	CVE-2019-10245 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-10245 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-2602 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-2602 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-2602 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-2684 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-2684 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-2684 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-2697 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-2697 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-2697 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-2698 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-2698 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-2698 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Legacy Module 15-SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves five vulnerabilities can now be installed.

Description:

This update for java-1_8_0-ibm fixes the following issues:

Update to Java 8.0 Service Refresh 5 Fix Pack 35.

Security issues fixed:

• CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).
• CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
• CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).
• CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
• CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Legacy Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2019-1308=1

Package List:

• Legacy Module 15-SP1 (nosrc ppc64le s390x x86_64)
  • java-1_8_0-ibm-1.8.0_sr5.35-3.20.1
• Legacy Module 15-SP1 (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr5.35-3.20.1
• Legacy Module 15-SP1 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr5.35-3.20.1
  • java-1_8_0-ibm-plugin-1.8.0_sr5.35-3.20.1

References:

• https://www.suse.com/security/cve/CVE-2019-10245.html
• https://www.suse.com/security/cve/CVE-2019-2602.html
• https://www.suse.com/security/cve/CVE-2019-2684.html
• https://www.suse.com/security/cve/CVE-2019-2697.html
• https://www.suse.com/security/cve/CVE-2019-2698.html
• https://bugzilla.suse.com/show_bug.cgi?id=1132728
• https://bugzilla.suse.com/show_bug.cgi?id=1132729
• https://bugzilla.suse.com/show_bug.cgi?id=1132732
• https://bugzilla.suse.com/show_bug.cgi?id=1132734
• https://bugzilla.suse.com/show_bug.cgi?id=1134718