Security update for java-1_8_0-ibm

Announcement ID: SUSE-SU-2023:1850-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2022-21426 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2022-21426 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2023-21830 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2023-21830 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2023-21835 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2023-21835 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2023-21843 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2023-21843 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • Legacy Module 15-SP4
  • openSUSE Leap 15.4
  • SUSE CaaS Platform 4.0
  • SUSE Enterprise Storage 7
  • SUSE Enterprise Storage 7.1
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3

An update that solves four vulnerabilities can now be installed.

Description:

This update for java-1_8_0-ibm fixes the following issues:

  • Update to Java 8.0 Service Refresh 8 (bsc#1208480):

  • Security fixes:

    • CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
    • CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
    • CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
  • New Features/Enhancements:

    • Add RSA-PSS signature to IBMJCECCA.
  • Defect Fixes:
    • IJ45437 Service, Build, Packaging and Deliver: Getting FIPSRUNTIMEEXCEPTION when calling java code: MESSAGEDIGEST.GETINSTANCE("SHA256", "IBMJCEFIPS"); in MAC
    • IJ45272 Class Libraries: Fix security vulnerability CVE-2023-21843
    • IJ45280 Class Libraries: Update timezone information to the latest TZDATA2022F
    • IJ44896 Class Libraries: Update timezone information to the latest TZDATA2022G
    • IJ45436 Java Virtual Machine: Stack walking code gets into endless loop, hanging the application
    • IJ44079 Java Virtual Machine: When -DFILE.ENCODING is specified multiple times on the same command line the first option takes precedence instead of the last
    • IJ44532 JIT Compiler: Java JIT: Crash in DECREFERENCECOUNT() due to a NULL pointer
    • IJ44596 JIT Compiler: Java JIT: Invalid hard-coding of static final field object properties
    • IJ44107 JIT Compiler: JIT publishes new object reference to other threads without executing a memory flush
    • IX90193 ORB: Fix security vulnerability CVE-2023-21830
    • IJ44267 Security: 8273553: SSLENGINEIMPL.CLOSEINBOUND also has similar error of JDK-8253368
    • IJ45148 Security: code changes for tech preview
    • IJ44621 Security: Computing Diffie-Hellman secret repeatedly, using IBMJCEPLUS, causes a small memory leak
    • IJ44172 Security: Disable SHA-1 signed jars for EA
    • IJ44040 Security: Generating Diffie-Hellman key pairs repeatedly, using IBMJCEPLUS, Causes a small memory leak
    • IJ45200 Security: IBMJCEPLUS provider, during CHACHA20-POLY1305 crypto operations, incorrectly throws an ILLEGALSTATEEXCEPTION
    • IJ45182 Security: IBMJCEPLUS provider fails in RSAPSS and ECDSA during signature operations resulting in Java cores
    • IJ45201 Security: IBMJCEPLUS provider failures (two) with AESGCM algorithm
    • IJ45202 Security: KEYTOOL NPE if signing certificate does not contain a SUBJECTKEYIDENTIFIER extension
    • IJ44075 Security: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY() method uses SHA1XXXX signature algorithms to match private and public keys
    • IJ45203 Security: RSAPSS multiple names for KEYTYPE
    • IJ43920 Security: The PKCS12 keystore update and the PBES2 support
    • IJ40002 XML: Fix security vulnerability CVE-2022-21426

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2023-1850=1
  • Legacy Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Legacy-15-SP4-2023-1850=1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-1850=1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-1850=1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-1850=1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-1850=1
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-1850=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-1850=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-1850=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-1850=1
  • SUSE Enterprise Storage 7.1
    zypper in -t patch SUSE-Storage-7.1-2023-1850=1
  • SUSE Enterprise Storage 7
    zypper in -t patch SUSE-Storage-7-2023-1850=1
  • SUSE CaaS Platform 4.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • openSUSE Leap 15.4 (nosrc ppc64le s390x x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • openSUSE Leap 15.4 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-32bit-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-32bit-1.8.0_sr8.0-150000.3.71.1
  • openSUSE Leap 15.4 (ppc64le s390x x86_64)
    • java-1_8_0-ibm-src-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-demo-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • Legacy Module 15-SP4 (nosrc ppc64le s390x x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • Legacy Module 15-SP4 (ppc64le s390x x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • Legacy Module 15-SP4 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (nosrc x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (nosrc x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (nosrc ppc64le s390x x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (ppc64le s390x x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (nosrc ppc64le s390x x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (ppc64le s390x x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (nosrc ppc64le s390x x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (ppc64le s390x x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1 (nosrc ppc64le x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2 (nosrc ppc64le x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3 (nosrc ppc64le x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Enterprise Storage 7.1 (nosrc x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Enterprise Storage 7.1 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE Enterprise Storage 7 (nosrc x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE Enterprise Storage 7 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1
  • SUSE CaaS Platform 4.0 (nosrc x86_64)
    • java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1
  • SUSE CaaS Platform 4.0 (x86_64)
    • java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1
    • java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1

References: