Security update for java-1_8_0-ibm

Announcement ID:	SUSE-SU-2023:1823-1
Rating:	moderate
References:	bsc#1207246 bsc#1207248 bsc#1207249 bsc#1208480
Cross-References:	CVE-2022-21426 CVE-2023-21830 CVE-2023-21835 CVE-2023-21843
CVSS scores:	CVE-2022-21426 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2022-21426 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-21830 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21830 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21835 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-21835 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-21843 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21843 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9

An update that solves four vulnerabilities can now be installed.

Description:

This update for java-1_8_0-ibm fixes the following issues:

• Update to Java 8.0 Service Refresh 8 (bsc#1208480):

• Security fixes:

  • CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
  • CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
  • CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).

• New Features/Enhancements:

  • Add RSA-PSS signature to IBMJCECCA.
• Defect Fixes:
  • IJ45437 Service, Build, Packaging and Deliver: Getting FIPSRUNTIMEEXCEPTION when calling java code: MESSAGEDIGEST.GETINSTANCE("SHA256", "IBMJCEFIPS"); in MAC
  • IJ45272 Class Libraries: Fix security vulnerability CVE-2023-21843
  • IJ45280 Class Libraries: Update timezone information to the latest TZDATA2022F
  • IJ44896 Class Libraries: Update timezone information to the latest TZDATA2022G
  • IJ45436 Java Virtual Machine: Stack walking code gets into endless loop, hanging the application
  • IJ44079 Java Virtual Machine: When -DFILE.ENCODING is specified multiple times on the same command line the first option takes precedence instead of the last
  • IJ44532 JIT Compiler: Java JIT: Crash in DECREFERENCECOUNT() due to a NULL pointer
  • IJ44596 JIT Compiler: Java JIT: Invalid hard-coding of static final field object properties
  • IJ44107 JIT Compiler: JIT publishes new object reference to other threads without executing a memory flush
  • IX90193 ORB: Fix security vulnerability CVE-2023-21830
  • IJ44267 Security: 8273553: SSLENGINEIMPL.CLOSEINBOUND also has similar error of JDK-8253368
  • IJ45148 Security: code changes for tech preview
  • IJ44621 Security: Computing Diffie-Hellman secret repeatedly, using IBMJCEPLUS, causes a small memory leak
  • IJ44172 Security: Disable SHA-1 signed jars for EA
  • IJ44040 Security: Generating Diffie-Hellman key pairs repeatedly, using IBMJCEPLUS, Causes a small memory leak
  • IJ45200 Security: IBMJCEPLUS provider, during CHACHA20-POLY1305 crypto operations, incorrectly throws an ILLEGALSTATEEXCEPTION
  • IJ45182 Security: IBMJCEPLUS provider fails in RSAPSS and ECDSA during signature operations resulting in Java cores
  • IJ45201 Security: IBMJCEPLUS provider failures (two) with AESGCM algorithm
  • IJ45202 Security: KEYTOOL NPE if signing certificate does not contain a SUBJECTKEYIDENTIFIER extension
  • IJ44075 Security: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY() method uses SHA1XXXX signature algorithms to match private and public keys
  • IJ45203 Security: RSAPSS multiple names for KEYTYPE
  • IJ43920 Security: The PKCS12 keystore update and the PBES2 support
  • IJ40002 XML: Fix security vulnerability CVE-2022-21426

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 9
  zypper in -t patch SUSE-OpenStack-Cloud-9-2023-1823=1
• SUSE OpenStack Cloud Crowbar 9
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2023-1823=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2023-1823=1
• SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-1823=1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2023-1823=1
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2023-1823=1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2023-1823=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-1823=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-1823=1
• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-1823=1

Package List:

• SUSE OpenStack Cloud 9 (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE OpenStack Cloud 9 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE OpenStack Cloud Crowbar 9 (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE OpenStack Cloud Crowbar 9 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (nosrc ppc64le x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Software Development Kit 12 SP5 (nosrc)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Software Development Kit 12 SP5 (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (nosrc ppc64le s390x x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (nosrc ppc64le x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP5 (nosrc ppc64le s390x x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP5 (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise Server 12 SP5 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.0-30.105.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-devel-1.8.0_sr8.0-30.105.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.0-30.105.1

References:

• https://www.suse.com/security/cve/CVE-2022-21426.html
• https://www.suse.com/security/cve/CVE-2023-21830.html
• https://www.suse.com/security/cve/CVE-2023-21835.html
• https://www.suse.com/security/cve/CVE-2023-21843.html
• https://bugzilla.suse.com/show_bug.cgi?id=1207246
• https://bugzilla.suse.com/show_bug.cgi?id=1207248
• https://bugzilla.suse.com/show_bug.cgi?id=1207249
• https://bugzilla.suse.com/show_bug.cgi?id=1208480