Security update for java-1_8_0-ibm

Announcement ID:	SUSE-SU-2023:3406-1
Rating:	important
References:	bsc#1214431
Cross-References:	CVE-2022-40609 CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22044 CVE-2023-22045 CVE-2023-22049 CVE-2023-25193
CVSS scores:	CVE-2022-40609 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-40609 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2023-22006 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2023-22006 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2023-22036 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-22036 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-22041 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-22041 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-22044 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2023-22044 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2023-22045 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2023-22045 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2023-22049 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-22049 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-25193 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-25193 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5

An update that solves eight vulnerabilities can now be installed.

Description:

This update for java-1_8_0-ibm fixes the following issues:

• Update to Java 8.0 Service Refresh 8 Fix Pack 10 (bsc#1213541)
• CVE-2022-40609: Fixed an unsafe deserialization flaw which could allow a remote attacker to execute arbitrary code on the system. (bsc#1213934)
• CVE-2023-22041: Fixed a flaw whcih could allow unauthorized access to critical data or complete access. (bsc#1213475)
• CVE-2023-22049: Fixed a flaw which could result in unauthorized update. (bsc#1213482)
• CVE-2023-22045: Fixed a flaw which could result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (bsc#1213481)
• CVE-2023-22044: Fixed a flaw which could result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (bsc#1213479)
• CVE-2023-22036: Fixed a flaw which could result in unauthorized ability to cause a partial denial of service. (bsc#1213474)
• CVE-2023-25193: Fixed a flaw which could allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. (bsc#1207922)
• CVE-2023-22006: Fixed a flaw which could result in unauthorized update, insert or delete access for JDK accessible data. (bsc#1213473)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-3406=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-3406=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-3406=1
• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-3406=1

Package List:

• SUSE Linux Enterprise Software Development Kit 12 SP5 (nosrc)
  • java-1_8_0-ibm-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Software Development Kit 12 SP5 (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (nosrc ppc64le x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.10-30.114.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Server 12 SP5 (nosrc ppc64le s390x x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Server 12 SP5 (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise Server 12 SP5 (x86_64)
  • java-1_8_0-ibm-alsa-1.8.0_sr8.10-30.114.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.10-30.114.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.10-30.114.1
  • java-1_8_0-ibm-alsa-1.8.0_sr8.10-30.114.1
  • java-1_8_0-ibm-plugin-1.8.0_sr8.10-30.114.1

References:

• https://www.suse.com/security/cve/CVE-2022-40609.html
• https://www.suse.com/security/cve/CVE-2023-22006.html
• https://www.suse.com/security/cve/CVE-2023-22036.html
• https://www.suse.com/security/cve/CVE-2023-22041.html
• https://www.suse.com/security/cve/CVE-2023-22044.html
• https://www.suse.com/security/cve/CVE-2023-22045.html
• https://www.suse.com/security/cve/CVE-2023-22049.html
• https://www.suse.com/security/cve/CVE-2023-25193.html
• https://bugzilla.suse.com/show_bug.cgi?id=1214431