Описание
Security update for java-1_8_0-ibm
This update for java-1_8_0-ibm fixes the following issues:
-
Update to Java 8.0 Service Refresh 8 (bsc#1208480):
-
Security fixes:
- CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
-
New Features/Enhancements:
- Add RSA-PSS signature to IBMJCECCA.
-
Defect Fixes:
- IJ45437 Service, Build, Packaging and Deliver: Getting FIPSRUNTIMEEXCEPTION when calling java code: MESSAGEDIGEST.GETINSTANCE('SHA256', 'IBMJCEFIPS'); in MAC
- IJ45272 Class Libraries: Fix security vulnerability CVE-2023-21843
- IJ45280 Class Libraries: Update timezone information to the latest TZDATA2022F
- IJ44896 Class Libraries: Update timezone information to the latest TZDATA2022G
- IJ45436 Java Virtual Machine: Stack walking code gets into endless loop, hanging the application
- IJ44079 Java Virtual Machine: When -DFILE.ENCODING is specified multiple times on the same command line the first option takes precedence instead of the last
- IJ44532 JIT Compiler: Java JIT: Crash in DECREFERENCECOUNT() due to a NULL pointer
- IJ44596 JIT Compiler: Java JIT: Invalid hard-coding of static final field object properties
- IJ44107 JIT Compiler: JIT publishes new object reference to other threads without executing a memory flush
- IX90193 ORB: Fix security vulnerability CVE-2023-21830
- IJ44267 Security: 8273553: SSLENGINEIMPL.CLOSEINBOUND also has similar error of JDK-8253368
- IJ45148 Security: code changes for tech preview
- IJ44621 Security: Computing Diffie-Hellman secret repeatedly, using IBMJCEPLUS, causes a small memory leak
- IJ44172 Security: Disable SHA-1 signed jars for EA
- IJ44040 Security: Generating Diffie-Hellman key pairs repeatedly, using IBMJCEPLUS, Causes a small memory leak
- IJ45200 Security: IBMJCEPLUS provider, during CHACHA20-POLY1305 crypto operations, incorrectly throws an ILLEGALSTATEEXCEPTION
- IJ45182 Security: IBMJCEPLUS provider fails in RSAPSS and ECDSA during signature operations resulting in Java cores
- IJ45201 Security: IBMJCEPLUS provider failures (two) with AESGCM algorithm
- IJ45202 Security: KEYTOOL NPE if signing certificate does not contain a SUBJECTKEYIDENTIFIER extension
- IJ44075 Security: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY() method uses SHA1XXXX signature algorithms to match private and public keys
- IJ45203 Security: RSAPSS multiple names for KEYTYPE
- IJ43920 Security: The PKCS12 keystore update and the PBES2 support
- IJ40002 XML: Fix security vulnerability CVE-2022-21426
-
Список пакетов
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP2-SAP-Azure
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP2-SAP-BYOS-Azure
Image SLES15-SP2-SAP-BYOS-EC2-HVM
Image SLES15-SP2-SAP-BYOS-GCE
Image SLES15-SP2-SAP-EC2-HVM
Image SLES15-SP2-SAP-GCE
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP3-SAPCAL-Azure
Image SLES15-SP3-SAPCAL-EC2-HVM
Image SLES15-SP3-SAPCAL-GCE
Image SLES15-SP4-SAP
Image SLES15-SP4-SAP-Azure
Image SLES15-SP4-SAP-Azure-LI-BYOS
Image SLES15-SP4-SAP-Azure-LI-BYOS-Production
Image SLES15-SP4-SAP-Azure-VLI-BYOS
Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP4-SAP-EC2
Image SLES15-SP4-SAP-GCE
Image SLES15-SP4-SAPCAL
Image SLES15-SP4-SAPCAL-Azure
Image SLES15-SP4-SAPCAL-EC2
Image SLES15-SP4-SAPCAL-GCE
Image SLES15-SP5-SAP-Azure
Image SLES15-SP5-SAP-Azure-LI-BYOS
Image SLES15-SP5-SAP-Azure-LI-BYOS-Production
Image SLES15-SP5-SAP-Azure-VLI-BYOS
Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP5-SAP-EC2
Image SLES15-SP5-SAP-GCE
Image SLES15-SP5-SAPCAL-Azure
Image SLES15-SP5-SAPCAL-EC2
Image SLES15-SP5-SAPCAL-GCE
Image SLES15-SP6-SAP
Image SLES15-SP6-SAP-Azure
Image SLES15-SP6-SAP-Azure-LI-BYOS
Image SLES15-SP6-SAP-Azure-LI-BYOS-Production
Image SLES15-SP6-SAP-Azure-VLI-BYOS
Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP6-SAP-EC2
Image SLES15-SP6-SAP-GCE
Image SLES15-SP6-SAPCAL
Image SLES15-SP6-SAPCAL-Azure
Image SLES15-SP6-SAPCAL-EC2
Image SLES15-SP6-SAPCAL-GCE
SUSE Enterprise Storage 7
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise Module for Legacy 15 SP4
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server 15 SP2-LTSS
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Linux Enterprise Server for SAP Applications 15 SP3
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2023:1850-1
- E-Mail link for SUSE-SU-2023:1850-1
- SUSE Security Ratings
- SUSE Bug 1207246
- SUSE Bug 1207248
- SUSE Bug 1207249
- SUSE Bug 1208480
- SUSE CVE CVE-2022-21426 page
- SUSE CVE CVE-2023-21830 page
- SUSE CVE CVE-2023-21835 page
- SUSE CVE CVE-2023-21843 page
Описание
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Затронутые продукты
Ссылки
- CVE-2022-21426
- SUSE Bug 1198672
- SUSE Bug 1201643
Описание
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Затронутые продукты
Ссылки
- CVE-2023-21830
- SUSE Bug 1207249
Описание
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Затронутые продукты
Ссылки
- CVE-2023-21835
- SUSE Bug 1207246
Описание
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Затронутые продукты
Ссылки
- CVE-2023-21843
- SUSE Bug 1207248