SUSE SLES15: java-1_8_0-ibm / java-1_8_0-ibm-32bit / java-1_8_0-ibm-alsa / etc (SUSE-SU-2023:1850-1)

low Nessus Plugin ID 174375

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1850-1 advisory.

- Update to Java 8.0 Service Refresh 8 (bsc#1208480):

* Security fixes:
- CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).

* New Features/Enhancements:
- Add RSA-PSS signature to IBMJCECCA.
* Defect Fixes:
- IJ45437 Service, Build, Packaging and Deliver: Getting FIPSRUNTIMEEXCEPTION when calling java code:
MESSAGEDIGEST.GETINSTANCE('SHA256', 'IBMJCEFIPS'); in MAC
- IJ45272 Class Libraries: Fix security vulnerability CVE-2023-21843
- IJ45280 Class Libraries: Update timezone information to the latest TZDATA2022F
- IJ44896 Class Libraries: Update timezone information to the latest TZDATA2022G
- IJ45436 Java Virtual Machine: Stack walking code gets into endless loop, hanging the application
- IJ44079 Java Virtual Machine: When -DFILE.ENCODING is specified multiple times on the same command line the first option takes precedence instead of the last
- IJ44532 JIT Compiler: Java JIT: Crash in DECREFERENCECOUNT() due to a NULL pointer
- IJ44596 JIT Compiler: Java JIT: Invalid hard-coding of static final field object properties
- IJ44107 JIT Compiler: JIT publishes new object reference to other threads without executing a memory flush
- IX90193 ORB: Fix security vulnerability CVE-2023-21830
- IJ44267 Security: 8273553: SSLENGINEIMPL.CLOSEINBOUND also has similar error of JDK-8253368
- IJ45148 Security: code changes for tech preview
- IJ44621 Security: Computing Diffie-Hellman secret repeatedly, using IBMJCEPLUS, causes a small memory leak
- IJ44172 Security: Disable SHA-1 signed jars for EA
- IJ44040 Security: Generating Diffie-Hellman key pairs repeatedly, using IBMJCEPLUS, Causes a small memory leak
- IJ45200 Security: IBMJCEPLUS provider, during CHACHA20-POLY1305 crypto operations, incorrectly throws an ILLEGALSTATEEXCEPTION
- IJ45182 Security: IBMJCEPLUS provider fails in RSAPSS and ECDSA during signature operations resulting in Java cores
- IJ45201 Security: IBMJCEPLUS provider failures (two) with AESGCM algorithm
- IJ45202 Security: KEYTOOL NPE if signing certificate does not contain a SUBJECTKEYIDENTIFIER extension
- IJ44075 Security: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY() method uses SHA1XXXX signature algorithms to match private and public keys
- IJ45203 Security: RSAPSS multiple names for KEYTYPE
- IJ43920 Security: The PKCS12 keystore update and the PBES2 support
- IJ40002 XML: Fix security vulnerability CVE-2022-21426

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1207246

https://bugzilla.suse.com/1207248

https://bugzilla.suse.com/1207249

https://bugzilla.suse.com/1208480

https://lists.suse.com/pipermail/sle-updates/2023-April/028817.html

https://www.suse.com/security/cve/CVE-2022-21426

https://www.suse.com/security/cve/CVE-2023-21830

https://www.suse.com/security/cve/CVE-2023-21835

https://www.suse.com/security/cve/CVE-2023-21843

Plugin Details

Severity: Low

ID: 174375

File Name: suse_SU-2023-1850-1.nasl

Version: 1.3

Type: Local

Agent: unix

Published: 4/15/2023

Updated: 6/25/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-21426

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2023-21830

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel, p-cpe:/a:novell:suse_linux:java-1_8_0-ibm, p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa, p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2023

Vulnerability Publication Date: 4/17/2022

Reference Information

CVE: CVE-2022-21426, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843

SuSE: SUSE-SU-2023:1850-1