openSUSE 15: java-17-openjdk / java-17-openjdk-demo / java-17-openjdk-devel / etc (SUSE-SU-2023:3023-1)

medium Nessus Plugin ID 179116

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3023-1 advisory.

Updated to version jdk-17.0.8+7 (July 2023 CPU):

- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473).
- CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474).
- CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475).
- CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479).
- CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481).
- CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482).
- CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).

- JDK-8294323: Improve Shared Class Data
- JDK-8296565: Enhanced archival support
- JDK-8298676, JDK-8300891: Enhanced Look and Feel
- JDK-8300285: Enhance TLS data handling
- JDK-8300596: Enhance Jar Signature validation
- JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
- JDK-8302475: Enhance HTTP client file downloading
- JDK-8302483: Enhance ZIP performance
- JDK-8303376: Better launching of JDI
- JDK-8304460: Improve array usages
- JDK-8304468: Better array usages
- JDK-8305312: Enhanced path handling
- JDK-8308682: Enhance AES performance

Bugfixes:

- JDK-8178806: Better exception logging in crypto code
- JDK-8201516: DebugNonSafepoints generates incorrect information
- JDK-8224768: Test ActalisCA.java fails
- JDK-8227060: Optimize safepoint cleanup subtask order
- JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError
- JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
- JDK-8244976: vmTestbase/nsk/jdi/Event/request/request001.java doesn't initialize eName
- JDK-8245877: assert(_value != __null) failed: resolving NULL _value in JvmtiExport::post_compiled_method_load
- JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken
- JDK-8252990: Intrinsify Unsafe.storeStoreFence
- JDK-8254711: Add java.security.Provider.getService JFR Event
- JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates
- JDK-8261495: Shenandoah: reconsider update references memory ordering
- JDK-8268288: jdk/jfr/api/consumer/streaming/TestOutOfProcessMigration.java fails with 'Error: ShouldNotReachHere()'
- JDK-8268298: jdk/jfr/api/consumer/log/TestVerbosity.java fails: unexpected log message
- JDK-8268582: javadoc throws NPE with --ignore-source-errors option
- JDK-8269821: Remove is-queue-active check in inner loop of write_ref_array_pre_work
- JDK-8270434: JDI+UT: Unexpected event in JDI tests
- JDK-8270859: Post JEP 411 refactoring: client libs with maximum covering > 10K
- JDK-8270869: G1ServiceThread may not terminate
- JDK-8271519: java/awt/event/SequencedEvent/MultipleContextsFunctionalTest.java failed with 'Total [200] - Expected [400]'
- JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can still fail with 'ERROR: new event is not ThreadStartEvent'
- JDK-8274243: Implement fast-path for ASCII-compatible CharsetEncoders on aarch64
- JDK-8274615: Support relaxed atomic add for linux-aarch64
- JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
- JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression
- JDK-8275287: Relax memory ordering constraints on updating instance class and array class counters
- JDK-8275721: Name of UTC timezone in a locale changes depending on previous code
- JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit)
- JDK-8276058: Some swing test fails on specific CI macos system
- JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/bug6276188.java fails to compile after JDK-8276058
- JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905
- JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly identify it as pause
- JDK-8278434: timeouts in test java/time/test/java/time/format/TestZoneTextPrinterParser.java
- JDK-8278834: Error 'Cannot read field 'sym' because 'this.lvar[od]' is null' when compiling
- JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error
- JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test
- JDK-8282227: Locale information for nb is not working properly
- JDK-8282704: runtime/Thread/StopAtExit.java may leak memory
- JDK-8283057: Update GCC to version 11.2.0 for Oracle builds on Linux
- JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2
- JDK-8283520: JFR: Memory leak in dcmd_arena
- JDK-8283566: G1: Improve G1BarrierSet::enqueue performance
- JDK-8284331: Add sanity check for signal handler modification warning.
- JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java failed with Default Button not pressed for L&F: com.sun.java.swing.plaf.motif.MotifLookAndFeel
- JDK-8285987: executing shell scripts without #! fails on Alpine linux
- JDK-8286191: misc tests fail due to JDK-8285987
- JDK-8286287: Reading file as UTF-16 causes Error which 'shouldn't happen'
- JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator
- JDK-8286346: 3-parameter version of AllocateHeap should not ignore AllocFailType
- JDK-8286398: Address possibly lossy conversions in jdk.internal.le
- JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code
- JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider
- JDK-8287541: Files.writeString fails to throw IOException for charset 'windows-1252'
- JDK-8287854: Dangling reference in ClassVerifier::verify_class
- JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable
- JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies
- JDK-8288589: Files.readString ignores encoding errors for UTF-16
- JDK-8289509: Improve test coverage for XPath Axes: descendant, descendant-or-self, following, following-sibling
- JDK-8289735: UTIL_LOOKUP_PROGS fails on paths with space
- JDK-8289949: Improve test coverage for XPath: operators
- JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is subject to undefined behavior
- JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
- JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
- JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
- JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected
- JDK-8292301: [REDO v2] C2 crash when allocating array of size too large
- JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests resilience under spurious failures
- JDK-8292713: Unsafe.allocateInstance should be intrinsified without UseUnalignedAccesses
- JDK-8292755: Non-default method in interface leads to a stack overflow in JShell
- JDK-8292990: Improve test coverage for XPath Axes: parent
- JDK-8293295: Add type check asserts to java_lang_ref_Reference accessors
- JDK-8293492: ShenandoahControlThread missing from hs-err log and thread dump
- JDK-8293858: Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
- JDK-8293887: AArch64 build failure with GCC 12 due to maybe-uninitialized warning in libfdlibm k_rem_pio2.c
- JDK-8294183: AArch64: Wrong macro check in SharedRuntime::generate_deopt_blob
- JDK-8294281: Allow warnings to be disabled on a per-file basis
- JDK-8294673: JFR: Add SecurityProviderService#threshold to TestActiveSettingEvent.java
- JDK-8294717: (bf) DirectByteBuffer constructor will leak if allocating Deallocator or Cleaner fails with OOME
- JDK-8294906: Memory leak in PKCS11 NSS TLS server
- JDK-8295564: Norwegian Nynorsk Locale is missing formatting
- JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
- JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java fails intermittently on a VM
- JDK-8296318: use-def assert: special case undetected loops nested in infinite loops
- JDK-8296343: CPVE thrown on missing content-length in OCSP response
- JDK-8296412: Special case infinite loops with unmerged backedges in IdealLoopTree::check_safepts
- JDK-8296545: C2 Blackholes should allow load optimizations
- JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not
- JDK-8297000: [jib] Add more friendly warning for proxy issues
- JDK-8297154: Improve safepoint cleanup logging
- JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter
- JDK-8297587: Upgrade JLine to 3.22.0
- JDK-8297730: C2: Arraycopy intrinsic throws incorrect exception
- JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
- JDK-8298488: [macos13] tools/jpackage tests failing with 'Exit code: 137' on macOS
- JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
- JDK-8299179: ArrayFill with store on backedge needs to reduce length by 1
- JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
- JDK-8299544: Improve performance of CRC32C intrinsics (non-AVX-512) for small inputs
- JDK-8299570: [JVMCI] Insufficient error handling when CodeBuffer is exhausted
- JDK-8299959: C2: CmpU::Value must filter overflow computation against local sub computation
- JDK-8300042: Improve CPU related JFR events descriptions
- JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
- JDK-8300823: UB: Compile::_phase_optimize_finished is initialized too late
- JDK-8300939: sun/security/provider/certpath/OCSP/OCSPNoContentLength.java fails due to network errors
- JDK-8301050: Detect Xen Virtualization on Linux aarch64
- JDK-8301119: Support for GB18030-2022
- JDK-8301123: Enable Symbol refcounting underflow checks in PRODUCT
- JDK-8301190: [vectorapi] The typeChar of LaneType is incorrect when default locale is tr
- JDK-8301216: ForkJoinPool invokeAll() ignores timeout
- JDK-8301338: Identical branch conditions in CompileBroker::print_heapinfo
- JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
- JDK-8301637: ThreadLocalRandom.current().doubles().parallel() contention
- JDK-8301661: Enhance os::pd_print_cpu_info on macOS and Windows
- JDK-8302151: BMPImageReader throws an exception reading BMP images
- JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined must respect ForceInline
- JDK-8302320: AsyncGetCallTrace obtains too few frames in sanity test
- JDK-8302491: NoClassDefFoundError omits the original cause of an error
- JDK-8302508: Add timestamp to the output TraceCompilerThreads
- JDK-8302594: use-after-free in Node::destruct
- JDK-8302595: use-after-free related to GraphKit::clone_map
- JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
- JDK-8302849: SurfaceManager might expose partially constructed object
- JDK-8303069: Memory leak in CompilerOracle::parse_from_line
- JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN
- JDK-8303130: Document required Accessibility permissions on macOS
- JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return
- JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8
- JDK-8303440: The 'ZonedDateTime.parse' may not accept the 'UTC+XX' zone id
- JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates
- JDK-8303476: Add the runtime version in the release file of a JDK image
- JDK-8303482: Update LCMS to 2.15
- JDK-8303508: Vector.lane() gets wrong value on x86
- JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during unrolling
- JDK-8303564: C2: 'Bad graph detected in build_loop_late' after a CMove is wrongly split thru phi
- JDK-8303575: adjust Xen handling on Linux aarch64
- JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return
- JDK-8303588: [JVMCI] make JVMCI source directories conform with standard layout
- JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
- JDK-8303822: gtestMain should give more helpful output
- JDK-8303861: Error handling step timeouts should never be blocked by OnError and others
- JDK-8303937: Corrupted heap dumps due to missing retries for os::write()
- JDK-8303949: gcc10 warning Linux ppc64le - note: the layout of aggregates containing vectors with 8-byte alignment has changed in GCC 5
- JDK-8304054: Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed
- JDK-8304063: tools/jpackage/share/AppLauncherEnvTest.java fails when checking LD_LIBRARY_PATH
- JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype
- JDK-8304291: [AIX] Broken build after JDK-8301998
- JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
- JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0
- JDK-8304671: javac regression: Compilation with --release 8 fails on underscore in enum identifiers
- JDK-8304683: Memory leak in WB_IsMethodCompatible
- JDK-8304760: Add 2 Microsoft TLS roots
- JDK-8304867: Explicitly disable dtrace for ppc builds
- JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with ZGC
- JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic
- JDK-8305113: (tz) Update Timezone Data to 2023c
- JDK-8305400: ISO 4217 Amendment 175 Update
- JDK-8305403: Shenandoah evacuation workers may deadlock
- JDK-8305481: gtest is_first_C_frame failing on ARM
- JDK-8305690: [X86] Do not emit two REX prefixes in Assembler::prefix
- JDK-8305711: Arm: C2 always enters slowpath for monitorexit
- JDK-8305721: add `make compile-commands` artifacts to .gitignore
- JDK-8305975: Add TWCA Global Root CA
- JDK-8305993: Add handleSocketErrorWithMessage to extend nio Net.c exception message
- JDK-8305994: Guarantee eventual async monitor deflation
- JDK-8306072: Open source several AWT MouseInfo related tests
- JDK-8306133: Open source few AWT Drag & Drop related tests
- JDK-8306409: Open source AWT KeyBoardFocusManger, LightWeightComponent related tests
- JDK-8306432: Open source several AWT Text Component related tests
- JDK-8306466: Open source more AWT Drag & Drop related tests
- JDK-8306489: Open source AWT List related tests
- JDK-8306543: GHA: MSVC installation is failing
- JDK-8306640: Open source several AWT TextArea related tests
- JDK-8306652: Open source AWT MenuItem related tests
- JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed
- JDK-8306664: GHA: Update MSVC version to latest stepping
- JDK-8306681: Open source more AWT DnD related tests
- JDK-8306683: Open source several clipboard and color AWT tests
- JDK-8306752: Open source several container and component AWT tests
- JDK-8306753: Open source several container AWT tests
- JDK-8306755: Open source few Swing JComponent and AbstractButton tests
- JDK-8306768: CodeCache Analytics reports wrong threshold
- JDK-8306774: Make runtime/Monitor/GuaranteedAsyncDeflationIntervalTest.java more reliable
- JDK-8306825: Monitor deflation might be accidentally disabled by zero intervals
- JDK-8306850: Open source AWT Modal related tests
- JDK-8306871: Open source more AWT Drag & Drop tests
- JDK-8306883: Thread stacksize is reported with wrong units in os::create_thread logging
- JDK-8306941: Open source several datatransfer and dnd AWT tests
- JDK-8306943: Open source several dnd AWT tests
- JDK-8306954: Open source five Focus related tests
- JDK-8306955: Open source several JComboBox jtreg tests
- JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
- JDK-8306996: Open source Swing MenuItem related tests
- JDK-8307080: Open source some more JComboBox jtreg tests
- JDK-8307128: Open source some drag and drop tests 4
- JDK-8307130: Open source few Swing JMenu tests
- JDK-8307133: Open source some JTable jtreg tests
- JDK-8307134: Add GTS root CAs
- JDK-8307135: java/awt/dnd/NotReallySerializableTest/NotReallySerializableTest.java failed
- JDK-8307331: Correctly update line maps when class redefine rewrites bytecodes
- JDK-8307346: Add missing gc+phases logging for ObjectCount(AfterGC) JFR event collection code
- JDK-8307347: serviceability/sa/ClhsdbDumpclass.java could leave files owned by root on macOS
- JDK-8307378: Allow collectors to provide specific values for GC notifications' actions
- JDK-8307381: Open Source JFrame, JIF related Swing Tests
- JDK-8307425: Socket input stream read burns CPU cycles with back-to-back poll(0) calls
- JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has invalid jtreg `@requires` clause
- JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not removed from ExternalEditorTest
- JDK-8308880: [17u] micro bench ZoneStrings missed in backport of 8278434
- JDK-8308884: [17u/11u] Backout JDK-8297951
- JDK-8311467: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.8

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1207922

https://bugzilla.suse.com/1213473

https://bugzilla.suse.com/1213474

https://bugzilla.suse.com/1213475

https://bugzilla.suse.com/1213479

https://bugzilla.suse.com/1213481

https://bugzilla.suse.com/1213482

https://lists.suse.com/pipermail/sle-updates/2023-July/030633.html

https://www.suse.com/security/cve/CVE-2023-22006

https://www.suse.com/security/cve/CVE-2023-22036

https://www.suse.com/security/cve/CVE-2023-22041

https://www.suse.com/security/cve/CVE-2023-22044

https://www.suse.com/security/cve/CVE-2023-22045

https://www.suse.com/security/cve/CVE-2023-22049

https://www.suse.com/security/cve/CVE-2023-25193

Plugin Details

Severity: Medium

ID: 179116

File Name: suse_SU-2023-3023-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 8/1/2023

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-22041

CVSS v3

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4.5

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2023

Vulnerability Publication Date: 2/4/2023

Reference Information

CVE: CVE-2023-22006, CVE-2023-22036, CVE-2023-22041, CVE-2023-22044, CVE-2023-22045, CVE-2023-22049, CVE-2023-25193

SuSE: SUSE-SU-2023:3023-1