SUSE SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2025:03120-1)

high Nessus Plugin ID 264462

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03120-1 advisory.

Update to version jdk8u462 (icedtea-3.36.0).

Security issues fixed:

- CVE-2025-30749: heap corruption allows unauthenticated attacker with network access to compromise and takeover Java applications that load and run untrusted code (bsc#1246595).
- CVE-2025-30754: incomplete handshake allows unauthenticated attacker with network access via TLS to gain unauthorized update, insert, delete and read access to sensitive data (bsc#1246598).
- CVE-2025-30761: issue in Scripting component allows unauthenticated attacker with network access to gain unauthorized creation, deletion or modification access to critical data (bsc#1246580).
- CVE-2025-50106: Glyph out-of-memory access allows unauthenticated attacker with network access to compromise and takeover Java applications that load and run untrusted code (bsc#1246584).

Other issues fixed:

- Import of OpenJDK 8 u462 build 08
- JDK-8026976: ECParameters, Point does not match field size.
- JDK-8071996: split_if accesses NULL region of ConstraintCast.
- JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names.
- JDK-8186787: clang-4.0 SIGSEGV in Unsafe_PutByte.
- JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken.
- JDK-8278472: Invalid value set to CANDIDATEFORM structure.
- JDK-8293107: GHA: Bump to Ubuntu 22.04.
- JDK-8303770: Remove Baltimore root certificate expiring in May 2025.
- JDK-8309841: Jarsigner should print a warning if an entry is removed.
- JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract.
- JDK-8345625: Better HTTP connections.
- JDK-8346887: DrawFocusRect() may cause an assertion failure.
- JDK-8349111: Enhance Swing supports.
- JDK-8350498: Remove two Camerfirma root CA certificates.
- JDK-8352716: (tz) Update Timezone Data to 2025b.
- JDK-8353433: XCG currency code not recognized in JDK 8u.
- JDK-8356096: ISO 4217 Amendment 179 Update.
- JDK-8359170: Add 2 TLS and 2 CS Sectigo roots.
- Backports
- JDK-8358538: Update GHA Windows runner to 2025.
- JDK-8354941: Build failure with glibc 2.42 due to uabs() name collision.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected java-1_8_0-openjdk, java-1_8_0-openjdk-demo, java-1_8_0-openjdk-devel and / or java-1_8_0-openjdk-headless packages.

See Also

https://bugzilla.suse.com/1246580

https://bugzilla.suse.com/1246584

https://bugzilla.suse.com/1246595

https://bugzilla.suse.com/1246598

https://bugzilla.suse.com/1246806

http://www.nessus.org/u?76b78e12

https://www.suse.com/security/cve/CVE-2025-30749

https://www.suse.com/security/cve/CVE-2025-30754

https://www.suse.com/security/cve/CVE-2025-30761

https://www.suse.com/security/cve/CVE-2025-50106

Plugin Details

Severity: High

ID: 264462

File Name: suse_SU-2025-03120-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/10/2025

Updated: 9/10/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-50106

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo, p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk, p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel, p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/9/2025

Vulnerability Publication Date: 7/15/2025

Reference Information

CVE: CVE-2025-30749, CVE-2025-30754, CVE-2025-30761, CVE-2025-50106

SuSE: SUSE-SU-2025:03120-1