Bug 1194232

Summary: VUL-0: java-1_8_0-ibm, java-1_7_1-ibm, java-1_7_0-ibm: IBM Security Update November 2021
Product: [Novell Products] SUSE Security Incidents
Reporter: Pedro Monreal Gonzalez <pmonrealgonzalez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gery.schneider, meissner, pmonrealgonzalez, rfrohl, tstaudt, yan.huang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.linux.ibm.com/show_bug.cgi?id=195754
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Pedro Monreal Gonzalez 2022-01-03 12:19:32 UTC
CVEs have been assigned, see the CVEs and version where this was fixed. For more info, see:
  * https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities

* IBM Security Update November 2021:
CVE-2021-41035   7.0.11.0   7.1.5.0   8.0.7.0

* Oracle October 19 2021 CPU:
CVE-2021-35586   7.0.11.0   7.1.5.0
CVE-2021-35564   7.0.11.0   7.1.5.0
CVE-2021-35559   7.0.11.0   7.1.5.0
CVE-2021-35556   7.0.11.0   7.1.5.0
CVE-2021-35565   7.0.11.0   7.1.5.0
CVE-2021-35588   7.0.11.0   7.1.5.0

* Oracle July 20 2021 CPU:
CVE-2021-2388   7.0.10.90
CVE-2021-2369   7.0.10.90   7.1.4.90   8.0.6.35
CVE-2021-2432   7.0.10.90   7.1.4.90
CVE-2021-2341   7.0.11.0    7.1.5.0    8.0.6.35

* Oracle April 20 2021 CPU:
CVE-2021-2161   7.0.10.85   7.1.4.85   8.0.6.30
Comment 1 Pedro Monreal Gonzalez 2022-01-03 12:57:48 UTC
I'll prepare submissions for:

 * java-1_8_0-ibm: 8.0-7.0
 * java-1_7_1-ibm: 7.1.5.0
 * java-1_7_0-ibm:
Comment 3 Pedro Monreal Gonzalez 2022-01-03 16:33:13 UTC
Updated table:

* IBM Security Update November 2021:
CVE-2021-41035   7.0.11.0   7.1.5.0   8.0.7.0

* Oracle October 19 2021 CPU:
CVE-2021-35560   8.0.7.0
CVE-2021-35578   8.0.7.0
CVE-2021-35586   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35564   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35559   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35556   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35565   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35588   7.0.11.0   7.1.5.0   8.0.7.0

* Oracle July 20 2021 CPU:
CVE-2021-2388   7.0.10.90
CVE-2021-2369   7.0.10.90   7.1.4.90   8.0.6.35
CVE-2021-2432   7.0.10.90   7.1.4.90
CVE-2021-2341   7.0.11.0    7.1.5.0    8.0.6.35

* Oracle April 20 2021 CPU:
CVE-2021-2161   7.0.10.85   7.1.4.85   8.0.6.30

I'll prepare submissions for:

 * java-1_8_0-ibm: 8.0-7.0
 * java-1_7_1-ibm: 7.1.5.0
 * java-1_7_0-ibm: 7.0.11.0
Comment 6 Thomas Staudt 2022-01-04 07:22:59 UTC
Removing Hanns, who has retired, and adding Gery.
I'll mirror this to IBM for documentation.
Comment 7 Pedro Monreal Gonzalez 2022-01-04 08:15:04 UTC
(In reply to Thomas Staudt from comment #6)
> Removing Hanns, who has retired, and adding Gery.
> I'll mirror this to IBM for documentation.

Thanks, Thomas! From now on, I'll add you and Gery in CC for IBM Java updates.
Comment 15 LTC BugProxy 2022-01-05 15:45:49 UTC
*** Bug 1194198 has been marked as a duplicate of this bug. ***

trying to make this public..
Comment 16 Yan Huang 2022-01-05 15:48:15 UTC
(In reply to LTC BugProxy from comment #15)
> *** Bug 1194198 has been marked as a duplicate of this bug. ***
> 
> trying to make this public..

bsc#1194232 should be publicly accessible now.
Comment 18 Yan Huang 2022-01-06 11:36:17 UTC
(In reply to Yan Huang from comment #16)
> (In reply to LTC BugProxy from comment #15)
> > *** Bug 1194198 has been marked as a duplicate of this bug. ***
> > 
> > trying to make this public..
> 
> bsc#1194232 should be publicly accessible now.

The other bsc#1194198 is an internal ticket and should stay private.
Comment 19 Yan Huang 2022-01-06 11:39:00 UTC
Shouldn't this bsc#1194232 (for java-*-ibm) be mentioned at https://www.suse.com/security/cve/CVE-2021-41035.html
?

The page currently mentions only bsc#1192052 (for java-*-openj9).
Comment 20 Marcus Meissner 2022-01-06 13:46:43 UTC
I will cross ref the bug there.
Comment 22 Swamp Workflow Management 2022-01-18 14:21:53 UTC
SUSE-SU-2022:0107-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE OpenStack Cloud Crowbar 8 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE OpenStack Cloud 9 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE OpenStack Cloud 8 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
HPE Helion Openstack 8 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2022-01-18 14:24:13 UTC
openSUSE-SU-2022:0108-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
Comment 24 Swamp Workflow Management 2022-01-18 14:29:25 UTC
SUSE-SU-2022:0108-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Manager Retail Branch Server 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Manager Proxy 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server for SAP 15 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Enterprise Storage 7 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Enterprise Storage 6 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE CaaS Platform 4.5 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE CaaS Platform 4.0 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1

Comment 25 Swamp Workflow Management 2022-01-18 14:33:06 UTC
SUSE-SU-2022:14875-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1185055,1188564,1188565,1188568,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-2432,CVE-2021-35556,CVE-2021-35559,CVE-2021-35564,CVE-2021-35565,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.0-26.68.1

Comment 26 Swamp Workflow Management 2022-01-18 17:28:11 UTC
SUSE-SU-2022:14876-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1185055,1188564,1188565,1188566,1188568,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388,CVE-2021-2432,CVE-2021-35556,CVE-2021-35559,CVE-2021-35564,CVE-2021-35565,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    java-1_7_0-ibm-1.7.0_sr11.0-65.63.1

Comment 27 Swamp Workflow Management 2022-01-24 20:21:25 UTC
SUSE-SU-2022:0166-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1185055,1188564,1188565,1188568,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-2432,CVE-2021-35556,CVE-2021-35559,CVE-2021-35564,CVE-2021-35565,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE OpenStack Cloud Crowbar 8 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE OpenStack Cloud 9 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE OpenStack Cloud 8 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
HPE Helion Openstack 8 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1

Comment 28 Swamp Workflow Management 2022-04-08 13:19:06 UTC
openSUSE-SU-2022:0108-1: An update that solves 12 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232,1197518
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1, seamonkey-2.53.11.1-lp153.17.5.1