Bug 1194232 – VUL-0: java-1_8_0-ibm, java-1_7_1-ibm, java-1_7_0-ibm: IBM Security Update November 2021

Bug 1194232 - VUL-0: java-1_8_0-ibm, java-1_7_1-ibm, java-1_7_0-ibm: IBM Security Update November 2021


Summary:	VUL-0: java-1_8_0-ibm, java-1_7_1-ibm, java-1_7_0-ibm: IBM Security Update No...

Status:	NEW
Duplicates:	1194198 (view as bug list)

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-01-03 12:19 UTC by Pedro Monreal Gonzalez
Modified:	2022-04-08 13:19 UTC (History)
CC List:	6 users (show)

See Also:	https://bugzilla.linux.ibm.com/show_bug.cgi?id=195754
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Pedro Monreal Gonzalez 2022-01-03 12:19:32 UTC

CVEs have been assigned, see the CVEs and version where this was fixed. For more info, see:
  * https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities

* IBM Security Update November 2021:
CVE-2021-41035   7.0.11.0   7.1.5.0   8.0.7.0

* Oracle October 19 2021 CPU:
CVE-2021-35586   7.0.11.0   7.1.5.0
CVE-2021-35564   7.0.11.0   7.1.5.0
CVE-2021-35559   7.0.11.0   7.1.5.0
CVE-2021-35556   7.0.11.0   7.1.5.0
CVE-2021-35565   7.0.11.0   7.1.5.0
CVE-2021-35588   7.0.11.0   7.1.5.0

* Oracle July 20 2021 CPU:
CVE-2021-2388   7.0.10.90
CVE-2021-2369   7.0.10.90   7.1.4.90   8.0.6.35
CVE-2021-2432   7.0.10.90   7.1.4.90
CVE-2021-2341   7.0.11.0    7.1.5.0    8.0.6.35

* Oracle April 20 2021 CPU:
CVE-2021-2161   7.0.10.85   7.1.4.85   8.0.6.30

Comment 1 Pedro Monreal Gonzalez 2022-01-03 12:57:48 UTC

I'll prepare submissions for:

 * java-1_8_0-ibm: 8.0-7.0
 * java-1_7_1-ibm: 7.1.5.0
 * java-1_7_0-ibm:

Comment 3 Pedro Monreal Gonzalez 2022-01-03 16:33:13 UTC

Updated table:

* IBM Security Update November 2021:
CVE-2021-41035   7.0.11.0   7.1.5.0   8.0.7.0

* Oracle October 19 2021 CPU:
CVE-2021-35560   8.0.7.0
CVE-2021-35578   8.0.7.0
CVE-2021-35586   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35564   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35559   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35556   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35565   7.0.11.0   7.1.5.0   8.0.7.0
CVE-2021-35588   7.0.11.0   7.1.5.0   8.0.7.0

* Oracle July 20 2021 CPU:
CVE-2021-2388   7.0.10.90
CVE-2021-2369   7.0.10.90   7.1.4.90   8.0.6.35
CVE-2021-2432   7.0.10.90   7.1.4.90
CVE-2021-2341   7.0.11.0    7.1.5.0    8.0.6.35

* Oracle April 20 2021 CPU:
CVE-2021-2161   7.0.10.85   7.1.4.85   8.0.6.30

I'll prepare submissions for:

 * java-1_8_0-ibm: 8.0-7.0
 * java-1_7_1-ibm: 7.1.5.0
 * java-1_7_0-ibm: 7.0.11.0

Comment 6 Thomas Staudt 2022-01-04 07:22:59 UTC

Removing Hanns, who has retired, and adding Gery.
I'll mirror this to IBM for documentation.

Comment 7 Pedro Monreal Gonzalez 2022-01-04 08:15:04 UTC

(In reply to Thomas Staudt from comment #6)
> Removing Hanns, who has retired, and adding Gery.
> I'll mirror this to IBM for documentation.

Thanks, Thomas! From now on, I'll add you and Gery in CC for IBM Java updates.

Comment 15 LTC BugProxy 2022-01-05 15:45:49 UTC

*** Bug 1194198 has been marked as a duplicate of this bug. ***

trying to make this public..

Comment 16 Yan Huang 2022-01-05 15:48:15 UTC

(In reply to LTC BugProxy from comment #15)
> *** Bug 1194198 has been marked as a duplicate of this bug. ***
> 
> trying to make this public..

bsc#1194232 should be publicly accessible now.

Comment 18 Yan Huang 2022-01-06 11:36:17 UTC

(In reply to Yan Huang from comment #16)
> (In reply to LTC BugProxy from comment #15)
> > *** Bug 1194198 has been marked as a duplicate of this bug. ***
> > 
> > trying to make this public..
> 
> bsc#1194232 should be publicly accessible now.

The other bsc#1194198 is an internal ticket and should stay private.

Comment 19 Yan Huang 2022-01-06 11:39:00 UTC

Shouldn't this bsc#1194232 (for java-*-ibm) be mentioned at https://www.suse.com/security/cve/CVE-2021-41035.html
?

The page currently mentions only bsc#1192052 (for java-*-openj9).

Comment 20 Marcus Meissner 2022-01-06 13:46:43 UTC

i will cross ref the bug there.

Comment 22 Swamp Workflow Management 2022-01-18 14:21:53 UTC

SUSE-SU-2022:0107-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE OpenStack Cloud Crowbar 8 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE OpenStack Cloud 9 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE OpenStack Cloud 8 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1
HPE Helion Openstack 8 (src):    java-1_8_0-ibm-1.8.0_sr7.0-30.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Swamp Workflow Management 2022-01-18 14:24:13 UTC

openSUSE-SU-2022:0108-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1

Comment 24 Swamp Workflow Management 2022-01-18 14:29:25 UTC

SUSE-SU-2022:0108-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Manager Retail Branch Server 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Manager Proxy 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server for SAP 15 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Server 15-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Enterprise Storage 7 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE Enterprise Storage 6 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE CaaS Platform 4.5 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1
SUSE CaaS Platform 4.0 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Swamp Workflow Management 2022-01-18 14:33:06 UTC

SUSE-SU-2022:14875-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1185055,1188564,1188565,1188568,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-2432,CVE-2021-35556,CVE-2021-35559,CVE-2021-35564,CVE-2021-35565,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.0-26.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 26 Swamp Workflow Management 2022-01-18 17:28:11 UTC

SUSE-SU-2022:14876-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1185055,1188564,1188565,1188566,1188568,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388,CVE-2021-2432,CVE-2021-35556,CVE-2021-35559,CVE-2021-35564,CVE-2021-35565,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    java-1_7_0-ibm-1.7.0_sr11.0-65.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 27 Swamp Workflow Management 2022-01-24 20:21:25 UTC

SUSE-SU-2022:0166-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1185055,1188564,1188565,1188568,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-2432,CVE-2021-35556,CVE-2021-35559,CVE-2021-35564,CVE-2021-35565,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE OpenStack Cloud Crowbar 8 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE OpenStack Cloud 9 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE OpenStack Cloud 8 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1
HPE Helion Openstack 8 (src):    java-1_7_1-ibm-1.7.1_sr5.0-38.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 28 Swamp Workflow Management 2022-04-08 13:19:06 UTC

openSUSE-SU-2022:0108-1: An update that solves 12 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1185055,1188564,1188565,1191902,1191904,1191905,1191909,1191910,1191911,1191913,1191914,1192052,1194198,1194232,1197518
CVE References: CVE-2021-2163,CVE-2021-2341,CVE-2021-2369,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-41035
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    java-1_8_0-ibm-1.8.0_sr7.0-3.53.1, seamonkey-2.53.11.1-lp153.17.5.1