SUSE-SU-2022:4290-1

Description of the patch:

This update for java-1_8_0-ibm fixes the following issues:

• CVE-2022-21626: An unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204471).

• CVE-2022-21618: An unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204468).

• CVE-2022-21619: An unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE (bsc#1204473).

• CVE-2022-21628: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204472).

• CVE-2022-21624: An unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise (bsc#1204475).

• CVE-2022-39399: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204480).

• Update to Java 8.0 Service Refresh 7 Fix Pack 20 [bsc#1205302]

  • Security:
    • The IBM ORB Does Not Support Object-Serialisation Data Filtering
    • Large Allocation In CipherSuite
    • Avoid Evaluating Sslalgorithmconstraints Twice
    • Cache The Results Of Constraint Checks
    • An incorrect ShortBufferException is thrown by IBMJCEPlus, IBMJCEPlusFIPS during cipher update operation
    • Disable SHA-1 Signed Jars For Ea
    • JSSE Performance Improvement
    • Oracle Road Map Kerberos Deprecation Of 3DES And RC4 Encryption
  • Java 8/Orb:
    • Upgrade ibmcfw.jar To Version o2228.02
  • Class Libraries:
    • Crash In Libjsor.So During An Rdma Failover
    • High CPU Consumption Observed In ZosEventPort$EventHandlerTask.run
    • Update Timezone Information To The Latest tzdata2022c
  • Jit Compiler:
    • Crash During JIT Compilation
    • Incorrect JIT Optimization Of Java Code
    • Incorrect Return From Class.isArray()
    • Unexpected ClassCastException...