<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for java-11-openjdk</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2024:1452-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2024-04-26T14:40:10Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-04-26T14:40:10Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-04-26T14:40:10Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for java-11-openjdk</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for java-11-openjdk fixes the following issues:

- CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
- CVE-2024-21012: Fixed unauthorized data modification due to HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
- CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
- CVE-2024-21085: Fixed denial of service due to Pack200 excessive memory allocation (JDK-8322114,bsc#1222984)
- CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)

Other fixes:
- Upgrade to upstream tag jdk-11.0.23+9 (April 2024 CPU)
  * Security fixes
    + JDK-8318340: Improve RSA key implementations
  * Other changes
    + JDK-6928542: Chinese characters in RTF are not decoded
    + JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/
      /bug4517214.java fails on MacOS
    + JDK-7148092: [macosx] When Alt+down arrow key is pressed,
      the combobox popup does not appear.
    + JDK-8054022: HttpURLConnection timeouts with Expect:
      100-Continue and no chunking
    + JDK-8054572: [macosx] JComboBox paints the border incorrectly
    + JDK-8058176: [mlvm] tests should not allow code cache
      exhaustion
    + JDK-8067651: LevelTransitionTest.java, fix trivial methods
      levels logic
    + JDK-8068225: nsk/jdi/EventQueue/remove_l/remove_l005
      intermittently times out
    + JDK-8156889: ListKeychainStore.sh fails in some virtualized
      environments
    + JDK-8166275: vm/mlvm/meth/stress/compiler/deoptimize keeps
      timeouting
    + JDK-8166554: Avoid compilation blocking in
      OverloadCompileQueueTest.java
    + JDK-8169475: WheelModifier.java fails by timeout
    + JDK-8180266: Convert sun/security/provider/KeyStore/DKSTest.sh
      to Java Jtreg Test
    + JDK-8186610: move ModuleUtils to top-level testlibrary
    + JDK-8192864: defmeth tests can hide failures
    + JDK-8193543: Regression automated test '/open/test/jdk/java/
      /awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java'
      fails
    + JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/
      /isexceeded001/TestDescription.java still failing
    + JDK-8202282: [TESTBUG] appcds TestCommon
      .makeCommandLineForAppCDS() can be removed
    + JDK-8202790: DnD test DisposeFrameOnDragTest.java does not
      clean up
    + JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/
      /ChoicePopupLocation.java fails
    + JDK-8207211: [TESTBUG] Remove excessive output from
      CDS/AppCDS tests
    + JDK-8207214: Broken links in JDK API serialized-form page
    + JDK-8207855: Make applications/jcstress invoke tests in
      batches
    + JDK-8208243: vmTestbase/gc/lock/jni/jnilock002/
      /TestDescription.java fails in jdk/hs nightly
    + JDK-8208278: [mlvm] [TESTBUG] vm.mlvm.mixed.stress.java
      .findDeadlock.INDIFY_Test Deadlocked threads are not always
      detected
    + JDK-8208623: [TESTBUG] runtime/LoadClass/LongBCP.java fails
      in AUFS file system
    + JDK-8208699: remove unneeded imports from runtime tests
    + JDK-8208704: runtime/appcds/MultiReleaseJars.java timed out
      often in hs-tier7 testing
    + JDK-8208705: [TESTBUG] The -Xlog:cds,cds+hashtables vm option
      is not always required for appcds tests
    + JDK-8209549: remove VMPropsExt from TEST.ROOT
    + JDK-8209595: MonitorVmStartTerminate.java timed out
    + JDK-8209946: [TESTBUG] CDS tests should use '@run driver'
    + JDK-8211438: [Testbug] runtime/XCheckJniJsig/XCheckJSig.java
      looks for libjsig in wrong location
    + JDK-8211978: Move testlibrary/jdk/testlibrary/
      /SimpleSSLContext.java and testkeys to network testlibrary
    + JDK-8213622: Windows VS2013 build failure - ''snprintf':
      identifier not found'
    + JDK-8213926: WB_EnqueueInitializerForCompilation requests
      compilation for NULL
    + JDK-8213927: G1 ignores AlwaysPreTouch when
      UseTransparentHugePages is enabled
    + JDK-8214908: add ctw tests for jdk.jfr and jdk.management.jfr
      modules
    + JDK-8214915: CtwRunner misses export for jdk.internal.access
    + JDK-8216408: XMLStreamWriter setDefaultNamespace(null) throws
      NullPointerException
    + JDK-8217475: Unexpected StackOverflowError in 'process
      reaper' thread
    + JDK-8218754: JDK-8068225 regression in JDIBreakpointTest
    + JDK-8219475: javap man page needs to be updated
    + JDK-8219585: [TESTBUG] sun/management/jmxremote/bootstrap/
      /JMXInterfaceBindingTest.java passes trivially when it
      shouldn't
    + JDK-8219612: [TESTBUG] compiler.codecache.stress.Helper
      .TestCaseImpl can't be defined in different runtime package as
      its nest host
    + JDK-8225471: Test utility jdk.test.lib.util.FileUtils
      .areAllMountPointsAccessible needs to tolerate duplicates
    + JDK-8226706: (se) Reduce the number of outer loop iterations
      on Windows in java/nio/channels/Selector/RacyDeregister.java
    + JDK-8226905: unproblem list applications/ctw/modules/* tests
      on windows
    + JDK-8226910: make it possible to use jtreg's -match via
      run-test framework
    + JDK-8227438: [TESTLIB] Determine if file exists by
      Files.exists in function FileUtils.deleteFileIfExistsWithRetry
    + JDK-8231585: java/lang/management/ThreadMXBean/
      /MaxDepthForThreadInfoTest.java fails with
      java.lang.NullPointerException
    + JDK-8232839: JDI AfterThreadDeathTest.java failed due to
      'FAILED: Did not get expected IllegalThreadStateException on a
      StepRequest.enable()'
    + JDK-8233453: MLVM deoptimize stress test timed out
    + JDK-8234309: LFGarbageCollectedTest.java fails with parse
      Exception
    + JDK-8237222: [macos] java/awt/Focus/UnaccessibleChoice/
      /AccessibleChoiceTest.java fails
    + JDK-8237777: 'Dumping core ...' is shown despite claiming
      that '# No core dump will be written.'
    + JDK-8237834: com/sun/jndi/ldap/LdapDnsProviderTest.java
      failing with LDAP response read timeout
    + JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
    + JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/
      /AccessibleChoiceTest.java fails
    + JDK-8244679: JVM/TI GetCurrentContendedMonitor/contmon001
      failed due to '(IsSameObject#3) unexpected monitor object:
      0x000000562336DBA8'
    + JDK-8246222: Rename javac test T6395981.java to be more
      informative
    + JDK-8247818: GCC 10 warning stringop-overflow with symbol code
    + JDK-8249087: Always initialize _body[0..1] in Symbol
      constructor
    + JDK-8251349: Add TestCaseImpl to
      OverloadCompileQueueTest.java's build dependencies
    + JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/
      /btree010.java fails with ClassNotFoundException:
      nsk.sysdict.share.BTree0LLRLRLRRLR
    + JDK-8253543: sanity/client/SwingSet/src/
      /ButtonDemoScreenshotTest.java failed with 'AssertionError:
      All pixels are not black'
    + JDK-8253739: java/awt/image/MultiResolutionImage/
      /MultiResolutionImageObserverTest.java fails
    + JDK-8253820: Save test images and dumps with timestamps from
      client sanity suite
    + JDK-8255277: randomDelay in DrainDeadlockT and
      LoggingDeadlock do not randomly delay
    + JDK-8255546: Missing coverage for
      javax.smartcardio.CardPermission and ResponseAPDU
    + JDK-8255743: Relax SIGFPE match in
      runtime/ErrorHandling/SecondaryErrorTest.java
    + JDK-8257505: nsk/share/test/StressOptions stressTime is
      scaled in getter but not when printed
    + JDK-8259801: Enable XML Signature secure validation mode by
      default
    + JDK-8264135: UnsafeGetStableArrayElement should account for
      different JIT implementation details
    + JDK-8265349: vmTestbase/../stress/compiler/deoptimize/
      /Test.java fails with OOME due to CodeCache exhaustion.
    + JDK-8269025: jsig/Testjsig.java doesn't check exit code
    + JDK-8269077: TestSystemGC uses 'require vm.gc.G1' for large
      pages subtest
    + JDK-8271094: runtime/duplAttributes/DuplAttributesTest.java
      doesn't check exit code
    + JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java
      doesn't check exit code
    + JDK-8271828: mark hotspot runtime/classFileParserBug tests
      which ignore external VM flags
    + JDK-8271829: mark hotspot runtime/Throwable tests which
      ignore external VM flags
    + JDK-8271890: mark hotspot runtime/Dictionary tests which
      ignore external VM flags
    + JDK-8272291: mark hotspot runtime/logging tests which ignore
      external VM flags
    + JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't
      check exit codes
    + JDK-8272551: mark hotspot runtime/modules tests which ignore
      external VM flags
    + JDK-8272552: mark hotspot runtime/cds tests which ignore
      external VM flags
    + JDK-8273803: Zero: Handle 'zero' variant in
      CommandLineOptionTest.java
    + JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java
      fails in Windows 11
    + JDK-8274621: NullPointerException because listenAddress[0] is
      null
    + JDK-8276796: gc/TestSystemGC.java large pages subtest fails
      with ZGC
    + JDK-8280007: Enable Neoverse N1 optimizations for Arm
      Neoverse V1 &amp; N2
    + JDK-8281149: (fs) java/nio/file/FileStore/Basic.java fails
      with java.lang.RuntimeException: values differ by more than
      1GB
    + JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/
      /ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java
      from problemlist.
    + JDK-8281717: Cover logout method for several LoginModule
    + JDK-8282665: [REDO] ByteBufferTest.java: replace endless
      recursion with RuntimeException in void ck(double x, double y)
    + JDK-8284090: com/sun/security/auth/module/AllPlatforms.java
      fails to compile
    + JDK-8285756: clean up use of bad arguments for `@clean` in
      langtools tests
    + JDK-8285785: CheckCleanerBound test fails with
      PasswordCallback object is not released
    + JDK-8285867: Convert applet manual tests
      SelectionVisible.java to Frame and automate
    + JDK-8286846: test/jdk/javax/swing/plaf/aqua/
      /CustomComboBoxFocusTest.java fails on mac aarch64
    + JDK-8286969: Add a new test library API to execute kinit in
      SecurityTools.java
    + JDK-8287113: JFR: Periodic task thread uses period for method
      sampling events
    + JDK-8289511: Improve test coverage for XPath Axes: child
    + JDK-8289764: gc/lock tests failed with 'OutOfMemoryError:
      Java heap space: failed reallocation of scalar replaced
      objects'
    + JDK-8289948: Improve test coverage for XPath functions: Node
      Set Functions
    + JDK-8290399: [macos] Aqua LAF does not fire an action event
      if combo box menu is displayed
    + JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests
      failed with 'isUsageThresholdExceeded() returned false, and is
      still false, while threshold = MMMMMMM and used peak = NNNNNNN'
    + JDK-8292182: [TESTLIB] Enhance JAXPPolicyManager to setup
      required permissions for jtreg version 7 jar
    + JDK-8292946: GC lock/jni/jnilock001 test failed
      'assert(gch-&gt;gc_cause() == GCCause::_scavenge_alot ||
      !gch-&gt;incremental_collection_failed()) failed: Twice in a row'
    + JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed
      with 'RuntimeException: Retrieved backing PlatformLogger level
      null is not the expected CONFIG'
    + JDK-8294158: HTML formatting for PassFailJFrame instructions
    + JDK-8294254: [macOS] javax/swing/plaf/aqua/
      /CustomComboBoxFocusTest.java failure
    + JDK-8294402: Add diagnostic logging to
      VMProps.checkDockerSupport
    + JDK-8294535: Add screen capture functionality to
      PassFailJFrame
    + JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails
      intermittently on a VM
    + JDK-8296384: [TESTBUG] sun/security/provider/SecureRandom/
      /AbstractDrbg/SpecTest.java intermittently timeout
    + JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java
      failed: ExceptionInInitializerError: target class not found
    + JDK-8300269: The selected item in an editable JComboBox with
      titled border is not visible in Aqua LAF
    + JDK-8300727: java/awt/List/ListGarbageCollectionTest/
      /AwtListGarbageCollectionTest.java failed with 'List wasn't
      garbage collected'
    + JDK-8301310: The SendRawSysexMessage test may cause a JVM
      crash
    + JDK-8301377: adjust timeout for JLI
      GetObjectSizeIntrinsicsTest.java subtest again
    + JDK-8301846: Invalid TargetDataLine after screen lock when
      using JFileChooser or COM library
    + JDK-8302017: Allocate BadPaddingException only if it will be
      thrown
    + JDK-8302109: Trivial fixes to btree tests
    + JDK-8302149: Speed up
      compiler/jsr292/methodHandleExceptions/TestAMEnotNPE.java
    + JDK-8302607: increase timeout for
      ContinuousCallSiteTargetChange.java
    + JDK-8304074: [JMX] Add an approximation of total bytes
      allocated on the Java heap by the JVM
    + JDK-8304314: StackWalkTest.java fails after CODETOOLS-7903373
    + JDK-8304725: AsyncGetCallTrace can cause SIGBUS on M1
    + JDK-8305502: adjust timeouts in three more M&amp;M tests
    + JDK-8305505: NPE in javazic compiler
    + JDK-8305972: Update XML Security for Java to 3.0.2
    + JDK-8306072: Open source several AWT MouseInfo related tests
    + JDK-8306076: Open source AWT misc tests
    + JDK-8306409: Open source AWT KeyBoardFocusManger,
      LightWeightComponent related tests
    + JDK-8306640: Open source several AWT TextArea related tests
    + JDK-8306652: Open source AWT MenuItem related tests
    + JDK-8306681: Open source more AWT DnD related tests
    + JDK-8306683: Open source several clipboard and color AWT tests
    + JDK-8306752: Open source several container and component AWT
      tests
    + JDK-8306753: Open source several container AWT tests
    + JDK-8306755: Open source few Swing JComponent and
      AbstractButton tests
    + JDK-8306812: Open source several AWT Miscellaneous tests
    + JDK-8306871: Open source more AWT Drag &amp; Drop tests
    + JDK-8306996: Open source Swing MenuItem related tests
    + JDK-8307123: Fix deprecation warnings in DPrinter
    + JDK-8307130: Open source few Swing JMenu tests
    + JDK-8307299: Move more DnD tests to open
    + JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing
      JTableHeader tests
    + JDK-8307381: Open Source JFrame, JIF related Swing Tests
    + JDK-8307683: Loop Predication should not hoist range checks
      with trap on success projection by negating their condition
    + JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC
      while allocating
    + JDK-8308116: jdk.test.lib.compiler.InMemoryJavaCompiler
      .compile does not close files
    + JDK-8308223: failure handler missed jcmd.vm.info command
    + JDK-8308232: nsk/jdb tests don't pass -verbose flag to the
      debuggee
    + JDK-8308245: Add -proc:full to describe current default
      annotation processing policy
    + JDK-8308336: Test java/net/HttpURLConnection/
      /HttpURLConnectionExpectContinueTest.java failed:
      java.net.BindException: Address already in use
    + JDK-8309104: [JVMCI] compiler/unsafe/
      /UnsafeGetStableArrayElement test asserts wrong values with
      Graal
    + JDK-8309119: [17u/11u] Redo JDK-8297951: C2: Create skeleton
      predicates for all If nodes in loop predication
    + JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/
      /agentthr001/TestDescription.java crashing due to empty while
      loop
    + JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when
      using second test directory
    + JDK-8309870: Using -proc:full should be considered requesting
      explicit annotation processing
    + JDK-8310106: sun.security.ssl.SSLHandshake
      .getHandshakeProducer() incorrectly checks handshakeConsumers
    + JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/
      /bug6889007.java fails
    + JDK-8310551: vmTestbase/nsk/jdb/interrupt/interrupt001/
      /interrupt001.java timed out due to missing prompt
    + JDK-8310807: java/nio/channels/DatagramChannel/Connect.java
      timed out
    + JDK-8311081: KeytoolReaderP12Test.java fail on localized
      Windows platform
    + JDK-8311511: Improve description of NativeLibrary JFR event
    + JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java
    + JDK-8313081: MonitoringSupport_lock should be unconditionally
      initialized after 8304074
    + JDK-8313082: Enable CreateCoredumpOnCrash for testing in
      makefiles
    + JDK-8313164: src/java.desktop/windows/native/libawt/windows/
      /awt_Robot.cpp GetRGBPixels adjust releasing of resources
    + JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground
      release resources in early returns
    + JDK-8313643: Update HarfBuzz to 8.2.2
    + JDK-8313816: Accessing jmethodID might lead to spurious
      crashes
    + JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to
      extra concurrent mark with -Xcomp
    + JDK-8314164: java/net/HttpURLConnection/
      /HttpURLConnectionExpectContinueTest.java fails intermittently
      in timeout
    + JDK-8314883:
      Java_java_util_prefs_FileSystemPreferences_lockFile0 write
      result errno in missing case
    + JDK-8315034: File.mkdirs() occasionally fails to create
      folders on Windows shared folder
    + JDK-8315042: NPE in PKCS7.parseOldSignedData
    + JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some
      cases
    + JDK-8315499: build using devkit on Linux ppc64le RHEL puts
      path to devkit into libsplashscreen
    + JDK-8315594: Open source few headless Swing misc tests
    + JDK-8315600: Open source few more headless Swing misc tests
    + JDK-8315602: Open source swing security manager test
    + JDK-8315606: Open source few swing text/html tests
    + JDK-8315611: Open source swing text/html and tree test
    + JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should
      run with -Xbatch
    + JDK-8315731: Open source several Swing Text related tests
    + JDK-8315761: Open source few swing JList and JMenuBar tests
    + JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/
      /bug4654927.java: component must be showing on the screen to
      determine its location
    + JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use
      createTestJvm
    + JDK-8316028: Update FreeType to 2.13.2
    + JDK-8316030: Update Libpng to 1.6.40
    + JDK-8316106: Open source few swing JInternalFrame and
      JMenuBar tests
    + JDK-8316461: Fix: make test outputs TEST SUCCESS after
      unsuccessful exit
    + JDK-8316947: Write a test to check textArea triggers
      MouseEntered/MouseExited events properly
    + JDK-8317307: test/jdk/com/sun/jndi/ldap/
      /LdapPoolTimeoutTest.java fails with ConnectException:
      Connection timed out: no further information
    + JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js
    + JDK-8318154: Improve stability of WheelModifier.java test
    + JDK-8318410: jdk/java/lang/instrument/BootClassPath/
      /BootClassPathTest.sh fails on Japanese Windows
    + JDK-8318468: compiler/tiered/LevelTransitionTest.java fails
      with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1
    + JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java
    + JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni
      tests
    + JDK-8318608: Enable parallelism in
      vmTestbase/nsk/stress/threads tests
    + JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with
      'transport error 202: bind failed: Address already in use'
    + JDK-8318889: C2: add bailout after assert Bad graph detected
      in build_loop_late
    + JDK-8318951: Additional negative value check in JPEG decoding
    + JDK-8318955: Add ReleaseIntArrayElements in
      Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to
      early return
    + JDK-8318971: Better Error Handling for Jar Tool When
      Processing Non-existent Files
    + JDK-8318983: Fix comment typo in PKCS12Passwd.java
    + JDK-8319124: Update XML Security for Java to 3.0.3
    + JDK-8319456: jdk/jfr/event/gc/collection/
      /TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker
      Initiated GC' not in the valid causes
    + JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh
    + JDK-8320001: javac crashes while adding type annotations to
      the return type of a constructor
    + JDK-8320208: Update Public Suffix List to b5bf572
    + JDK-8320363: ppc64 TypeEntries::type_unknown logic looks
      wrong, missed optimization opportunity
    + JDK-8320597: RSA signature verification fails on signed data
      that does not encode params correctly
    + JDK-8320798: Console read line with zero out should zero out
      underlying buffer
    + JDK-8320884: Bump update version for OpenJDK: jdk-11.0.23
    + JDK-8320937: support latest VS2022 MSC_VER in
      abstract_vm_version.cpp
    + JDK-8321151: JDK-8294427 breaks Windows L&amp;F on all older
      Windows versions
    + JDK-8321215: Incorrect x86 instruction encoding for VSIB
      addressing mode
    + JDK-8321408: Add Certainly roots R1 and E1
    + JDK-8321480: ISO 4217 Amendment 176 Update
    + JDK-8322178: Error. can't find jdk.testlibrary
      .SimpleSSLContext in test directory or libraries
    + JDK-8322417: Console read line with zero out should zero out
      when throwing exception
    + JDK-8322725: (tz) Update Timezone Data to 2023d
    + JDK-8322750: Test 'api/java_awt/interactive/
      /SystemTrayTests.html' failed because A blue ball icon is
      added outside of the system tray
    + JDK-8322752: [11u] GetStackTraceAndRetransformTest.java is
      failing assert
    + JDK-8322772: Clean up code after JDK-8322417
    + JDK-8323008: filter out harmful -std* flags added by autoconf
      from CXX
    + JDK-8323243: JNI invocation of an abstract instance method
      corrupts the stack
    + JDK-8323515: Create test alias 'all' for all test roots
    + JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/
      /platform/docker/TestDockerMemoryMetrics.java always fail
      because OOM killed
    + JDK-8324184: Windows VS2010 build failed with 'error C2275:
      'int64_t''
    + JDK-8324307: [11u] hotspot fails to build with GCC 12 and
      newer (non-static data member initializers)
    + JDK-8324347: Enable 'maybe-uninitialized' warning for
      FreeType 2.13.1
    + JDK-8324659: GHA: Generic jtreg errors are not reported
    + JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/
      /AKISerialNumber.java is failing
    + JDK-8325150: (tz) Update Timezone Data to 2024a
    + JDK-8326109: GCC 13 reports maybe-uninitialized warnings for
      jni.cpp with dtrace enabled
    + JDK-8326503: [11u] java/net/HttpURLConnection/
      /HttpURLConnectionExpectContinueTest.java fail because of
      package org.junit.jupiter.api does not exist
    + JDK-8327391: Add SipHash attribution file
    + JDK-8329837: [11u] Remove designator
      DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.23

- Removed the possibility to use the system timezone-java (bsc#1213470).

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-2024-1452,SUSE-SLE-SERVER-12-SP5-2024-1452</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241452-1/</URL>
      <Description>Link for SUSE-SU-2024:1452-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-updates/2024-April/035111.html</URL>
      <Description>E-Mail link for SUSE-SU-2024:1452-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1213470</URL>
      <Description>SUSE Bug 1213470</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1222979</URL>
      <Description>SUSE Bug 1222979</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1222983</URL>
      <Description>SUSE Bug 1222983</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1222984</URL>
      <Description>SUSE Bug 1222984</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1222986</URL>
      <Description>SUSE Bug 1222986</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1222987</URL>
      <Description>SUSE Bug 1222987</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-21011/</URL>
      <Description>SUSE CVE CVE-2024-21011 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-21012/</URL>
      <Description>SUSE CVE CVE-2024-21012 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-21068/</URL>
      <Description>SUSE CVE CVE-2024-21068 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-21085/</URL>
      <Description>SUSE CVE CVE-2024-21085 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-21094/</URL>
      <Description>SUSE CVE CVE-2024-21094 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Server 12 SP5">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Server 12 SP5">
        <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5" CPE="cpe:/o:suse:sles:12:sp5">SUSE Linux Enterprise Server 12 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
        <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5" CPE="cpe:/o:suse:sles_sap:12:sp5">SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-11.0.23.0-3.75.1">java-11-openjdk-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-demo-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-demo-11.0.23.0-3.75.1">java-11-openjdk-demo-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-devel-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-devel-11.0.23.0-3.75.1">java-11-openjdk-devel-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-headless-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-headless-11.0.23.0-3.75.1">java-11-openjdk-headless-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-javadoc-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-javadoc-11.0.23.0-3.75.1">java-11-openjdk-javadoc-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-jmods-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-jmods-11.0.23.0-3.75.1">java-11-openjdk-jmods-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="java-11-openjdk-src-11.0.23.0-3.75.1">
      <FullProductName ProductID="java-11-openjdk-src-11.0.23.0-3.75.1">java-11-openjdk-src-11.0.23.0-3.75.1</FullProductName>
    </Branch>
    <Relationship ProductReference="java-11-openjdk-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-11.0.23.0-3.75.1">java-11-openjdk-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-demo-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1">java-11-openjdk-demo-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-devel-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1">java-11-openjdk-devel-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-headless-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1">java-11-openjdk-headless-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-11.0.23.0-3.75.1">java-11-openjdk-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-demo-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1">java-11-openjdk-demo-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-devel-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1">java-11-openjdk-devel-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="java-11-openjdk-headless-11.0.23.0-3.75.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1">java-11-openjdk-headless-11.0.23.0-3.75.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).</Note>
    </Notes>
    <CVE>CVE-2024-21011</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241452-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-21011.html</URL>
        <Description>CVE-2024-21011</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222979</URL>
        <Description>SUSE Bug 1222979</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).</Note>
    </Notes>
    <CVE>CVE-2024-21012</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241452-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-21012.html</URL>
        <Description>CVE-2024-21012</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222987</URL>
        <Description>SUSE Bug 1222987</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).</Note>
    </Notes>
    <CVE>CVE-2024-21068</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241452-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-21068.html</URL>
        <Description>CVE-2024-21068</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222983</URL>
        <Description>SUSE Bug 1222983</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).</Note>
    </Notes>
    <CVE>CVE-2024-21085</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241452-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-21085.html</URL>
        <Description>CVE-2024-21085</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222984</URL>
        <Description>SUSE Bug 1222984</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).</Note>
    </Notes>
    <CVE>CVE-2024-21094</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-demo-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-devel-11.0.23.0-3.75.1</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:java-11-openjdk-headless-11.0.23.0-3.75.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241452-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-21094.html</URL>
        <Description>CVE-2024-21094</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222986</URL>
        <Description>SUSE Bug 1222986</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
