SUSE-SU-2022:3092-1
Sep 06, 2022 - 12:00 a.m.

Security update for java-1_8_0-openj9 (important)

2022-09-06 00:00:00
lists.opensuse.org

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

An update that fixes 9 vulnerabilities is now available.

Description:

This update for java-1_8_0-openj9 fixes the following issues:

  • Updated to OpenJDK 8u345 build 01 with OpenJ9 0.33.0 virtual machine:

    • CVE-2022-34169: Fixed an integer truncation issue in the Xalan Java
      XSLT library that occurred when processing malicious stylesheets
      (bsc#1201684).
    • CVE-2022-21541: Fixed a potential bypass of sandbox restrictions in
      the Hotspot component (bsc#1201692).
    • CVE-2022-21540: Fixed a potential bypass of sandbox restrictions in
      the Hotspot component (bsc#1201694).
  • Updated to OpenJDK 8u332 build 09 with OpenJ9 0.32.0 virtual machine:

    • CVE-2021-41041: Fixed an issue that could allow unverified methods to
      be invoked using MethodHandles (bsc#1198935).
    • CVE-2022-21426: Fixed a remote partial denial of service issue
      (component: JAXP) (bsc#1198672).
    • CVE-2022-21434: Fixed an issue that could allow a remote attacker to
      update, insert or delete data (component: Libraries) (bsc#1198674).
    • CVE-2022-21443: Fixed a remote partial denial of service issue
      (component: Libraries) (bsc#1198675).
    • CVE-2022-21476: Fixed an issue that could allow unauthorized access to
      confidential data (component: Libraries) (bsc#1198671).
    • CVE-2022-21496: Fixed an issue that could allow a remote attacker to
      update, insert or delete data (component: JNDI) (bsc#1198673).

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation methods
such as YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-3092=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-3092=1
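As an added check that is not part of the advisory, the POSIX sh snippet below classifies `rpm -q java-1_8_0-openj9` output against the OpenJDK 8u345 level this update ships, so a fleet can be audited for hosts still below it. It assumes SUSE's rpm version scheme `1.8.0.<update>-<release>` for this package; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not SUSE's code: report whether an installed
# java-1_8_0-openj9 package is at or above the OpenJDK 8u345 build
# named in SUSE-SU-2022:3092-1. Version scheme 1.8.0.<update> is assumed.
FIXED_UPDATE=345

# Print the OpenJDK update level (the NNN in 1.8.0.NNN) from one
# "rpm -q java-1_8_0-openj9" output line; print nothing if it does not parse.
update_level_of() {
    printf '%s\n' "$1" |
        sed -n 's/^java-1_8_0-openj9-1\.8\.0\.\([0-9][0-9]*\)-.*/\1/p'
}

# Return 0 when the line names a build at or above FIXED_UPDATE, 1 otherwise.
# Unparseable input (e.g. "package ... is not installed") is reported as not
# patched so it is never silently treated as safe.
is_patched() {
    lvl=$(update_level_of "$1")
    [ -n "$lvl" ] && [ "$lvl" -ge "$FIXED_UPDATE" ]
}

# Constructed sample lines standing in for real "rpm -q" output.
for line in "java-1_8_0-openj9-1.8.0.332-150200.3.2.1.x86_64" \
            "java-1_8_0-openj9-1.8.0.345-150200.3.3.1.x86_64"; do
    if is_patched "$line"; then
        echo "$line: at or above 8u$FIXED_UPDATE"
    else
        echo "$line: below 8u$FIXED_UPDATE, apply SUSE-SU-2022:3092-1"
    fi
done
```

On a live host, feed the loop with `rpm -q java-1_8_0-openj9` instead of the constructed lines.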
