Security update for java-1_7_1-ibm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14634-1 Final 1 1 2021-02-19T09:35:35Z current 2021-02-19T09:35:35Z 2021-02-19T09:35:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for java-1_7_1-ibm This update for java-1_7_1-ibm fixes the following issues: - Update to Java 7.1 Service Refresh 4 Fix Pack 80 [bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803] * CVE-2020-27221: Potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. * CVE-2020-14803: Unauthenticated attacker with network access via multiple protocols allows to compromise Java SE. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slessp4-java-1_7_1-ibm-14634 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114634-1/ Link for SUSE-SU-2021:14634-1 https://lists.suse.com/pipermail/sle-security-updates/2021-February/008347.html E-Mail link for SUSE-SU-2021:14634-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1181239 SUSE Bug 1181239 https://bugzilla.suse.com/1182186 SUSE Bug 1182186 https://www.suse.com/security/cve/CVE-2020-14803/ SUSE CVE CVE-2020-14803 page https://www.suse.com/security/cve/CVE-2020-27221/ SUSE CVE CVE-2020-27221 page SUSE Linux Enterprise Server 11 SP4-LTSS java-1_7_1-ibm-1.7.1_sr4.80-26.65.1 java-1_7_1-ibm-alsa-1.7.1_sr4.80-26.65.1 java-1_7_1-ibm-devel-1.7.1_sr4.80-26.65.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.80-26.65.1 java-1_7_1-ibm-plugin-1.7.1_sr4.80-26.65.1 java-1_7_1-ibm-1.7.1_sr4.80-26.65.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS java-1_7_1-ibm-alsa-1.7.1_sr4.80-26.65.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS java-1_7_1-ibm-devel-1.7.1_sr4.80-26.65.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS java-1_7_1-ibm-jdbc-1.7.1_sr4.80-26.65.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS java-1_7_1-ibm-plugin-1.7.1_sr4.80-26.65.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). CVE-2020-14803 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-alsa-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-devel-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-jdbc-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-plugin-1.7.1_sr4.80-26.65.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114634-1/ https://www.suse.com/security/cve/CVE-2020-14803.html CVE-2020-14803 https://bugzilla.suse.com/1177943 SUSE Bug 1177943 https://bugzilla.suse.com/1181239 SUSE Bug 1181239 https://bugzilla.suse.com/1182186 SUSE Bug 1182186 In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. CVE-2020-27221 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-alsa-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-devel-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-jdbc-1.7.1_sr4.80-26.65.1 SUSE Linux Enterprise Server 11 SP4-LTSS:java-1_7_1-ibm-plugin-1.7.1_sr4.80-26.65.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114634-1/ https://www.suse.com/security/cve/CVE-2020-27221.html CVE-2020-27221 https://bugzilla.suse.com/1182186 SUSE Bug 1182186