Headline
RHSA-2022:0970: Red Hat Security Advisory: java-1.8.0-ibm security update
An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-35550: OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
- CVE-2021-35603: OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
- CVE-2022-21248: OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
- CVE-2022-21293: OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392)
- CVE-2022-21294: OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416)
- CVE-2022-21340: OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026)
- CVE-2022-21341: OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236)
- CVE-2022-21360: OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756)
- CVE-2022-21365: OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838)
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-03-21
Updated:
2022-03-21
RHSA-2022:0970 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: java-1.8.0-ibm security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR7-FP5.
Security Fix(es):
- OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550)
- OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248)
- OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293)
- OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294)
- OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340)
- OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341)
- OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360)
- OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365)
- OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take effect.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Fixes
- BZ - 2015311 - CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
- BZ - 2015648 - CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
- BZ - 2041417 - CVE-2022-21293 OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392)
- BZ - 2041427 - CVE-2022-21294 OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416)
- BZ - 2041491 - CVE-2022-21360 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756)
- BZ - 2041785 - CVE-2022-21365 OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838)
- BZ - 2041801 - CVE-2022-21248 OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
- BZ - 2041884 - CVE-2022-21340 OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026)
- BZ - 2041897 - CVE-2022-21341 OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236)
CVEs
- CVE-2021-35550
- CVE-2021-35603
- CVE-2022-21248
- CVE-2022-21293
- CVE-2022-21294
- CVE-2022-21340
- CVE-2022-21341
- CVE-2022-21360
- CVE-2022-21365
Red Hat Enterprise Linux for x86_64 8
SRPM
x86_64
java-1.8.0-ibm-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: 8aae3735d16c5b75943682e23f820c3d5b5041e89a84412d446d1b86efbcf771
java-1.8.0-ibm-demo-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: 2ad9481d402e516189905f971484f3e7db9fea65f9ea044535528aaeda9cee69
java-1.8.0-ibm-devel-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: 379661405d76db3c2e2c467486f9a1abb09a92154a57567cef6d26971cf63a53
java-1.8.0-ibm-headless-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: ce8c5252175b0edbc89f58ea07f1d9d83d80d203d9dad1f50f0ae4070d05c94a
java-1.8.0-ibm-jdbc-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: d77289153373f38de67b12712bfe6cbf6044cf04945b537da6c54d6139e18757
java-1.8.0-ibm-plugin-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: 72e35d94fb689db8063a27096decd99f553eca7486f11b0b5d6f113bcfdb8c64
java-1.8.0-ibm-src-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: 0fb30232c9980362986ca593cc24c790a7de81f9d300e67a8ea6b56a02104d27
java-1.8.0-ibm-webstart-1.8.0.7.5-1.el8_5.x86_64.rpm
SHA-256: dee2ba6152862bf01acc7d08935017732fe4ece74acb00ee1e389a3724b87a36
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
s390x
java-1.8.0-ibm-1.8.0.7.5-1.el8_5.s390x.rpm
SHA-256: 498963a2365374cca3583ca169595542867d06a3cf4f329c1154877a71864ccf
java-1.8.0-ibm-demo-1.8.0.7.5-1.el8_5.s390x.rpm
SHA-256: a93d3a9410ab2809a1878ee758630c63c428343b3ab1f7f5f313ca5411b34cab
java-1.8.0-ibm-devel-1.8.0.7.5-1.el8_5.s390x.rpm
SHA-256: 9f37be6b6b914b376d3d991c134509bb4a9366f329186571b8d5c2ac3477d759
java-1.8.0-ibm-headless-1.8.0.7.5-1.el8_5.s390x.rpm
SHA-256: f2590b5fd6c5e205373c89fed793c5334baa0dd61abe839cd39b6c0c82a76148
java-1.8.0-ibm-jdbc-1.8.0.7.5-1.el8_5.s390x.rpm
SHA-256: 2b5905693dc537754dcbb240a4714190cee7bb6447b6033e05bbbfdcc94d0a6f
java-1.8.0-ibm-src-1.8.0.7.5-1.el8_5.s390x.rpm
SHA-256: 98528a0f8d2934300aa4aa58f8576bb1f0aa52bd8cdee97e622b4a41555e778f
Red Hat Enterprise Linux for Power, little endian 8
SRPM
ppc64le
java-1.8.0-ibm-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 8eeed8df518d41cedc53f7ab0f535fbb65c4209168d2d22de6b340a68b21b451
java-1.8.0-ibm-demo-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 75f19c8deeddc732512a82d7fbfaa38d794eca1e70be5f93fa4e9570ba7053bc
java-1.8.0-ibm-devel-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 609d8528546c7d9bab5798cc6c0ef01de07ad3135d9abf1c6708c722fed92a98
java-1.8.0-ibm-headless-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 95ae5d7a88ad88d5fac8b9e8a44a9d99dc54937c7d47f08c3de8b8afd2c1feea
java-1.8.0-ibm-jdbc-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 5830fb6d10b7e0494690f432fd4b48da58f5c187dbfa4f70b38c9d5e0a3592d1
java-1.8.0-ibm-plugin-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 27077abc9c28be979263981a5db05b4e2df07279b0aa90e37985ee2c927177f7
java-1.8.0-ibm-src-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: 92aac85c364688522ed9e75683031dd2b2aa13aa9aab6fb74518a5dc1b076713
java-1.8.0-ibm-webstart-1.8.0.7.5-1.el8_5.ppc64le.rpm
SHA-256: a3154b458ecfdd4feef1cf7762931dcbf1c667404fd290046c596b0c4c5128a8
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.