Security update for java-11-openjdk SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3235-1 Final 1 1 2018-10-18T17:31:28Z current 2018-10-18T17:31:28Z 2018-10-18T17:31:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for java-11-openjdk This update for java-11-openjdk fixes the following issues: Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU) Security fixes: - S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support - S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again - S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks - S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound - S8194534, CVE-2018-3136, bsc#1112142: Manifest better support - S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection Security-In-Depth fixes: - S8194546: Choosier FileManagers - S8195874: Improve jar specification adherence - S8196897: Improve PRNG support - S8197881: Better StringBuilder support - S8201756: Improve cipher inputs - S8203654: Improve cypher state updates - S8204497: Better formatting of decimals - S8200666: Improve LDAP support - S8199110: Address Internet Addresses Update to upstream tag jdk-11+28 (OpenJDK 11 rc1) - S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy - S8207838: AArch64: Float registers incorrectly restored in JNI call - S8209637: [s390x] Interpreter doesn't call result handler after native calls - S8209670: CompilerThread releasing code buffer in destructor is unsafe - S8209735: Disable avx512 by default - S8209806: API docs should be updated to refer to javase11 - Report version without the "-internal" postfix - Don't build against gdk making the accessibility depend on a particular version of gtk. Update to upstream tag jdk-11+27 - S8031761: [TESTBUG] Add a regression test for JDK-8026328 - S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with "unexpected values of outer fields of the class" when running with -Xcomp - S8164639: Configure PKCS11 tests to use user-supplied NSS libraries - S8189667: Desktop#moveToTrash expects incorrect "<<ALL FILES>>" FilePermission - S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in -Xcomp - S8195156: [Graal] serviceability/jvmti/GetModulesInfo/ /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode - S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run twice - S8201394: Update java.se module summary to reflect removal of java.se.ee module - S8204931: Colors with alpha are painted incorrectly on Linux - S8204966: [TESTBUG] hotspot/test/compiler/whitebox/ /IsMethodCompilableTest.java test fails with -XX:CompileThreshold=1 - S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent quadratic runtime behavior - S8205687: TimeoutHandler generates huge core files - S8206176: Remove the temporary tls13VN field - S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found - S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP locale. - S8207009: TLS 1.3 half-close and synchronization issues - S8207046: arm32 vm crash: C1 arm32 platform functions parameters type mismatch - S8207139: NMT is not enabled on Windows 2016/10 - S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string - S8207355: C1 compilation hangs in ComputeLinearScanOrder::compute_dominator - S8207746: C2: Lucene crashes on AVX512 instruction - S8207765: HeapMonitorTest.java intermittent failure - S8207944: java.lang.ClassFormatError: Extra bytes at the end of class file test" possibly violation of JVMS 4.7.1 - S8207948: JDK 11 L10n resource file update msg drop 10 - S8207966: HttpClient response without content-length does not return body - S8208125: Cannot input text into JOptionPane Text Input Dialog - S8208164: (str) improve specification of String::lines - S8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 - S8208189: ProblemList compiler/graalunit/JttThreadsTest.java - S8208205: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java - S8208251: serviceability/jvmti/HeapMonitor/MyPackage/ /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64 - S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java - S8208347: ProblemList compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java - S8208353: Upgrade JDK 11 to libpng 1.6.35 - S8208358: update bug ids mentioned in tests - S8208370: fix typo in ReservedStack tests' @requires - S8208391: Differentiate response and connect timeouts in HTTP Client API - S8208466: Fix potential memory leak in harfbuzz shaping. - S8208496: New Test to verify concurrent behavior of TLS. - S8208521: ProblemList more tests that fail due to 'Error attaching to process: Can't create thread_db agent!' - S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard. - S8208663: JDK 11 L10n resource file update msg drop 20 - S8208676: Missing NULL check and resource leak in NetworkPerformanceInterface::NetworkPerformance::network_utilization - S8208691: Tighten up jdk.includeInExceptions security property - S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/ /TestNssDbSqlite.java fails in aarch64 platforms - S8209029: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' in jdk-11+25 testing - S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java needs a longer timeout - S8209451: Please change jdk 11 milestone to FCS - S8209452: VerifyCACerts.java failed with "At least one cacert test failed" - S8209506: Add Google Trust Services GlobalSign root certificates - S8209537: Two security tests failed after JDK-8164639 due to dependency was missed This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html E-Mail link for openSUSE-SU-2018:3235-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 java-11-openjdk-11.0.1.0-lp150.2.6.1 java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 java-11-openjdk-src-11.0.1.0-lp150.2.6.1 java-11-openjdk-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 java-11-openjdk-src-11.0.1.0-lp150.2.6.1 as a component of openSUSE Leap 15.0 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N). CVE-2018-3136 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3136.html CVE-2018-3136 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112142 SUSE Bug 1112142 https://bugzilla.suse.com/1112143 SUSE Bug 1112143 https://bugzilla.suse.com/1112144 SUSE Bug 1112144 https://bugzilla.suse.com/1112146 SUSE Bug 1112146 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112148 SUSE Bug 1112148 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1112152 SUSE Bug 1112152 https://bugzilla.suse.com/1116574 SUSE Bug 1116574 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). CVE-2018-3139 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3139.html CVE-2018-3139 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112142 SUSE Bug 1112142 https://bugzilla.suse.com/1112143 SUSE Bug 1112143 https://bugzilla.suse.com/1112144 SUSE Bug 1112144 https://bugzilla.suse.com/1112146 SUSE Bug 1112146 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112148 SUSE Bug 1112148 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1112152 SUSE Bug 1112152 https://bugzilla.suse.com/1116574 SUSE Bug 1116574 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). CVE-2018-3149 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3149.html CVE-2018-3149 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112142 SUSE Bug 1112142 https://bugzilla.suse.com/1112143 SUSE Bug 1112143 https://bugzilla.suse.com/1112144 SUSE Bug 1112144 https://bugzilla.suse.com/1112146 SUSE Bug 1112146 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112148 SUSE Bug 1112148 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1112152 SUSE Bug 1112152 https://bugzilla.suse.com/1116574 SUSE Bug 1116574 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Utility). The supported version that is affected is Java SE: 11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). CVE-2018-3150 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3150.html CVE-2018-3150 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112145 SUSE Bug 1112145 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Sound). The supported version that is affected is Java SE: 11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). CVE-2018-3157 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3157.html CVE-2018-3157 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112149 SUSE Bug 1112149 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). CVE-2018-3169 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3169.html CVE-2018-3169 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112142 SUSE Bug 1112142 https://bugzilla.suse.com/1112143 SUSE Bug 1112143 https://bugzilla.suse.com/1112144 SUSE Bug 1112144 https://bugzilla.suse.com/1112146 SUSE Bug 1112146 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112148 SUSE Bug 1112148 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1112152 SUSE Bug 1112152 https://bugzilla.suse.com/1116574 SUSE Bug 1116574 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). CVE-2018-3180 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3180.html CVE-2018-3180 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112142 SUSE Bug 1112142 https://bugzilla.suse.com/1112143 SUSE Bug 1112143 https://bugzilla.suse.com/1112144 SUSE Bug 1112144 https://bugzilla.suse.com/1112146 SUSE Bug 1112146 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112148 SUSE Bug 1112148 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1112152 SUSE Bug 1112152 https://bugzilla.suse.com/1116574 SUSE Bug 1116574 https://bugzilla.suse.com/1122292 SUSE Bug 1122292 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). CVE-2018-3183 openSUSE Leap 15.0:java-11-openjdk-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-demo-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-devel-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-headless-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1 openSUSE Leap 15.0:java-11-openjdk-src-11.0.1.0-lp150.2.6.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00041.html https://www.suse.com/security/cve/CVE-2018-3183.html CVE-2018-3183 https://bugzilla.suse.com/1101651 SUSE Bug 1101651 https://bugzilla.suse.com/1101653 SUSE Bug 1101653 https://bugzilla.suse.com/1112142 SUSE Bug 1112142 https://bugzilla.suse.com/1112143 SUSE Bug 1112143 https://bugzilla.suse.com/1112144 SUSE Bug 1112144 https://bugzilla.suse.com/1112146 SUSE Bug 1112146 https://bugzilla.suse.com/1112147 SUSE Bug 1112147 https://bugzilla.suse.com/1112148 SUSE Bug 1112148 https://bugzilla.suse.com/1112151 SUSE Bug 1112151 https://bugzilla.suse.com/1112152 SUSE Bug 1112152 https://bugzilla.suse.com/1116574 SUSE Bug 1116574 https://bugzilla.suse.com/1120714 SUSE Bug 1120714 https://bugzilla.suse.com/1122292 SUSE Bug 1122292