   openSUSE Security Update: Security update for java-17-openj9
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0067-1
Rating:             important
References:         #1204468 #1204471 #1204472 #1204473 #1204475 #1204480
                    #1204703 #1206549 #1207246 #1207248 #1207922 #1210628
                    #1210631 #1210632 #1210634 #1210635 #1210636 #1210637
                    #1211615 #1213470 #1213473 #1213474 #1213475 #1213479
                    #1213481 #1213482 #1216339 #1216374 #1217214 #1218903
                    #1218905 #1218907 #1218908 #1218909 #1218911 #1222979
                    #1222983 #1222986 #1222987 #1228046 #1228047 #1228048
                    #1228051 #1228052 #1231702 #1231711 #1231716 #1231719
                    #1236278 #1236804
Cross-References:   CVE-2022-21618 CVE-2022-21619 CVE-2022-21624
                    CVE-2022-21626 CVE-2022-21628 CVE-2022-3676
                    CVE-2022-39399 CVE-2023-21835 CVE-2023-21843
                    CVE-2023-21930 CVE-2023-21937 CVE-2023-21938
                    CVE-2023-21939 CVE-2023-21954 CVE-2023-21967
                    CVE-2023-21968 CVE-2023-22006 CVE-2023-22025
                    CVE-2023-22036 CVE-2023-22041 CVE-2023-22044
                    CVE-2023-22045 CVE-2023-22049 CVE-2023-22081
                    CVE-2023-25193 CVE-2023-2597 CVE-2023-5676
                    CVE-2024-20918 CVE-2024-20919 CVE-2024-20921
                    CVE-2024-20932 CVE-2024-20945 CVE-2024-20952
                    CVE-2024-21011 CVE-2024-21012 CVE-2024-21068
                    CVE-2024-21094 CVE-2024-21131 CVE-2024-21138
                    CVE-2024-21140 CVE-2024-21145 CVE-2024-21147
                    CVE-2024-21208 CVE-2024-21210 CVE-2024-21217
                    CVE-2024-21235 CVE-2025-21502
CVSS scores:
                    CVE-2022-21618 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2022-21619 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2022-21624 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2022-21626 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2022-21628 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2022-3676 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2022-39399 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-21835 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2023-21843 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-21930 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2023-21937 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-21938 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-21939 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-21954 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2023-21967 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2023-21968 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-22006 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
                    CVE-2023-22025 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-22036 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2023-22041 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2023-22044 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2023-22045 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2023-22049 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2023-22081 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2023-25193 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2023-2597 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-5676 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2024-20918 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2024-20919 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2024-20921 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2024-20932 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2024-20945 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2024-20952 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2024-21011 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2024-21012 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2024-21068 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2024-21094 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2024-21131 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2024-21138 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2024-21140 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2024-21145 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2024-21147 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2024-21208 (SUSE): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
                    CVE-2024-21210 (SUSE): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
                    CVE-2024-21217 (SUSE): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
                    CVE-2024-21235 (SUSE): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
                    CVE-2025-21502 (SUSE): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that solves 47 vulnerabilities and has three fixes
   is now available.

Description:

   This update for java-17-openj9 fixes the following issues:

   - Update to OpenJDK 17.0.14 with OpenJ9 0.49.0 virtual machine
   - Including Oracle October 2024 and January 2025 CPU changes
     * CVE-2024-21208 (boo#1231702), CVE-2024-21210 (boo#1231711),
       CVE-2024-21217 (boo#1231716), CVE-2024-21235 (boo#1231719),
       CVE-2025-21502 (boo#1236278)
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.49/

   - Update to OpenJDK 17.0.12 with OpenJ9 0.46.0 virtual machine
   - Including Oracle July 2024 CPU changes
     * CVE-2024-21131 (boo#1228046), CVE-2024-21138 (boo#1228047),
       CVE-2024-21140 (boo#1228048), CVE-2024-21147 (boo#1228052),
       CVE-2024-21145 (boo#1228051)
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.46/

   - Update to OpenJDK 17.0.11 with OpenJ9 0.44.0 virtual machine
   - Including Oracle April 2024 CPU changes
     * CVE-2024-21012 (boo#1222987), CVE-2024-21094 (boo#1222986),
       CVE-2024-21011 (boo#1222979), CVE-2024-21068 (boo#1222983)
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.44/

   - Update to OpenJDK 17.0.10 with OpenJ9 0.43.0 virtual machine
   - Including Oracle January 2024 CPU changes
     * CVE-2024-20918 (boo#1218907), CVE-2024-20919 (boo#1218903),
       CVE-2024-20921 (boo#1218905), CVE-2024-20932 (boo#1218908),
       CVE-2024-20945 (boo#1218909), CVE-2024-20952 (boo#1218911)
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.43/

   - Update to OpenJDK 17.0.9 with OpenJ9 0.41.0 virtual machine
   - Including Oracle October 2023 CPU changes
     * CVE-2023-22081, boo#1216374
     * CVE-2023-22025, boo#1216339
   - Including OpenJ9 0.41.0 fixes of CVE-2023-5676, boo#1217214
     * For other OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.41

   - Update to OpenJDK 17.0.8.1 with OpenJ9 0.40.0 virtual machine
     * JDK-8313765: Invalid CEN header (invalid zip64 extra data
       field size)

   - Update to OpenJDK 17.0.8 with OpenJ9 0.40.0 virtual machine
   - Including Oracle July 2023 CPU changes
     * CVE-2023-22006 (boo#1213473), CVE-2023-22036 (boo#1213474),
       CVE-2023-22041 (boo#1213475), CVE-2023-22044 (boo#1213479),
       CVE-2023-22045 (boo#1213481), CVE-2023-22049 (boo#1213482),
       CVE-2023-25193 (boo#1207922)
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.40

   - Update to OpenJDK 17.0.7 with OpenJ9 0.38.0 virtual machine
   - Including Oracle April 2023 CPU changes
     * CVE-2023-21930 (boo#1210628), CVE-2023-21937 (boo#1210631),
       CVE-2023-21938 (boo#1210632), CVE-2023-21939 (boo#1210634),
       CVE-2023-21954 (boo#1210635), CVE-2023-21967 (boo#1210636),
       CVE-2023-21968 (boo#1210637)
     * OpenJ9 specific vulnerability: CVE-2023-2597 (boo#1211615)
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.38

   - Update to OpenJDK 17.0.6 with OpenJ9 0.36.0 virtual machine
     * including Oracle January 2023 CPU changes
       + CVE-2023-21835, boo#1207246
       + CVE-2023-21843, boo#1207248
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.36

   - Update to OpenJDK 17.0.5 with OpenJ9 0.35.0 virtual machine
     * Including Oracle October 2022 CPU changes
       CVE-2022-21618 (boo#1204468), CVE-2022-21619 (boo#1204473),
       CVE-2022-21626 (boo#1204471), CVE-2022-21624 (boo#1204475),
       CVE-2022-21628 (boo#1204472), CVE-2022-39399 (boo#1204480)
     * Fixes OpenJ9 vulnerability boo#1204703, CVE-2022-3676
     * OpenJ9 changes, see
       https://www.eclipse.org/openj9/docs/version0.35

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2025-67=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 ppc64le s390x x86_64):

      java-17-openj9-17.0.14.0-bp156.3.3.1
      java-17-openj9-demo-17.0.14.0-bp156.3.3.1
      java-17-openj9-devel-17.0.14.0-bp156.3.3.1
      java-17-openj9-headless-17.0.14.0-bp156.3.3.1
      java-17-openj9-jmods-17.0.14.0-bp156.3.3.1
      java-17-openj9-src-17.0.14.0-bp156.3.3.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      java-17-openj9-javadoc-17.0.14.0-bp156.3.3.1

References:

   https://www.suse.com/security/cve/CVE-2022-21618.html
   https://www.suse.com/security/cve/CVE-2022-21619.html
   https://www.suse.com/security/cve/CVE-2022-21624.html
   https://www.suse.com/security/cve/CVE-2022-21626.html
   https://www.suse.com/security/cve/CVE-2022-21628.html
   https://www.suse.com/security/cve/CVE-2022-3676.html
   https://www.suse.com/security/cve/CVE-2022-39399.html
   https://www.suse.com/security/cve/CVE-2023-21835.html
   https://www.suse.com/security/cve/CVE-2023-21843.html
   https://www.suse.com/security/cve/CVE-2023-21930.html
   https://www.suse.com/security/cve/CVE-2023-21937.html
   https://www.suse.com/security/cve/CVE-2023-21938.html
   https://www.suse.com/security/cve/CVE-2023-21939.html
   https://www.suse.com/security/cve/CVE-2023-21954.html
   https://www.suse.com/security/cve/CVE-2023-21967.html
   https://www.suse.com/security/cve/CVE-2023-21968.html
   https://www.suse.com/security/cve/CVE-2023-22006.html
   https://www.suse.com/security/cve/CVE-2023-22025.html
   https://www.suse.com/security/cve/CVE-2023-22036.html
   https://www.suse.com/security/cve/CVE-2023-22041.html
   https://www.suse.com/security/cve/CVE-2023-22044.html
   https://www.suse.com/security/cve/CVE-2023-22045.html
   https://www.suse.com/security/cve/CVE-2023-22049.html
   https://www.suse.com/security/cve/CVE-2023-22081.html
   https://www.suse.com/security/cve/CVE-2023-25193.html
   https://www.suse.com/security/cve/CVE-2023-2597.html
   https://www.suse.com/security/cve/CVE-2023-5676.html
   https://www.suse.com/security/cve/CVE-2024-20918.html
   https://www.suse.com/security/cve/CVE-2024-20919.html
   https://www.suse.com/security/cve/CVE-2024-20921.html
   https://www.suse.com/security/cve/CVE-2024-20932.html
   https://www.suse.com/security/cve/CVE-2024-20945.html
   https://www.suse.com/security/cve/CVE-2024-20952.html
   https://www.suse.com/security/cve/CVE-2024-21011.html
   https://www.suse.com/security/cve/CVE-2024-21012.html
   https://www.suse.com/security/cve/CVE-2024-21068.html
   https://www.suse.com/security/cve/CVE-2024-21094.html
   https://www.suse.com/security/cve/CVE-2024-21131.html
   https://www.suse.com/security/cve/CVE-2024-21138.html
   https://www.suse.com/security/cve/CVE-2024-21140.html
   https://www.suse.com/security/cve/CVE-2024-21145.html
   https://www.suse.com/security/cve/CVE-2024-21147.html
   https://www.suse.com/security/cve/CVE-2024-21208.html
   https://www.suse.com/security/cve/CVE-2024-21210.html
   https://www.suse.com/security/cve/CVE-2024-21217.html
   https://www.suse.com/security/cve/CVE-2024-21235.html
   https://www.suse.com/security/cve/CVE-2025-21502.html
   https://bugzilla.suse.com/1204468
   https://bugzilla.suse.com/1204471
   https://bugzilla.suse.com/1204472
   https://bugzilla.suse.com/1204473
   https://bugzilla.suse.com/1204475
   https://bugzilla.suse.com/1204480
   https://bugzilla.suse.com/1204703
   https://bugzilla.suse.com/1206549
   https://bugzilla.suse.com/1207246
   https://bugzilla.suse.com/1207248
   https://bugzilla.suse.com/1207922
   https://bugzilla.suse.com/1210628
   https://bugzilla.suse.com/1210631
   https://bugzilla.suse.com/1210632
   https://bugzilla.suse.com/1210634
   https://bugzilla.suse.com/1210635
   https://bugzilla.suse.com/1210636
   https://bugzilla.suse.com/1210637
   https://bugzilla.suse.com/1211615
   https://bugzilla.suse.com/1213470
   https://bugzilla.suse.com/1213473
   https://bugzilla.suse.com/1213474
   https://bugzilla.suse.com/1213475
   https://bugzilla.suse.com/1213479
   https://bugzilla.suse.com/1213481
   https://bugzilla.suse.com/1213482
   https://bugzilla.suse.com/1216339
   https://bugzilla.suse.com/1216374
   https://bugzilla.suse.com/1217214
   https://bugzilla.suse.com/1218903
   https://bugzilla.suse.com/1218905
   https://bugzilla.suse.com/1218907
   https://bugzilla.suse.com/1218908
   https://bugzilla.suse.com/1218909
   https://bugzilla.suse.com/1218911
   https://bugzilla.suse.com/1222979
   https://bugzilla.suse.com/1222983
   https://bugzilla.suse.com/1222986
   https://bugzilla.suse.com/1222987
   https://bugzilla.suse.com/1228046
   https://bugzilla.suse.com/1228047
   https://bugzilla.suse.com/1228048
   https://bugzilla.suse.com/1228051
   https://bugzilla.suse.com/1228052
   https://bugzilla.suse.com/1231702
   https://bugzilla.suse.com/1231711
   https://bugzilla.suse.com/1231716
   https://bugzilla.suse.com/1231719
   https://bugzilla.suse.com/1236278
   https://bugzilla.suse.com/1236804