Security update for java-1_8_0-ibm

Announcement ID:	SUSE-SU-2025:03236-1
Release Date:	2025-09-16T09:11:38Z
Rating:	important
References:	bsc#1246575 bsc#1246580 bsc#1246584 bsc#1246595 bsc#1246598 bsc#1247754
Cross-References:	CVE-2025-30749 CVE-2025-30754 CVE-2025-30761 CVE-2025-50059 CVE-2025-50106
CVSS scores:	CVE-2025-30749 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2025-30749 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2025-30749 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-30754 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-30754 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30754 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-30761 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-30761 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-50059 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2025-50059 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2025-50106 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-50106 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves five vulnerabilities and has one security fix can now be installed.

Description:

This update for java-1_8_0-ibm fixes the following issues:

Update to Java 8.0 Service Refresh 8 Fix Pack 50.

Security issues fixed:

• Oracle July 15 2025 CPU (bsc#1247754).
• CVE-2025-30749: heap corruption allows unauthenticated attacker with network access to compromise and takeover Java applications that load and run untrusted code (bsc#1246595).
• CVE-2025-30754: incomplete handshake allows unauthenticated attacker with network access via TLS to gain unauthorized update, insert, delete and read access to sensitive data (bsc#1246598).
• CVE-2025-30761: issue in the Scripting component allows unauthenticated attacker with network access to gain unauthorized creation, deletion or modification access to critical data (bsc#1246580).
• CVE-2025-50059: issue in the Networking component allows unauthenticated attacker with network access to gain unauthorized access to critical data (bsc#1246575).
• CVE-2025-50106: Glyph out-of-memory access allows unauthenticated attacker with network access to compromise and takeover Java applications that load and run untrusted code (bsc#1246584).

Other issues fixed.

• Class Libraries:
• Oracle Security Fix 8348989: Better Glyph drawing.
• Removal of Baltimore root certificate and TWO CAMERFIRMA root CA certificates from CACERTS.
• Update timezone information to the latest TZDATA2025B.
• Java Virtual Machine:
• Assertion failure at copyforwardscheme.cpp.
• JIT Compiler:
• GC assert due to an invalid object reference.
• SIGILL from JIT compiled method.
• Unexpected behaviour with very large arrays.
• Security:
• Deserialization of a serialized RSAPrivateCrtKey is throwing an exception.
• EDDSAsignature fails when doing multiple update.
• HTTPS channel binding support.
• IBMJCEPlus provider supports post quantum cryptography algorithms ML-KEM (key encapsulation) and ML-DSA (digital signature).
• Key certificate management: Extended key usage cannot be set without having key usage extension in certificate request.
• MessageDigest.update API does not throw the correct exception.
• Oracle Security Fix 8349594: Enhance TLS protocol support.
• Problem getting key in PKCS12 keystore on MAC.
• TLS support for the EDDSA signature algorithm.
• Wrong algorithm name returned for EDDSA keys.
• z/OS Extentions:
• IBMJCEHybridException with hybrid provider in GCM mode.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3236=1
• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-3236=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (nosrc x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.50-30.138.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • java-1_8_0-ibm-plugin-1.8.0_sr8.50-30.138.1
  • java-1_8_0-ibm-alsa-1.8.0_sr8.50-30.138.1
  • java-1_8_0-ibm-devel-1.8.0_sr8.50-30.138.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (nosrc ppc64le s390x x86_64)
  • java-1_8_0-ibm-1.8.0_sr8.50-30.138.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (ppc64le s390x x86_64)
  • java-1_8_0-ibm-devel-1.8.0_sr8.50-30.138.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (x86_64)
  • java-1_8_0-ibm-plugin-1.8.0_sr8.50-30.138.1
  • java-1_8_0-ibm-alsa-1.8.0_sr8.50-30.138.1

References:

• https://www.suse.com/security/cve/CVE-2025-30749.html
• https://www.suse.com/security/cve/CVE-2025-30754.html
• https://www.suse.com/security/cve/CVE-2025-30761.html
• https://www.suse.com/security/cve/CVE-2025-50059.html
• https://www.suse.com/security/cve/CVE-2025-50106.html
• https://bugzilla.suse.com/show_bug.cgi?id=1246575
• https://bugzilla.suse.com/show_bug.cgi?id=1246580
• https://bugzilla.suse.com/show_bug.cgi?id=1246584
• https://bugzilla.suse.com/show_bug.cgi?id=1246595
• https://bugzilla.suse.com/show_bug.cgi?id=1246598
• https://bugzilla.suse.com/show_bug.cgi?id=1247754