On SDK 12.8SP7, vulnerabilities have been reported in the following jars:
10 Security-Critical Security axis : axis : 1.4
10 Security-Critical Security log4j : log4j : 1.2.17
10 Security-Critical Security xerces : xercesImpl : 2.12.2
9 Security-High Security org.bouncycastle : bc-fips : 1.0.2.3
9 Security-High Security xalan : xalan : 2.6.0
SDK 12.8SP7 on Red Hat 7.
None of the vulnerabilities affects the SDK package.
The jars axis : 1.4, xercesImpl : 2.12.2 and xalan : 2.6.0 are not provided by the SDK package.
The SDK package provides log4j 2.17.2, which is higher than the flagged 1.2.17, and the bc-fips : 1.0.2.3 vulnerability affects only certificate import, which the SDK package doesn't allow.
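
To reproduce this triage on an installed system, the scanner findings can be compared against the jar files actually present. The following is an added example, not part of the SDK or of the original note; the jar listing is a constructed sample and the name-version.jar file naming is an assumption.

```python
import re

# Scanner findings as listed above: (group, artifact, flagged version).
FINDINGS = [
    ("axis", "axis", "1.4"),
    ("log4j", "log4j", "1.2.17"),
    ("xerces", "xercesImpl", "2.12.2"),
    ("org.bouncycastle", "bc-fips", "1.0.2.3"),
    ("xalan", "xalan", "2.6.0"),
]
# Constructed sample listing (assumption): replace with the real directory
# contents, e.g. os.listdir() on the SDK's jar directory.
SAMPLE_JARS = ["log4j-api-2.17.2.jar", "log4j-core-2.17.2.jar",
               "bc-fips-1.0.2.3.jar", "sdk-client.jar"]
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.]*)\.jar$")

def parse_jar(filename):
    """Split 'name-1.2.3.jar' into ('name', '1.2.3'); None if unversioned."""
    m = JAR_RE.match(filename)
    return (m["name"], m["ver"]) if m else None

def vtuple(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))

def triage(findings, jar_files):
    """Map each finding to (status, matching jars found in the listing)."""
    inventory = [p for p in map(parse_jar, jar_files) if p]
    report = {}
    for group, artifact, flagged in findings:
        # Match the artifact itself or a sub-module such as log4j-core.
        hits = [(n, v) for n, v in inventory
                if n == artifact or n.startswith(artifact + "-")]
        if not hits:
            status = "not shipped"
        elif any(v == flagged for _, v in hits):
            status = "flagged version shipped"
        elif all(vtuple(v) > vtuple(flagged) for _, v in hits):
            status = "newer version shipped"
        else:
            status = "older version shipped"
        report[f"{group}:{artifact}:{flagged}"] = (status, hits)
    return report

if __name__ == "__main__":
    for coord, (status, hits) in triage(FINDINGS, SAMPLE_JARS).items():
        print(f"{coord:40} {status:24} {hits}")
```

A "flagged version shipped" result only confirms the jar is present; whether the vulnerable functionality is reachable still has to be assessed, as done above for bc-fips.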