The reason is you are querying the object instead of the package. Don't query Java to find out what package it came from. It doesn't know.
You must do this:
then you should see the package name coincide with the CVE alert. You can then download the new version and update it by running YUM or RPM.