Why is OpenJDK CVE patched version openjdk-lts/11.0.14+9-0ubuntu2~20.04 not available in the Security apt repo?

Asked by Roger Lehmann

I noticed that the patch for an OpenJDK CVE (https://ubuntu.com/security/notices/USN-5313-1) is nowhere to be found in the Ubuntu Apt repos. Why is it not there?

Using:

deb http://archive.ubuntu.com:80/ubuntu focal main restricted
deb http://archive.ubuntu.com:80/ubuntu focal-updates main restricted
deb http://archive.ubuntu.com:80/ubuntu focal universe
deb http://archive.ubuntu.com:80/ubuntu focal-updates universe
deb http://archive.ubuntu.com:80/ubuntu focal multiverse
deb http://archive.ubuntu.com:80/ubuntu focal-updates multiverse
deb http://archive.ubuntu.com:80/ubuntu focal-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted
deb http://security.ubuntu.com/ubuntu focal-security universe
deb http://security.ubuntu.com/ubuntu focal-security multiverse

openjdk-11-jre:
  Installed: 11.0.14.1+1-0ubuntu1~20.04
  Candidate: 11.0.14.1+1-0ubuntu1~20.04
  Version table:
 *** 11.0.14.1+1-0ubuntu1~20.04 500
        500 http://archive.ubuntu.com:80/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     11.0.7+10-3ubuntu1 500
        500 http://archive.ubuntu.com:80/ubuntu focal/main amd64 Packages

Question information

Language: English
Status: Solved
For: Ubuntu openjdk-lts
Assignee: No assignee
Solved by: Roger Lehmann
#1 Bernard Stafford (bernard010) said:

The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04

    openjdk-17-jdk - 17.0.2+8-1~20.04
    openjdk-17-jre-zero - 17.0.2+8-1~20.04
    openjdk-11-jre-zero - 11.0.14+9-0ubuntu2~20.04
    openjdk-11-jre-headless - 11.0.14+9-0ubuntu2~20.04
    openjdk-11-jdk - 11.0.14+9-0ubuntu2~20.04
    openjdk-17-jre-headless - 17.0.2+8-1~20.04
    openjdk-11-jre - 11.0.14+9-0ubuntu2~20.04
    openjdk-17-jre - 17.0.2+8-1~20.04
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21248
An attacker could possibly use this issue to obtain sensitive information.
There are 13 more CVE vulnerabilities involved, which is why.
You will get a new version through your regular updates.

#2 Roger Lehmann (hontonoroger) said:

Well, yes that is what I want to do.

The problem is that the Ubuntu repos currently don't provide this newer version of the package of openjdk-11-jre.

See https://packages.ubuntu.com/search?lang=en&suite=focal&searchon=names&keywords=openjdk-11-jre

Package openjdk-11-jre
    focal (20.04LTS) (java): OpenJDK Java runtime, using Hotspot JIT
    11.0.14.1+1-0ubuntu1~20.04 [security]: amd64 i386
    11.0.7+10-3ubuntu1 [ports]: arm64 armhf ppc64el s390x

#3 Manfred Hampl (m-hampl) said:

11.0.14+9-0ubuntu2~20.04 has already been superseded by 11.0.14.1+1-0ubuntu1~20.04

Please note that
11.0.14.1 ...+1-0ubuntu1~20.04 in terms of version numbers is greater than
11.0.14 ...+9-0ubuntu2~20.04

11.0.14.1+1-0ubuntu1~20.04 contains the changes for the CVE in question that have been introduced in 11.0.14+9-0ubuntu2~20.04
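
The ordering Manfred describes is the dpkg version ordering that apt uses when it picks a candidate, and it is also what a vulnerability scanner has to apply when it checks an installed version against the "fixed in" version from a USN. The following is an added example, not code from this thread, from dpkg or from apt: it re-implements the dpkg comparison (epoch, then upstream version, then Debian revision; digit runs compared numerically, `~` sorting before everything including the end of the string) in Python so the comparison can be checked offline without dpkg installed. The function names (`compare_versions`, `is_fixed`) are this example's own.

```python
"""Debian/dpkg version ordering, re-implemented for illustration.

Added example (not dpkg's or apt's code). It follows the algorithm of
dpkg's verrevcmp(): alternate non-digit runs and digit runs, where
'~' < end-of-string < letters < other characters, and digit runs are
compared numerically. Version strings are [epoch:]upstream[-revision].
"""


def _order(c: str) -> int:
    """Weight of one character in a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0            # end of string, or start of a digit run
    if c.isalpha():
        return ord(c)       # letters sort before non-letters
    if c == "~":
        return -1           # '~' sorts before everything, even the end
    return ord(c) + 256     # '.', '+', '-' and friends sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments; returns -1, 0 or 1 like dpkg."""
    def ch(s: str, i: int) -> str:
        return s[i] if i < len(s) else ""   # '' past the end of the string

    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character by character using _order().
        while (ch(a, ia) and not ch(a, ia).isdigit()) or \
              (ch(b, ib) and not ch(b, ib).isdigit()):
            oa, ob = _order(ch(a, ia)), _order(ch(b, ib))
            if oa != ob:
                return -1 if oa < ob else 1
            ia += 1
            ib += 1
        # Digit run: leading zeros are ignored, then the longer run wins,
        # otherwise the first differing digit decides.
        while ch(a, ia) == "0":
            ia += 1
        while ch(b, ib) == "0":
            ib += 1
        first_diff = 0
        while ch(a, ia).isdigit() and ch(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ch(a, ia).isdigit():
            return 1
        if ch(b, ib).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")  # revision follows the LAST '-'
    if not sep:                                  # no hyphen: no revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions semantics: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub)
    if c:
        return c
    return _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the USN 'fixed in' version."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    # Versions taken from this thread: the USN-5313-1 fix version and the
    # superseding 11.0.14.1 backport that apt actually offers on focal.
    usn_fix = "11.0.14+9-0ubuntu2~20.04"
    for v in ["11.0.7+10-3ubuntu1", usn_fix, "11.0.14.1+1-0ubuntu1~20.04"]:
        print(f"{v:32} fixed={is_fixed(v, usn_fix)}")
```

The decisive step for the versions in this thread is in the upstream part: `11.0.14.1+1` and `11.0.14+9` agree up to `11.0.14`, then `.` is compared against `+` as a non-digit run, and `.` sorts after `+`, so the four-component version is the greater one. The `~20.04` suffix on the revision is why the focal backport sorts below the identical jammy build, which is what keeps a release upgrade from being a downgrade.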

#4 Manfred Hampl (m-hampl) said:

Snippet from the change log for 11.0.14.1+1-0ubuntu1~20.04:

openjdk-lts (11.0.14.1+1-0ubuntu1~20.04) focal-security; urgency=medium

  * Backport 11.0.14.1 to Ubuntu 20.04 LTS.

 -- Matthias Klose <email address hidden> Sun, 27 Mar 2022 12:06:41 +0200

openjdk-lts (11.0.14.1+1-0ubuntu1) jammy; urgency=medium

  * OpenJDK 11.0.14.1+1 build (release).
    - Fix JDK-8218546. LP: #1966338.

 -- Matthias Klose <email address hidden> Sun, 27 Mar 2022 11:32:03 +0200

openjdk-lts (11.0.14+9-0ubuntu2) jammy; urgency=medium

  * OpenJDK 11.0.14+9 build (release).
  * Security fixes
    - JDK-8217375: jarsigner breaks old signature with long lines in manifest.
    - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir
      named "." inside.
    - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization.
    - JDK-8268488: More valuable DerValues.
    - JDK-8268494: Better inlining of inlined interfaces.
    - JDK-8268512: More content for ContentInfo.
    - JDK-8268795: Enhance digests of Jar files.
    - JDK-8268801: Improve PKCS attribute handling.
    - JDK-8268813, CVE-2022-21283: Better String matching.
    - JDK-8269151: Better construction of EncryptedPrivateKeyInfo.
    - JDK-8269944: Better HTTP transport redux.
    - JDK-8270386, CVE-2022-21291: Better verification of scan methods.
    - JDK-8270392, CVE-2022-21293: Improve String constructions.
    - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps.
    - JDK-8270492, CVE-2022-21282: Better resolution of URIs.
    - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management.
    - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities.
    - JDK-8270952, CVE-2022-21277: Improve TIFF file handling.
    - JDK-8271962: Better TrueType font loading.
    - JDK-8271968: Better canonical naming.
    - JDK-8271987: Manifest improved manifest entries.
    - JDK-8272014, CVE-2022-21305: Better array indexing.
    - JDK-8272026, CVE-2022-21340: Verify Jar Verification.
    - JDK-8272236, CVE-2022-21341: Improve serial forms for transport.
    - JDK-8272272: Enhance jcmd communication.
    - JDK-8272462: Enhance image handling.
    - JDK-8273290: Enhance sound handling.
    - JDK-8273756, CVE-2022-21360: Enhance BMP image support.
    - JDK-8273838, CVE-2022-21365: Enhanced BMP processing.
    - JDK-8274096, CVE-2022-21366: Improve decoding of image files.
    - JDK-8279541: Improve HarfBuzz.

 -- Matthias Klose <email address hidden> Wed, 19 Jan 2022 10:24:04 +0100

openjdk-lts (11.0.13+8-0ubuntu1) jammy; urgency=medium
...

#5 Roger Lehmann (hontonoroger) said:

Oh, thank you Manfred, now I get it.

So it seems the OpenSCAP reports we have on our side just don't know about this patch yet and claim we're still vulnerable.
I was mainly confused because the version numbering doesn't follow semantic versioning, adding a patch number to a patch number, but thank you for the clarification!

#6 Manfred Hampl (m-hampl) said:

Remark:

The 11.0.14.1 release is an official version number from https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u#JDK11u-Releases

If the OpenSCAP report does not know about it, then an update is required in openscap, but it's not a fault in openjdk.