Posts

Liberica JDK 8u312, 11.0.13, and 17.0.1 builds are out

Oct 20, 2021
Aleksei Voitylov
16.3

Contents

  1. Description
  2. How to keep your runtime secure
  3. The summary of fixes
  4. List of security issues fixed
  5. Notable changes in Liberica JDK
  6. Upstream changes: highlights
    1. Transfer to Git/Scara (JDK 11)
    2. Updated preference of the default enabled cipher suites
    3. Corrected response of methods related to CPU load (JDK 8 & 11)
    4. Fixed Kerberos credential retrieval in cross-realm setup
    5. Adjusted cgroup initialization (JDK 8 & 11)
  7. Supported platforms
  8. Enjoy the most stable runtime!

Description

This is a Critical Patch Update (CPU) release of Liberica JDK, the Open JDK instance produced by BellSoft. CPU patches are released quarterly for LTS versions of Liberica JDK (8, 11, 17) with a goal to keep the runtime secure and stable. These patches contain a number of Common Vulnerabilities and Exposure (CVE) fixes and defect fixes.

In addition to CPUs, PSU releases contain non-critical fixes.

The release contains 669 fixes and backports overall. Five security issues were fixed with the participation of BellSoft (3 in JDK and 2 in FX).

How to keep your runtime secure

BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to ensure the stable work and secure performance of the runtime.

CPUs are scheduled for release in January, April, June, and October every year.

Liberica JDK updated and patches are available at no cost.

The summary of fixes

  • 13 security issues (CVEs) fixed;
  • 29 total security fixes;
  • 84 backports and bugs fixed:
    • in Liberica 8u311: 27 + 2 in FX,
    • in Liberica 11.0.12.0.1: 26 + 2 in FX,
    • in Liberica 17.0.0.0.1: 25 + 2 in FX.

In addition, PSU releases include a total of 543 bugs and backports fixed:

  • in Liberica 8u312: 29 security fixes (27 + 2 in FX) + 109,
  • in Liberica 11.0.13: 28 security fixes (26 + 2 in FX) + 303.
  • in Liberica 17.0.1: 27 security fixes (25 + 2 in FX) + 47.

List of security issues fixed

CVE IDcvss scorecomponentmoduleAttack vector (network/local)Complexity (low/high)Privileges (none/low)User interaction (none/required)Scope (changed/unchanged)Confidentiality (low/none/high)Integrity (low/none/high)Availability (low/none/high)
CVE-2021-3517 8.6 javafx web network low none none unchanged low low high
CVE-2021-35567 6.8 security-libs java.security network low low required changed high none none
CVE-2021-35550 5.9 security-libs javax.net.ssl network high none none unchanged high none none
CVE-2021-3522 5.5 javafx media local low none required unchanged none none high
CVE-2021-35586 5.3 client-libs javax.imageio network low none none unchanged none none low
CVE-2021-35564 5.3 security-libs java.security network low none none unchanged none low none
CVE-2021-35561 5.3 core-libs java.util network low none none unchanged none none low
CVE-2021-35565 5.3 core-libs java.net network low none none unchanged none none low
CVE-2021-35559 5.3 client-libs javax.swing network low none none unchanged none none low
CVE-2021-35578 5.3 security-libs javax.net.ssl network low none none unchanged none none low
CVE-2021-35556 5.3 client-libs javax.swing network low none none unchanged none none low
CVE-2021-35603 3.7 security-libs javax.net.ssl network high none none unchanged low none none
CVE-2021-35588 3.1 hotspot runtime network high none required unchanged none none low

Notable changes in Liberica JDK

Liberica JDK has the widest range of supported platforms. This CPU update includes support for Windows 11, so you can update your Windows version and continue developing seamless applications. In addition, Docker images now have updated base images for Debian and Alpine Linux:

  • Debian 10
  • Alpine Linux 3.14

CVEs fixed in Liberica per version:

  • 17.0.1: 11 (9 + 2 in FX);
  • 11.0.13: 12 (10 + 2 in FX);
  • 8u311: 13 (11 + 2 in FX);
  • 7u321: 9 (9 + 0 in FX).

Upstream changes: highlights

1. Transfer to Git/Scara (JDK 11)

With this CPU release, the JDK 11 updates project was moved to git on Github, so all Scara tools are now available for that release. The move to Git/Github is a significant step forward in terms of JDK11u maintenance, as it greatly simplifies the workflows for developers working on OpenJDK 11 updates.

2. Updated preference of the default enabled cipher suites

Cipher suites are sets of algorithms aimed at securing a network connection through SSL or TLS. During the SSL handshake, client and server exchange the preferred cipher suites and choose the strongest one supported by both sides.

It was proposed to update the default enabled cipher suites preference in order to prevent SSL stripping and similar attacks. The compatibility impact should be minimal. Forward secrecy should be preferable first.

Moreover, new Chacha20-Poly1305 AEAD cipher suites are now supported in JDK 11. This is an important enhancement, as Google Chrome now prefers these suites most.

The issues are related to containers. The first issue resides in the fact that the method getSystemCpuLoad() sometimes returned -1 when several CPUs on Linux machines were offline and cpusets.effective_cpus was absent.

The second issue was that the method OperatingSystemImpl.getCpuLoad()could return 1.0 in a container, even though the CPU load was below 100%. The problem was caused by the usage of elapsed time instead of the total CPU time. The latter one is specified by cpu.cfs_quota_us, so the CPUs should be divided by “quotaNanos”.

4. Fixed Kerberos credential retrieval in cross-realm setup

The problem was related to Kerberos constrained delegation when the backend and the middleware were in different realms. When the client requested the middleware, it received a ticket for constrained delegation to the backend, requested it on behalf of the client, and then the backend returned a response to the middleware. Due to the usage of tickets from the referrals cache, the first request succeeded; however, the subsequent ones did not. The solution is to not retrieve credentials from the cache for proxy requests.

5. Adjusted cgroup initialization (JDK 8 & 11)

This particular problem was related to failing support of croups in Kubernetes: pods failed to start due to the exception that was thrown when reading cgroups information.

The purpose of cgroups (or control groups) in Linux kernel is to allocate resources among processes (task groups) on a system. To initialize cgroups, it is necessary to find the mount points from /proc/self/mountinfo and read cgroup subsystem paths from /proc/self/cgroup. The latter file is a line-based text file with 3 fields, split by a colon. The file is parsed with a bare split, which results in cgroupPath containing a colon. In this case, the extra portion of the path is ignored, so the path is left as null during initialization. As a result, a NullPointerException is thrown at the attempt to read a configuration file and call Paths.getPath().

Supported platforms

Liberica JDK is tested and proven to work on a large number of platforms.

Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:

  • Docker
  • KVM
  • Microsoft Hyper-V (gen 1 and gen 2)
  • VirtualBox
  • VMware vSphere Hypervisor
  • Solaris Containers & Solaris LDOMs

Liberica JDK supports all major cloud providers, including but not limited to:

  • Amazon AWS
  • Digital Ocean
  • Google Cloud
  • Microsoft Azure
  • OVH
  • Packet
  • Scaleway
  • VMware Tanzu
  • Yandex Cloud

Enjoy the most stable runtime!

We, at BellSoft, are committed to making our products more secure, efficient, and stable allowing you to continue developing the most high-end applications.

You can download the new builds right now! Click here or on the button below to head over to Liberica Download Center.

  1. [11u] Proposal: Switch jdk11u development to Git/Skara
  2. [JDK-8163326] Update the default enabled cipher suites preference - Java Bug System
  3. [JDK-8140466] ChaCha20 and Poly1305 TLS Cipher Suites - Java Bug System
  4. [JDK-8270137] Kerberos Credential Retrieval from Cache in Cross-Realm Setup - Java Bug System
  5. [JDK-8247469] getSystemCpuLoad() issue - Java Bug System
  6. [JDK-8265836] OperatingSystemImpl.getCpuLoad() issue - Java Bug System
  7. [JDK-8272124] Failing cgroup v1 initialization - Java Bug System

Subcribe to our newsletter

figure

Read the industry news, receive solutions to your problems, and find the ways to save money.

Further reading