- How to keep your runtime secure
- The summary of fixes
- List of security issues fixed
- Notable changes in Liberica JDK
- Upstream changes: highlights
- Supported platforms
- Enjoy the most stable runtime!
This is a Critical Patch Update (CPU) release of Liberica JDK, the OpenJDK distribution produced by BellSoft. CPU releases are published quarterly for the LTS versions of Liberica JDK (8, 11, 17) to keep the runtime secure and stable. They contain fixes for a number of Common Vulnerabilities and Exposures (CVEs) together with defect fixes.
In addition to CPUs, BellSoft publishes Patch Set Update (PSU) releases, which contain the CPU fixes plus non-critical fixes.
The release contains 669 fixes and backports overall. Five security issues were fixed with the participation of BellSoft (3 in JDK and 2 in FX).
How to keep your runtime secure
BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to keep the runtime stable and secure.
CPUs are scheduled for release in January, April, July, and October every year.
Liberica JDK updates and patches are available at no cost.
The summary of fixes
- 13 security issues (CVEs) fixed;
- 29 total security fixes;
- 84 backports and bugs fixed:
- in Liberica 8u311: 27 + 2 in FX,
- in Liberica 126.96.36.199.1: 26 + 2 in FX,
- in Liberica 188.8.131.52.1: 25 + 2 in FX.
In addition, PSU releases include a total of 543 bugs and backports fixed:
- in Liberica 8u312: 29 security fixes (27 + 2 in FX) + 109 other bugs and backports,
- in Liberica 11.0.13: 28 security fixes (26 + 2 in FX) + 303 other bugs and backports,
- in Liberica 17.0.1: 27 security fixes (25 + 2 in FX) + 47 other bugs and backports.
List of security issues fixed
| CVE ID | CVSS score | Component | Module | Attack vector (network/local) | Complexity (low/high) | Privileges (none/low) | User interaction (none/required) | Scope (changed/unchanged) | Confidentiality (low/none/high) | Integrity (low/none/high) | Availability (low/none/high) |
Notable changes in Liberica JDK
Liberica JDK supports a wide range of platforms. This CPU update adds support for Windows 11, so you can upgrade your Windows version and keep developing without interruption. In addition, the Docker images now use updated base images for Debian and Alpine Linux:
- Debian 10
- Alpine Linux 3.14
CVEs fixed in Liberica per version:
- 17.0.1: 11 (9 + 2 in FX);
- 11.0.13: 12 (10 + 2 in FX);
- 8u311: 13 (11 + 2 in FX);
- 7u321: 9 (9 + 0 in FX).
Upstream changes: highlights
1. Transfer to Git/Skara (JDK 11)
With this CPU release, the JDK 11 Updates project was moved to Git on GitHub, so all Skara tooling is now available for that release. The move to Git/GitHub is a significant step forward for JDK 11u maintenance, as it greatly simplifies the workflows of developers working on OpenJDK 11 updates.
2. Updated preference of the default enabled cipher suites
Cipher suites are sets of algorithms (key exchange, authentication, bulk encryption and integrity protection) that secure a network connection over SSL/TLS. During the handshake, the client sends the cipher suites it supports in its order of preference and the server selects one that both sides support; in JSSE the server honours the client's order by default, unless SSLParameters.setUseCipherSuitesOrder(true) is set on the server side.
The JDK-8163326 change updates the preference order of the default enabled cipher suites so that suites offering forward secrecy (ECDHE/DHE key exchange) are preferred first, followed by AEAD suites. The goal is to reduce the chance that two peers negotiate a weaker suite than both can support; the compatibility impact should be minimal.
Moreover, the ChaCha20-Poly1305 AEAD cipher suites (JDK-8140466) are now available in JDK 11. This is an important enhancement, as major clients such as Google Chrome prefer these suites, particularly on devices without AES hardware acceleration.
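To see what the reordering means on a concrete JDK, the following added example (not code from Liberica or OpenJDK; the class and helper names are ours) prints the default enabled cipher suites of the running JDK in preference order, flags where the first suite without forward secrecy sits and whether ChaCha20-Poly1305 is enabled, and then pins a server socket to a forward-secrecy + AEAD subset with the server's own order enforced:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from Liberica or OpenJDK. Audits the default enabled
// cipher suite order of the running JDK and shows explicit server-side pinning.
public class CipherSuiteAudit {

    // TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key
    // exchange; TLS 1.2 names spell the key exchange out (ECDHE/DHE).
    static boolean hasForwardSecrecy(String suite) {
        return suite.startsWith("TLS_AES_")
            || suite.startsWith("TLS_CHACHA20_")
            || suite.startsWith("TLS_ECDHE_")
            || suite.startsWith("TLS_DHE_");
    }

    static boolean isAead(String suite) {
        return suite.contains("_GCM_") || suite.contains("CHACHA20_POLY1305");
    }

    // TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a real suite.
    static boolean isSignalling(String suite) {
        return suite.endsWith("_SCSV");
    }

    // Index of the first real suite without forward secrecy, or -1 if there is none.
    static int firstNonForwardSecrecy(String[] suites) {
        for (int i = 0; i < suites.length; i++) {
            if (!isSignalling(suites[i]) && !hasForwardSecrecy(suites[i])) return i;
        }
        return -1;
    }

    // Keep only AEAD suites with forward secrecy, preserving the JDK's order.
    static String[] hardenedSubset(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String s : enabled) {
            if (!isSignalling(s) && hasForwardSecrecy(s) && isAead(s)) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        System.out.println("Java " + System.getProperty("java.version")
            + ": " + enabled.length + " default enabled cipher suites");
        for (int i = 0; i < enabled.length; i++) {
            System.out.printf("%2d %-50s fs=%-5b aead=%b%n",
                i, enabled[i], hasForwardSecrecy(enabled[i]), isAead(enabled[i]));
        }

        int idx = firstNonForwardSecrecy(enabled);
        System.out.println(idx < 0
            ? "every enabled suite offers forward secrecy"
            : "first suite without forward secrecy at index " + idx + ": " + enabled[idx]);

        boolean chacha = false;
        for (String s : enabled) chacha |= s.contains("CHACHA20_POLY1305");
        System.out.println("ChaCha20-Poly1305 suites enabled: " + chacha);

        // Server-side pinning: restrict the suites and make the server's order win
        // instead of the client's (the JSSE default while this flag is false).
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setEnabledCipherSuites(hardenedSubset(enabled));
            SSLParameters params = server.getSSLParameters();
            params.setUseCipherSuitesOrder(true);
            server.setSSLParameters(params);
            System.out.println("server socket on port " + server.getLocalPort()
                + " pinned to " + server.getEnabledCipherSuites().length + " suites");
        }
    }
}
```

Run it once on a pre-CPU build and once on the updated one to compare the printed order; the pinning at the end is the way to get a fixed policy regardless of which JDK defaults a deployment ends up with.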
3. Corrected response of methods related to CPU load (JDK 8 & 11)
Both issues concern containers. First, getSystemCpuLoad() sometimes returned -1 (the "not available" sentinel) on Linux machines where several CPUs were offline and cpusets.effective_cpus was absent (JDK-8247469). Second, OperatingSystemImpl.getCpuLoad() could return 1.0 inside a container even though the CPU load was below 100% (JDK-8265836). The cause was that the load was computed against elapsed wall-clock time instead of the total CPU time actually available to the container. That available time is bounded by the CFS quota (cpu.cfs_quota_us), so the consumed CPU time must be divided by the quota-derived value ("quotaNanos") rather than by the elapsed time alone.
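The following added example (not OpenJDK code; the class name, helper names and the cgroup v1 paths under /sys/fs/cgroup are assumptions of this example) computes a quota-aware load from the cgroup v1 cpu and cpuacct controllers the way the fix expects, and shows how the -1 sentinel from the MXBean must be handled:

```java
import com.sun.management.OperatingSystemMXBean;
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not OpenJDK code. Derives a quota-aware CPU load from the
// cgroup v1 cpu/cpuacct controllers and compares it with the MXBean figure.
// The /sys/fs/cgroup paths are the usual cgroup v1 layout and are an
// assumption of this example; they do not exist on cgroup v2 hosts.
public class ContainerCpuLoad {

    static final Path CPU = Paths.get("/sys/fs/cgroup/cpu");         // cpu.cfs_quota_us, cpu.cfs_period_us
    static final Path CPUACCT = Paths.get("/sys/fs/cgroup/cpuacct"); // cpuacct.usage (nanoseconds)

    static long readLong(Path p) throws IOException {
        return Long.parseLong(new String(Files.readAllBytes(p)).trim());
    }

    // CPUs the CFS quota allows: quota/period, capped by the CPUs the JVM can see.
    // A quota of -1 means "unlimited", so only the cap applies.
    static double effectiveCpus(long quotaUs, long periodUs, int availableCpus) {
        if (quotaUs <= 0 || periodUs <= 0) return availableCpus;
        return Math.min(availableCpus, (double) quotaUs / periodUs);
    }

    // Load in [0,1]: CPU nanoseconds consumed in the interval divided by the CPU
    // nanoseconds the quota made available in that interval ("quotaNanos").
    // Dividing by elapsed wall time alone is what produced the bogus 1.0.
    static double load(long usageDeltaNs, long elapsedNs, double cpus) {
        if (usageDeltaNs < 0 || elapsedNs <= 0 || cpus <= 0) return -1; // -1: not available
        double quotaNanos = elapsedNs * cpus;
        return Math.max(0.0, Math.min(1.0, usageDeltaNs / quotaNanos));
    }

    public static void main(String[] args) throws Exception {
        // availableProcessors() is already container-aware in current JDKs, so the
        // cap only matters when the JVM's own container detection is switched off.
        int availableCpus = Runtime.getRuntime().availableProcessors();
        long quota = readLong(CPU.resolve("cpu.cfs_quota_us"));
        long period = readLong(CPU.resolve("cpu.cfs_period_us"));
        double cpus = effectiveCpus(quota, period, availableCpus);

        long usage0 = readLong(CPUACCT.resolve("cpuacct.usage"));
        long t0 = System.nanoTime();
        Thread.sleep(1000);
        long usage1 = readLong(CPUACCT.resolve("cpuacct.usage"));
        long t1 = System.nanoTime();

        System.out.printf("quota=%dus period=%dus -> %.2f effective CPUs (JVM sees %d)%n",
            quota, period, cpus, availableCpus);
        System.out.printf("cgroup-derived load over %d ms: %.3f%n",
            (t1 - t0) / 1_000_000, load(usage1 - usage0, t1 - t0, cpus));

        // The MXBean returns -1 when the figure is not available (the case fixed by
        // JDK-8247469); treat it as "unknown", never as a load reading.
        OperatingSystemMXBean os =
            (OperatingSystemMXBean) ManagementFactory.getOperatingSystemMXBean();
        double reported = os.getSystemCpuLoad(); // getCpuLoad() replaces it from JDK 14
        System.out.println(reported < 0
            ? "MXBean: system CPU load not available"
            : String.format("MXBean: %.3f", reported));
    }
}
```

Run it inside a container started with a CPU limit (for example --cpus=0.5 in Docker) while a busy loop runs: the cgroup-derived figure tracks the quota, and on an unfixed JDK 8 or 11 the MXBean value is the one that saturates at 1.0.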
4. Fixed Kerberos credential retrieval in cross-realm setup
The problem concerned Kerberos constrained delegation when the backend and the middleware were in different realms (JDK-8270137). When the client called the middleware, the middleware obtained a constrained-delegation ticket for the backend, called the backend on behalf of the client, and the backend returned its response to the middleware. Because tickets were taken from the referrals cache, the first request succeeded but subsequent ones did not. The fix is to not retrieve credentials from the cache for proxy requests.
5. Adjusted cgroup initialization (JDK 8 & 11)
This problem concerned failing cgroup support on Kubernetes: pods failed to start because an exception was thrown while reading cgroup information (JDK-8272124).
Control groups (cgroups) are the Linux kernel mechanism for allocating resources among groups of processes (task groups). To initialize cgroup support, the JDK locates the mount points from /proc/self/mountinfo and reads the cgroup subsystem paths from /proc/self/cgroup. The latter is a line-based text file with three colon-separated fields: hierarchy ID, controller list and cgroup path. The file was parsed with a bare split on the colon, so a cgroup path that itself contains a colon was cut at that colon and the remainder of the path was ignored; the truncated path no longer matched the mount point, the subsystem path was left null during initialization, and a NullPointerException was thrown at the attempt to read a configuration file and call
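The following added example (not the JDK's own parser; class, helper names, the sample /proc/self/cgroup lines and the mount root are constructed for this illustration) reproduces the defect side by side with the corrected split, and shows where the null that ended in the NullPointerException comes from:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not the JDK's own parser. A bare split on ':' truncates a
// cgroup path that contains a colon; the truncated path no longer matches the
// mount root from /proc/self/mountinfo and the subsystem path becomes null.
// The sample lines and the mount root below are constructed for this example.
public class CgroupLineParser {

    static final class Entry {
        final String hierarchyId;
        final String controllers;
        final String cgroupPath;

        Entry(String hierarchyId, String controllers, String cgroupPath) {
            this.hierarchyId = hierarchyId;
            this.controllers = controllers;
            this.cgroupPath = cgroupPath;
        }
    }

    // Defective variant: unlimited split, the path loses everything after its first colon.
    static Entry parseBare(String line) {
        String[] t = line.split(":");
        return new Entry(t[0], t[1], t[2]);
    }

    // Corrected variant: at most three tokens, so the third token is the whole path.
    static Entry parseLimited(String line) {
        String[] t = line.split(":", 3);
        if (t.length != 3) throw new IllegalArgumentException("malformed cgroup line: " + line);
        return new Entry(t[0], t[1], t[2]);
    }

    static List<Entry> parseAll(List<String> lines, boolean limited) {
        List<Entry> out = new ArrayList<>();
        for (String line : lines) out.add(limited ? parseLimited(line) : parseBare(line));
        return out;
    }

    // Path recorded for a controller, or null if no line names it.
    static String pathFor(List<Entry> entries, String controller) {
        for (Entry e : entries) {
            if (Arrays.asList(e.controllers.split(",")).contains(controller)) return e.cgroupPath;
        }
        return null;
    }

    // Where the controller's files are resolved: the cgroup path relative to the mount
    // root seen in /proc/self/mountinfo. Null when the two do not line up, which is the
    // value that later surfaced as a NullPointerException.
    static String subsystemPath(String mountRoot, String cgroupPath) {
        if (cgroupPath == null || !cgroupPath.startsWith(mountRoot)) return null;
        String rel = cgroupPath.substring(mountRoot.length());
        return rel.isEmpty() ? "/" : rel;
    }

    public static void main(String[] args) {
        // Constructed sample: the container runtime appends a colon-separated tag to the path.
        List<String> lines = Arrays.asList(
            "11:cpu,cpuacct:/kubepods/pod1234/container:cri:abcd",
            "3:memory:/kubepods/pod1234/container:cri:abcd",
            "0::/");
        String mountRoot = "/kubepods/pod1234/container:cri:abcd"; // constructed mountinfo root

        for (boolean limited : new boolean[] {false, true}) {
            List<Entry> entries = parseAll(lines, limited);
            String cpuPath = pathFor(entries, "cpu");
            String resolved = subsystemPath(mountRoot, cpuPath);
            System.out.printf("%-7s cgroupPath=%s -> subsystem path=%s%n",
                limited ? "limited" : "bare", cpuPath, resolved);
            if (resolved == null) {
                System.out.println("        reading " + resolved + "/cpu.cfs_quota_us would fail here");
            }
        }
    }
}
```

The bare variant prints the path cut at the first colon and a null subsystem path; the limited variant resolves to "/", which is what the JDK needs to locate cpu.cfs_quota_us and the other controller files.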
Supported platforms
Liberica JDK is tested and proven to work on a large number of platforms.
Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:
- Microsoft Hyper-V (gen 1 and gen 2)
- VMware vSphere Hypervisor
- Solaris Containers & Solaris LDOMs
Liberica JDK supports all major cloud providers, including but not limited to:
- Amazon AWS
- Digital Ocean
- Google Cloud
- Microsoft Azure
- VMware Tanzu
- Yandex Cloud
Enjoy the most stable runtime!
We at BellSoft are committed to making our products more secure, efficient, and stable, so that you can keep developing high-end applications.
The new builds are available for download right now in the Liberica Download Center.
- [11u] Proposal: Switch jdk11u development to Git/Skara
- [JDK-8163326] Update the default enabled cipher suites preference - Java Bug System
- [JDK-8140466] ChaCha20 and Poly1305 TLS Cipher Suites - Java Bug System
- [JDK-8270137] Kerberos Credential Retrieval from Cache in Cross-Realm Setup - Java Bug System
- [JDK-8247469] getSystemCpuLoad() issue - Java Bug System
- [JDK-8265836] OperatingSystemImpl.getCpuLoad() issue - Java Bug System
- [JDK-8272124] Failing cgroup v1 initialization - Java Bug System