Posts

Liberica 17.0.2, 11.0.14, and 8u322 builds are out

Jan 19, 2022
Aleksei Voitylov
14.4

We are happy to announce that today we release Liberica JDK versions 17.0.2, 11.0.14, and 8u322 as part of the quarterly CPU cadence. CPU (Critical Patch Update) releases help keep the runtime secure and performant as they contain CVE and bug fixes, whereas PSU releases contain non-critical fixes.

The release contains 790 fixes and backports. 9 security issues were fixed with the participation of BellSoft (8 in JDK and 1 in FX).

Contents

  1. How to keep your runtime secure
  2. The summary of fixes
    1. List of security issues fixed
  3. Summary of fixes in Liberica JDK
  4. Notable upstream changes
  5. Supported platforms
  6. Enjoy the most stable runtime!
  7. Useful links

How to keep your runtime secure

BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to ensure the stable work and secure performance of the runtime.

CPUs are scheduled for release in January, April, June, and October every year.

Liberica JDK updated and patches are available at no cost.

Download Liberica JDK

The summary of fixes

  • 16 security issues (CVEs) fixed;
  • 93 total security fixes in CPU release:
    • in Liberica 8u321: 30 security fixes (28 + 2 in FX),
    • in Liberica 11.0.13.0.1: 33 security fixes (31 + 2 in FX),
    • in Liberica 17.0.1.0.1: 30 security fixes (28 + 2 in FX).

    In addition, PSU releases include a total of 790 bugs and backports fixed:

    • in Liberica 8u322: 30 security fixes (28 + 2 in FX) + 52 additional fixes,
    • in Liberica 11.0.14: 33 security fixes (31 + 2 in FX) + 353 additional fixes,
    • in Liberica 17.0.2: 30 security fixes (28 + 2 in FX) + 292 additional fixes.

Download Liberica JDK

List of security issues fixed

CVE ID cvss score component module Attack vector (network/local) Complexity (low/high) Privileges (none/low) User interaction (none/required) Scope (changed/unchanged) Confidentiality (low/none/high) Integrity (low/none/high) Availability (low/none/high)
CVE-2022-21341 5.3 core-libs java.io:serialization network low none none unchanged none none low
CVE-2022-21365 5.3 client-libs javax.imageio network low none none unchanged none none low
CVE-2022-21282 5.3 xml jaxp network low none none unchanged low none none
CVE-2022-21291 5.3 hotspot runtime network low none none unchanged none low none
CVE-2022-21277 5.3 client-libs javax.imageio network low none none unchanged none none low
CVE-2022-21305 5.3 hotspot compiler network low none none unchanged none low none
CVE-2022-21299 5.3 xml jaxp network low none none unchanged none none low
CVE-2022-21296 5.3 xml jaxp network low none none unchanged low none none
CVE-2022-21349 5.3 client-libs 2d network low none none unchanged none none low
CVE-2022-21283 5.3 core-libs java.util network low none none unchanged none none low
CVE-2022-21340 5.3 security-libs java.security network low none none unchanged none none low
CVE-2022-21293 5.3 core-libs java.lang network low none none unchanged none none low
CVE-2022-21294 5.3 core-libs java.util network low none none unchanged none none low
CVE-2022-21360 5.3 client-libs javax.imageio network low none none unchanged none none low
CVE-2022-21366 5.3 client-libs javax.imageio network low none none unchanged none none low
CVE-2022-21248 3.7 core-libs java.io:serialization network high none none unchanged none low none

Summary of fixes in Liberica JDK

CVEs fixed in Liberica per version:

  • 17.0.2: 15 (15 + 0 in FX);
  • 11.0.14: 15 (15 + 0 in FX);
  • 8u322: 13 (13 + 0 in FX).

Notable upstream changes

Updated Timezone Data to 2021e

The issue is related to the time zone rules, which were updated by the IANA Time Zone Database in 2021. Some changes introduced in 2021b caused compatibility problems and contained several typos. The issue is resolved by updating to the 2021e release.

Corrected Files.walkFileTree method

In cases where a zip file contained the directory with “.” name, the Files.walkFileTree would walk infinitely. A bug causing a similar problem with “/” in the directory was fixed earlier.

The solution to this issue is to reject the zip files with “.” and “..” in name elements to be utilized as a file system. When the java.nio.file.FileSystems.newFileSystem(...) methods are invoked, such folders make them return the ZipException.

Fixed accidental cleaning of valid megamorphic vtable inline cache by GC

The issue was related to the GC behavior. A 10-year-old bug causing long “Concurrent Process Non-Strong References” times with ZGC (Z Garbage Collector) could trigger major latency and throughput issues for applications. In summary, the GC cleaned the megamorphic vtable call cache in some cases (see detailed description in Java Bug System) and after that, Java threads corrected the cleaned caches using ICStubs. Those caches then became megamorphic vtable calls again. As a result, the GC and Java threads continuously changed the inline cache between clean and megamorphic vtable calls and scheduled ICBufferFull safepoints. This could last for many seconds or several minutes. To verify that the issue was fixed, examine the logs after running with -Xlog:gc* safepoint.

Supported platforms

Liberica JDK is tested and proven to work on a large number of platforms.

Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:

  • Docker
  • KVM
  • Microsoft Hyper-V (gen 1 and gen 2)
  • VirtualBox
  • VMware vSphere Hypervisor
  • Solaris Containers & Solaris LDOMs

Liberica JDK supports all major cloud providers, including but not limited to:

  • Amazon AWS
  • Digital Ocean
  • Google Cloud
  • Microsoft Azure
  • OVH
  • Packet
  • Scaleway
  • VMware Tanzu
  • Yandex Cloud

Enjoy the most stable runtime!

BellSoft is committed to providing developers with the utmost Java experience. Therefore, we work constantly on improving the security and performance of our products, as well as keeping your runtime safe at all times.

The new Liberica JDK builds are available for download! Click here or on the button below to head over to Liberica Download Center.

Download Liberica JDK

  1. [JDK-8275766] Update Timezone Data to 2021e - Java Bug System
  2. [JDK-8251329] Files.walkFileTree issue - Java Bug System
  3. [JDK-8277212] GC issue - Java Bug System
Announcements
BellSoft Releases Container Images with Liberica JDK for Rocky Linux
card image
Oct 30, 2024
Aleksei Voitylov
0

Liberica JDK container images for Rocky Linux are aimed to substitute images for CentOS that which reached EOL.

Posts
Liberica Native Image Kit 23.0.6, 23.1.5, and 24.1.1 builds are released
card image
Oct 28, 2024
Peter Zhelezniakov
0

New Liberica NIK versions 23.0.6, 23.1.5, and 24.1.1 include several important fixes in the JDK.

Subcribe to our newsletter

figure

Read the industry news, receive solutions to your problems, and find the ways to save money.

Further reading

Posts
A guide to Java profiling: tools, techniques, best practices
card image
Nov 14, 2024
Catherine Edelveis
0

Discover Java profiling with JFR, VisualVM, Async Profiler, and more. Detailed setups and tips for production-ready applications.

News
BellSoft adds AArch64 support to Alpaquita Linux distribution and Alpaquita containers
card image
Nov 12, 2024
0

BellSoft’s Alpaquita Linux now includes AArch64 support, optimizing Java on Arm-based hardware for the cloud. Experience faster response, lower costs, and secure containerized Java applications with this powerful, lightweight Linux distribution tailored for modern workloads.

Posts
Java Developer Survey: Trends and Practices in Java Development
card image
Oct 31, 2024
Alex Belokrylov
0

Explore insights from BellSoft’s 2024 Java Developer Survey conducted at Devoxx Belgium. Discover current trends in Java development, including challenges with Java 11 performance, the role of AI tools like ChatGPT in coding, and the growing focus on green Java practices and cloud cost optimization.

Aleksei Voitylov
Aleksei Voitylov | BellSoft CTO