
Liberica 8u322, 11.0.14, and 17.0.2 are released

Jan 19, 2022
Aleksei Voitylov

We are happy to announce that today we release Liberica JDK versions 17.0.2, 11.0.14, and 8u322 as part of the quarterly CPU cadence. CPU (Critical Patch Update) releases keep the runtime secure and performant, as they contain CVE fixes and critical bug fixes, whereas PSU (Patch Set Update) releases contain the same security fixes plus non-critical fixes.

The release contains 790 fixes and backports. 9 security issues were fixed with the participation of BellSoft (8 in JDK and 1 in FX).

Contents

  1. How to keep your runtime secure
  2. The summary of fixes
    1. List of security issues fixed
  3. Summary of fixes in Liberica JDK
  4. Notable upstream changes
  5. Supported platforms
  6. Enjoy the most stable runtime!
  7. Useful links

How to keep your runtime secure

BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to keep the runtime stable and secure.

CPUs are scheduled for release in January, April, July, and October every year.

Liberica JDK updates and patches are available at no cost.

The summary of fixes

  • 16 security issues (CVEs) fixed;
  • 93 total security fixes in the CPU releases:
    • in Liberica 8u321: 30 security fixes (28 + 2 in FX),
    • in Liberica 11.0.13.0.1: 33 security fixes (31 + 2 in FX),
    • in Liberica 17.0.1.0.1: 30 security fixes (28 + 2 in FX).

    The PSU releases carry the same security fixes plus additional bug fixes and backports, 790 fixes in total:

    • in Liberica 8u322: 30 security fixes (28 + 2 in FX) + 52 additional fixes,
    • in Liberica 11.0.14: 33 security fixes (31 + 2 in FX) + 353 additional fixes,
    • in Liberica 17.0.2: 30 security fixes (28 + 2 in FX) + 292 additional fixes.

List of security issues fixed

CVE ID | CVSS score | Component | Module | Attack vector (network/local) | Complexity (low/high) | Privileges (none/low) | User interaction (none/required) | Scope (changed/unchanged) | Confidentiality (low/none/high) | Integrity (low/none/high) | Availability (low/none/high)
CVE-2022-21341 | 5.3 | core-libs | java.io:serialization | network | low | none | none | unchanged | none | none | low
CVE-2022-21365 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low
CVE-2022-21282 | 5.3 | xml | jaxp | network | low | none | none | unchanged | low | none | none
CVE-2022-21291 | 5.3 | hotspot | runtime | network | low | none | none | unchanged | none | low | none
CVE-2022-21277 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low
CVE-2022-21305 | 5.3 | hotspot | compiler | network | low | none | none | unchanged | none | low | none
CVE-2022-21299 | 5.3 | xml | jaxp | network | low | none | none | unchanged | none | none | low
CVE-2022-21296 | 5.3 | xml | jaxp | network | low | none | none | unchanged | low | none | none
CVE-2022-21349 | 5.3 | client-libs | 2d | network | low | none | none | unchanged | none | none | low
CVE-2022-21283 | 5.3 | core-libs | java.util | network | low | none | none | unchanged | none | none | low
CVE-2022-21340 | 5.3 | security-libs | java.security | network | low | none | none | unchanged | none | none | low
CVE-2022-21293 | 5.3 | core-libs | java.lang | network | low | none | none | unchanged | none | none | low
CVE-2022-21294 | 5.3 | core-libs | java.util | network | low | none | none | unchanged | none | none | low
CVE-2022-21360 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low
CVE-2022-21366 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low
CVE-2022-21248 | 3.7 | core-libs | java.io:serialization | network | high | none | none | unchanged | none | low | none

Summary of fixes in Liberica JDK

CVEs fixed in Liberica per version:

  • 17.0.2: 15 (15 + 0 in FX);
  • 11.0.14: 15 (15 + 0 in FX);
  • 8u322: 13 (13 + 0 in FX).

Notable upstream changes

Updated Timezone Data to 2021e

The time zone rules were updated by the IANA Time Zone Database several times in 2021. The 2021b release introduced changes that caused compatibility problems and also contained several typos. The JDK now ships the 2021e release of the database, which corrects them.

Corrected Files.walkFileTree method

If a zip file contained a directory entry named “.”, Files.walkFileTree would walk it forever. A bug causing a similar problem with a “/” in the directory name was fixed earlier.

The fix rejects zip files that have “.” or “..” as a name element when they are opened as a file system: when the java.nio.file.FileSystems.newFileSystem(...) methods are invoked on such an archive, they now throw ZipException instead of mounting it.
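The following Java program is an added example (not BellSoft's or OpenJDK's code) that shows the behaviour from both sides. It builds two constructed archives, one clean and one containing a “.” entry of the kind that triggered JDK-8251329, runs a pre-check of its own (findUnsafeEntry, a name chosen for this example) that rejects “.”, “..” and absolute entry names before the archive is mounted, and only mounts the hostile archive on explicit request. The pre-check does not depend on the JDK fix, so it also protects a runtime that has not been updated yet, where newFileSystem would still accept the archive and the walk would not terminate.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.Collections;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipFsGuard {

    // Pre-check written for this example (not JDK code): returns the first entry
    // name that has a "." or ".." path element or starts with a separator, or
    // null if every name is clean. It runs on any JDK version, so it protects a
    // runtime that predates the fix, where FileSystems.newFileSystem would still
    // accept the archive and Files.walkFileTree would then loop forever.
    static String findUnsafeEntry(Path zip) throws IOException {
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (name.startsWith("/") || name.startsWith("\\")) {
                    return name;
                }
                for (String element : name.split("[/\\\\]")) {
                    if (element.equals(".") || element.equals("..")) {
                        return name;
                    }
                }
            }
        }
        return null;
    }

    // Writes a constructed archive with the given entry names; this only produces
    // input for the example. ZipOutputStream does not normalize names, so a "./"
    // entry is written exactly as given.
    static Path writeZip(Path target, String... entryNames) throws IOException {
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(target))) {
            for (String name : entryNames) {
                out.putNextEntry(new ZipEntry(name));
                if (!name.endsWith("/")) {
                    out.write(name.getBytes(StandardCharsets.UTF_8));
                }
                out.closeEntry();
            }
        }
        return target;
    }

    // Mounts the archive through the zipfs provider and counts regular files with
    // Files.walkFileTree, the method named in the bug report.
    static long countFiles(Path zip) throws IOException {
        URI uri = URI.create("jar:" + zip.toUri());
        final long[] count = {0};
        try (FileSystem fs = FileSystems.newFileSystem(uri, Collections.<String, Object>emptyMap())) {
            Files.walkFileTree(fs.getPath("/"), new SimpleFileVisitor<Path>() {
                @Override
                public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
                    if (attrs.isRegularFile()) {
                        count[0]++;
                    }
                    return FileVisitResult.CONTINUE;
                }
            });
        }
        return count[0];
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("zipfs-guard");
        Path clean = writeZip(dir.resolve("clean.zip"), "a.txt", "sub/", "sub/b.txt");
        Path hostile = writeZip(dir.resolve("dot.zip"), "a.txt", "./", "./c.txt");

        System.out.println("clean.zip unsafe entry: " + findUnsafeEntry(clean));
        System.out.println("clean.zip regular files: " + countFiles(clean));

        String bad = findUnsafeEntry(hostile);
        System.out.println("dot.zip unsafe entry: " + bad);
        boolean mountAnyway = args.length > 0 && args[0].equals("--mount-anyway");
        if (bad != null && !mountAnyway) {
            System.out.println("refusing to mount dot.zip");
            return;
        }
        // Reached only with --mount-anyway. On 8u322, 11.0.14, 17.0.2 and later,
        // newFileSystem throws ZipException here; on an unpatched runtime the
        // walk would not terminate, which is why the pre-check above runs first.
        try {
            System.out.println("dot.zip regular files: " + countFiles(hostile));
        } catch (ZipException e) {
            System.out.println("zipfs rejected dot.zip: " + e.getMessage());
        }
    }
}
```

Compile and run it with `javac ZipFsGuard.java && java ZipFsGuard` to see the pre-check refuse the archive, and with `java ZipFsGuard --mount-anyway` on an updated release to see the ZipException from zipfs. Treat the second form as a test of the runtime, not as something to run against untrusted input on a JDK older than this release.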

Fixed accidental cleaning of valid megamorphic vtable inline cache by GC

The issue was related to GC behavior. A 10-year-old bug causing long “Concurrent Process Non-Strong References” times with ZGC (Z Garbage Collector) could trigger major latency and throughput issues for applications. In summary, in some cases the GC cleaned megamorphic vtable inline caches that were still valid (see JDK-8277212 in the Java Bug System for the detailed description); the Java threads then restored the cleaned caches using ICStubs, turning them back into megamorphic vtable calls. As a result, the GC and the Java threads continuously flipped the inline cache between the clean and the megamorphic vtable state and kept scheduling ICBufferFull safepoints. This could last for many seconds or several minutes. To verify that the issue is fixed, run with -Xlog:gc*,safepoint and examine the log for repeated ICBufferFull safepoints.
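As an added example of the check in the last sentence (not code from BellSoft or the JDK), the following program summarizes a -Xlog:gc*,safepoint log by safepoint reason. It assumes the JDK 17 unified-logging wording of safepoint lines (Safepoint "<reason>", ..., At safepoint: <n> ns); lines in any other shape are skipped. The sample lines in main are constructed for the example, not captured from a real run, and the ICBufferFull threshold in icBufferFullDominates is an arbitrary choice, not a JDK value.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SafepointSummary {

    // Per-reason totals: how many safepoints and how long threads were stopped in them.
    static final class Stat {
        long count;
        long atSafepointNs;
    }

    // One safepoint line as printed by -Xlog:safepoint on JDK 17 (assumed format;
    // older releases word these lines differently and are simply not matched).
    private static final Pattern SAFEPOINT = Pattern.compile(
            "\\[safepoint\\] Safepoint \"(?<reason>[A-Za-z0-9_]+)\".*?At safepoint: (?<ns>\\d+) ns");

    // Groups safepoint lines by reason; gc* output and other tags are ignored.
    static Map<String, Stat> summarize(List<String> lines) {
        Map<String, Stat> byReason = new TreeMap<>();
        for (String line : lines) {
            Matcher m = SAFEPOINT.matcher(line);
            if (!m.find()) {
                continue;
            }
            Stat s = byReason.computeIfAbsent(m.group("reason"), k -> new Stat());
            s.count++;
            s.atSafepointNs += Long.parseLong(m.group("ns"));
        }
        return byReason;
    }

    // The symptom described above: ICBufferFull safepoints making up most of the
    // log. minCount is an arbitrary floor for this example so that a handful of
    // normal ICBufferFull safepoints in a short log is not reported.
    static boolean icBufferFullDominates(Map<String, Stat> stats, long minCount) {
        Stat ic = stats.get("ICBufferFull");
        if (ic == null) {
            return false;
        }
        long total = stats.values().stream().mapToLong(s -> s.count).sum();
        return ic.count >= minCount && ic.count * 2 > total;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample lines (not a captured log), shaped like JDK 17 output:
        // one G1 pause followed by three ICBufferFull safepoints a few ms apart.
        List<String> sample = Arrays.asList(
                "[2.101s][info][gc] GC(3) Pause Young (Normal) (G1 Evacuation Pause) 24M->8M(64M) 3.212ms",
                "[2.105s][info][safepoint] Safepoint \"G1CollectForAllocation\", Time since last: 98817211 ns, Reaching safepoint: 41520 ns, At safepoint: 3301450 ns, Total: 3342970 ns",
                "[2.110s][info][safepoint] Safepoint \"ICBufferFull\", Time since last: 5012345 ns, Reaching safepoint: 20110 ns, At safepoint: 88310 ns, Total: 108420 ns",
                "[2.116s][info][safepoint] Safepoint \"ICBufferFull\", Time since last: 5998120 ns, Reaching safepoint: 19840 ns, At safepoint: 90225 ns, Total: 110065 ns",
                "[2.122s][info][safepoint] Safepoint \"ICBufferFull\", Time since last: 6104433 ns, Reaching safepoint: 21007 ns, At safepoint: 87662 ns, Total: 108669 ns");

        // With a file argument, summarize a real log written by
        // -Xlog:gc*,safepoint:file=<path>; otherwise use the constructed sample.
        List<String> lines = args.length > 0 ? Files.readAllLines(Paths.get(args[0])) : sample;

        Map<String, Stat> stats = summarize(lines);
        for (Map.Entry<String, Stat> e : stats.entrySet()) {
            System.out.printf("%-28s count=%d  stopped=%.3f ms%n",
                    e.getKey(), e.getValue().count, e.getValue().atSafepointNs / 1e6);
        }
        System.out.println("ICBufferFull dominates: " + icBufferFullDominates(stats, 3));
    }
}
```

Run the workload with `-Xlog:gc*,safepoint:file=gc.log` and pass gc.log as the argument. On an affected runtime the ICBufferFull count keeps climbing while the application stalls; on a release with the fix it should be a small share of all safepoints rather than the dominant reason.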

Supported platforms

Liberica JDK is tested and proven to work on a large number of platforms.

Liberica JDK can be run in virtual and cloud environments. The following hypervisors and container platforms are supported:

  • Docker
  • KVM
  • Microsoft Hyper-V (gen 1 and gen 2)
  • VirtualBox
  • VMware vSphere Hypervisor
  • Solaris Containers & Solaris LDOMs

Liberica JDK supports all major cloud providers, including but not limited to:

  • Amazon AWS
  • Digital Ocean
  • Google Cloud
  • Microsoft Azure
  • OVH
  • Packet
  • Scaleway
  • VMware Tanzu
  • Yandex Cloud

Enjoy the most stable runtime!

BellSoft is committed to providing developers with the utmost Java experience. Therefore, we work constantly on improving the security and performance of our products, as well as keeping your runtime safe at all times.

The new Liberica JDK builds are available for download from the Liberica Download Center.

Useful links

  1. [JDK-8275766] Update Timezone Data to 2021e - Java Bug System
  2. [JDK-8251329] Files.walkFileTree issue - Java Bug System
  3. [JDK-8277212] GC issue - Java Bug System