Today we announce a Critical Patch Update (CPU) of Liberica JDK. CPU patches (versions 8u331, 11.0.14.1.1, 17.0.2.1, and 7u341) contain fixes for Common Vulnerabilities and Exposures (CVE) and help to keep the runtime secure and performant at all times. In addition to the CPU, we also release Patch Set Updates (PSU; versions 18.0.1, 17.0.3, 11.0.15, and 8u332) with non-critical fixes.
The release contains 604 fixes and backports overall. BellSoft participated in eliminating 52 issues (31 in JDK and 21 in FX) in all releases.
Contents
- How to keep your runtime secure
- The summary of fixes
- Summary of fixes in Liberica JDK
- Upstream changes: highlights
- Supported platforms
- Enjoy the most stable runtime!
- Useful links
How to keep your runtime secure
BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to keep the runtime stable and secure.
CPUs are scheduled for release in January, April, June, and October every year.
Liberica JDK updates and patches are available at no cost.
The summary of fixes
- 6 security issues (CVEs) fixed;
- 86 total security fixes in CPU release:
  - in Liberica 7u341: 17 security fixes,
  - in Liberica 8u331: 20 security fixes + 3 FX,
  - in Liberica 11.0.14.1.1: 19 security fixes + 3 FX,
  - in Liberica 17.0.2.1: 21 security fixes + 3 FX.
In addition, PSU releases include a total of 518 bugs and backports fixed:
- in Liberica 8u332: 23 security fixes (20 + 3 in FX) + 41 additional fixes,
- in Liberica 11.0.15: 22 security fixes (19 + 3 in FX) + 181 additional fixes,
- in Liberica 17.0.3: 24 security fixes (21 + 3 in FX) + 174 additional fixes,
- in Liberica 18.0.1: 23 security fixes (20 + 3 in FX) + 30 additional fixes.
List of security issues fixed
CVE ID | CVSS score | Component | Module | Attack vector (network/local) | Complexity (low/high) | Privileges (none/low) | User interaction (none/required) | Scope (changed/unchanged) | Confidentiality (low/none/high) | Integrity (low/none/high) | Availability (low/none/high) | Liberica JDK 8u332 | Liberica JDK 11.0.15 | Liberica JDK 17.0.3 | Liberica JDK 18.0.1 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2022-21449 | 7.5 | security-libs | java.security | network | low | none | none | unchanged | none | high | none | | | ● | ● |
CVE-2022-21476 | 7.5 | security-libs | java.security | network | low | none | none | unchanged | high | none | none | ● | ● | | |
CVE-2022-21426 | 5.3 | xml | jaxp | network | low | none | none | unchanged | none | none | low | ● | ● | ● | ● |
CVE-2022-21434 | 5.3 | core-libs | java.lang | network | low | none | none | unchanged | none | low | none | ● | ● | ● | ● |
CVE-2022-21496 | 5.3 | core-libs | javax.naming | network | low | none | none | unchanged | none | low | none | ● | ● | ● | ● |
CVE-2022-21443 | 3.7 | security-libs | java.security | network | high | none | none | unchanged | none | none | low | ● | ● | ● | ● |
Summary of fixes in Liberica JDK
CVEs fixed in Liberica per version:
CVE | CVSS | 8 | 11 | 17 | 18 |
---|---|---|---|---|---|
CVE-2022-21449 | 7.5 | - | - | ● | ● |
CVE-2022-21476 | 7.5 | ● | ● | - | - |
CVE-2022-21426 | 5.3 | ● | ● | ● | ● |
CVE-2022-21434 | 5.3 | ● | ● | ● | ● |
CVE-2022-21496 | 5.3 | ● | ● | ● | ● |
CVE-2022-21443 | 3.7 | ● | ● | ● | ● |
Upstream changes: highlights
This CPU release contains a number of important additions and updates. It also includes the first patched build of the non-LTS JDK 18. Non-LTS releases are rarely used in enterprise development, but if you installed JDK 18 to try out new features, we recommend updating it to keep your runtime environment safe and performant.
macOS/AArch64 Port
The most important enhancement is the implementation of JEP 391, which ports the JDK to the macOS/AArch64 platform. Since Apple began the transition of its computers from x86_64 to its own ARM-based processors (M1, or Apple Silicon), demand for the macOS/AArch64 port has been growing among Java developers. Apple M1 chips outperform traditional Intel processors, but running under the Rosetta 2 translator affected Java application performance to a certain extent. JEP 391 is now backported to jdk11u-dev, which eliminates the need for the translation layer.
We at BellSoft have advocated the ARM architecture for a long time. Our engineers contributed to the enhancement of the AArch64 port by proposing and implementing JEP 315. Needless to say, Liberica JDK has run natively on Apple Silicon since the introduction of this architecture.
Updated XML Security for Java
The java.xml.crypto module, which defines the API for XML cryptography, was updated to 2.3.0, keeping XML cryptographic operations secure. The module now matches Apache XML Security for Java 2.3.0 (the Apache Santuario project).
A special note on XSLTC: it now enforces an upper limit on the number of groups in an XPath expression (the limit defaults to 10, i.e. -Djdk.xml.xpathExprGrpLimit=10), which may affect products like Apache Solr. If you encounter an error such as “JAXP0801001: the compiler encountered an XPath expression containing ‘X’ groups that exceeds the ‘Y’ limit”, raise the limit by setting the jdk.xml.xpathExprGrpLimit property to X (add -Djdk.xml.xpathExprGrpLimit=X to the java options).
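The following program is an added example, not code from the original post or from BellSoft: it shows how to surface the JAXP0801001 diagnostic described above in your own code rather than only on stderr. XSLTC hands compile errors to the factory's ErrorListener before throwing a generic "could not compile" exception, so a collecting listener is what captures the message. The stylesheet with 12 parenthesised sub-expressions is a constructed input that is intended to exceed the default limit of 10 on a patched runtime; the program reports whichever outcome the runtime produces, and the group count can be passed as the first argument.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class XPathGroupLimitCheck {

    // Constructed stylesheet: one select expression with `groups` parenthesised
    // sub-expressions, e.g. item[(@id = 0) or (@id = 1) or ...].
    static String stylesheetWithGroups(int groups) {
        StringBuilder expr = new StringBuilder("item[");
        for (int i = 0; i < groups; i++) {
            if (i > 0) expr.append(" or ");
            expr.append("(@id = ").append(i).append(")");
        }
        expr.append("]");
        return "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + "<xsl:template match=\"/\"><xsl:copy-of select=\"" + expr + "\"/></xsl:template>"
             + "</xsl:stylesheet>";
    }

    // Compiles the stylesheet with the platform XSLTC and returns every error the
    // compiler reported. Errors (including JAXP0801001) are delivered to the
    // ErrorListener; the exception thrown afterwards only says compilation failed.
    static List<String> compileErrors(String stylesheet) {
        List<String> errors = new ArrayList<>();
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setErrorListener(new ErrorListener() {
            public void warning(TransformerException e) { }
            public void error(TransformerException e) { errors.add(e.getMessage()); }
            public void fatalError(TransformerException e) { errors.add(e.getMessage()); }
        });
        try {
            tf.newTemplates(new StreamSource(new StringReader(stylesheet)));
        } catch (TransformerConfigurationException e) {
            if (errors.isEmpty()) errors.add(e.getMessage());
        }
        return errors;
    }

    // True when any reported error carries the XPath group-limit code.
    static boolean hitsGroupLimit(List<String> errors) {
        return errors.stream().anyMatch(m -> m != null && m.contains("JAXP0801001"));
    }

    public static void main(String[] args) {
        int groups = args.length > 0 ? Integer.parseInt(args[0]) : 12;
        System.out.println("jdk.xml.xpathExprGrpLimit = "
            + System.getProperty("jdk.xml.xpathExprGrpLimit", "(not set; runtime default applies)"));
        List<String> errors = compileErrors(stylesheetWithGroups(groups));
        if (errors.isEmpty()) {
            System.out.println(groups + " groups: stylesheet compiled");
        } else if (hitsGroupLimit(errors)) {
            System.out.println(groups + " groups: XPath group limit hit; rerun with"
                + " -Djdk.xml.xpathExprGrpLimit=" + groups + " or higher");
            errors.forEach(m -> System.out.println("  " + m));
        } else {
            System.out.println(groups + " groups: other compile errors");
            errors.forEach(m -> System.out.println("  " + m));
        }
    }
}
```

Run it once as is and once as java -Djdk.xml.xpathExprGrpLimit=12 XPathGroupLimitCheck to confirm that the property is what lifts the limit; the same listener pattern is the way to log the diagnostic from an application that compiles third-party stylesheets.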
Added support for ChaCha20 and Poly1305 to SunPKCS11 provider
The cryptographic interfaces in Java (JCA and JCE) are provider-based. SunPKCS11 is a provider that bridges the JCA/JCE APIs and the Cryptographic Token Interface Standard (PKCS#11). Support for the ChaCha20 stream cipher and the Poly1305 authenticator is a valuable addition to the SunPKCS11 provider in JDK 11.
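Because JCA resolves an algorithm name to whichever installed provider offers it first, the addition above changes which code ends up running a ChaCha20-Poly1305 call when a SunPKCS11 provider is configured ahead of SunJCE. The program below is an added example, not code from the post or from BellSoft: it lists the providers offering the AEAD cipher, performs an authenticated encrypt/decrypt round trip through the standard Cipher API, and shows that a tampered ciphertext is rejected by the Poly1305 tag check. The key and nonce are constructed at random for the demonstration; selecting a specific PKCS#11 provider by name (the commented-out form) assumes one has been configured in java.security or installed programmatically.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ChaChaPolyDemo {
    static final String ALG = "ChaCha20-Poly1305";

    // Every installed provider implementing the cipher, in JCA preference order.
    // The first one listed is what Cipher.getInstance(ALG) will use.
    static List<String> providersOffering(String cipher) {
        List<String> names = new ArrayList<>();
        Provider[] ps = Security.getProviders("Cipher." + cipher);
        if (ps != null) for (Provider p : ps) names.add(p.getName());
        return names;
    }

    // AEAD seal: ciphertext followed by the 16-byte Poly1305 tag.
    static byte[] seal(SecretKey key, byte[] nonce, byte[] aad, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(ALG);
        // Cipher c = Cipher.getInstance(ALG, "SunPKCS11-<token>"); // hypothetical configured provider
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        c.updateAAD(aad);
        return c.doFinal(plaintext);
    }

    // AEAD open: doFinal throws AEADBadTagException if ciphertext, tag or AAD were altered.
    static byte[] open(SecretKey key, byte[] nonce, byte[] aad, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(nonce));
        c.updateAAD(aad);
        return c.doFinal(sealed);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Providers for " + ALG + ": " + providersOffering(ALG));

        // Constructed sample key (256-bit) and nonce (96-bit); never reuse a nonce under one key.
        SecureRandom rnd = new SecureRandom();
        byte[] keyBytes = new byte[32];
        byte[] nonce = new byte[12];
        rnd.nextBytes(keyBytes);
        rnd.nextBytes(nonce);
        SecretKey key = new SecretKeySpec(keyBytes, "ChaCha20");

        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8);
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        byte[] sealed = seal(key, nonce, aad, msg);
        System.out.println("ciphertext+tag bytes: " + sealed.length + " (plaintext " + msg.length + " + 16)");
        System.out.println("round trip ok: " + Arrays.equals(msg, open(key, nonce, aad, sealed)));

        // Flip one ciphertext bit: the tag no longer matches and decryption must fail.
        byte[] tampered = sealed.clone();
        tampered[0] ^= 0x01;
        try {
            open(key, nonce, aad, tampered);
            System.out.println("UNEXPECTED: tampered data accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getMessage());
        }
    }
}
```

The provider listing is the practical check after an upgrade: if a PKCS#11 token is meant to perform the operation, it must appear first for this cipher, otherwise the software SunJCE implementation silently handles the call.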
JLine upgrade
The JLine library handles console input and is comparable to the Zsh Line Editor in functionality. The upgrade to JLine 3.20.0 adds support for the rxvt terminal along with general updates.
Added support for RSASSA-PSS signatures in OCSP Response
The updated Liberica JDK versions verify RSASSA-PSS signed OCSP responses correctly. Earlier versions could throw an exception whenever they attempted to verify an OCSP response signed with RSASSA-PSS.
Supported platforms
Liberica JDK is tested and proven to work on a large number of platforms.
Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:
- Docker
- KVM
- Microsoft Hyper-V (gen 1 and gen 2)
- VirtualBox
- VMware vSphere Hypervisor
- Solaris Containers & Solaris LDOMs
Liberica JDK supports all major cloud providers, including but not limited to:
- Amazon AWS
- Digital Ocean
- Google Cloud
- Microsoft Azure
- OVH
- Packet
- Scaleway
- VMware Tanzu
Enjoy the most stable runtime!
The CPU release cycle enables the OpenJDK community to introduce security patches and bug fixes to Java as soon as possible, thus minimizing the risk of attacks on your applications. Download the new Liberica JDK builds now! Click on the button below to head over to Liberica Download Center.