
Liberica 18.0.1, 17.0.3, 11.0.15, and 8u332 are out

Liberica 18.0.1, 17.0.3, 11.0.15, and 8u332 builds are generally available


Published April 21, 2022


Today we announce a Critical Patch Update (CPU) of Liberica JDK. The CPU builds (versions 8u331, 11.0.14.1.1, 17.0.2.1, and 7u341) contain fixes for Common Vulnerabilities and Exposures (CVEs) and keep the runtime secure and performant. Alongside the CPU we also release the Patch Set Update (PSU) builds (versions 18.0.1, 17.0.3, 11.0.15, and 8u332), which carry the same security fixes plus non-critical bug fixes and backports.

The release contains 604 fixes and backports overall. BellSoft engineers contributed to 52 of these (31 in the JDK and 21 in JavaFX) across all releases.

Contents

  1. How to keep your runtime secure
  2. The summary of fixes
    1. List of security issues fixed
  3. Summary of fixes in Liberica JDK
  4. Upstream changes: highlights
  5. Supported platforms
  6. Enjoy the most stable runtime!
  7. Useful links

How to keep your runtime secure

BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to keep the runtime stable and secure.

CPUs are scheduled for release in January, April, July, and October every year.

Liberica JDK updates and patches are available at no cost.

The summary of fixes

  • 6 security issues (CVEs) fixed;
  • 86 security fixes in total across the CPU releases:
    • in Liberica 7u341: 17 security fixes,
    • in Liberica 8u331: 20 security fixes + 3 in FX,
    • in Liberica 11.0.14.1.1: 19 security fixes + 3 in FX,
    • in Liberica 17.0.2.1: 21 security fixes + 3 in FX.

In addition, the PSU releases contain 518 fixes and backports in total (the security fixes counted above included):

  • in Liberica 8u332: 23 security fixes (20 + 3 in FX) + 41 additional fixes,
  • in Liberica 11.0.15: 22 security fixes (19 + 3 in FX) + 181 additional fixes,
  • in Liberica 17.0.3: 24 security fixes (21 + 3 in FX) + 174 additional fixes,
  • in Liberica 18.0.1: 23 security fixes (20 + 3 in FX) + 30 additional fixes.

List of security issues fixed

CVSS v3.1 metrics: AV = attack vector (network/local), AC = attack complexity (low/high), PR = privileges required (none/low), UI = user interaction (none/required), S = scope (changed/unchanged), C/I/A = confidentiality, integrity and availability impact (none/low/high). Which Liberica release lines each fix applies to is listed in the next table.

CVE ID            CVSS   Component      Module          AV       AC    PR    UI    S          C     I     A
CVE-2022-21449    7.5    security-libs  java.security   network  low   none  none  unchanged  none  high  none
CVE-2022-21476    7.5    security-libs  java.security   network  low   none  none  unchanged  high  none  none
CVE-2022-21426    5.3    xml            jaxp            network  low   none  none  unchanged  none  none  low
CVE-2022-21434    5.3    core-libs      java.lang       network  low   none  none  unchanged  none  low   none
CVE-2022-21496    5.3    core-libs      javax.naming    network  low   none  none  unchanged  none  low   none
CVE-2022-21443    3.7    security-libs  java.security   network  high  none  none  unchanged  none  none  low

Summary of fixes in Liberica JDK

CVEs fixed in Liberica per major version (JBS is the OpenJDK bug ID; ● means the fix is included in that release line):

CVE               JBS        CVSS       8    11   17   18
CVE-2022-21449    8277233    7.5        -    -    ●    ●
CVE-2022-21476    8278008    7.5        ●    ●    -    -
CVE-2022-21426    8270504    5.3        ●    ●    ●    ●
CVE-2022-21434    8277672    5.3        ●    ●    ●    ●
CVE-2022-21496    8278972    5.3        ●    ●    ●    ●
CVE-2022-21443    8275151    3.7        ●    ●    ●    ●
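The highest-scoring entry, CVE-2022-21449, is the ECDSA signature verification flaw in the Java implementation of SunEC introduced in JDK 15: an unpatched JDK 15 to 18 accepted a signature whose r and s values are both zero as valid for any message under any key. JDK 8 and 11 still use the native ECDSA implementation and are not affected, which is why the table marks only 17 and 18. The following Java class is an added example (not BellSoft's or the Liberica project's code) that probes a running JDK for this behaviour; the all-zero DER signature is a constructed test input, and the curve/algorithm pairs are assumptions chosen to cover the common NIST curves.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

/**
 * Added example: report whether the running JDK accepts an all-zero ECDSA
 * signature (CVE-2022-21449). A fixed runtime must reject it for every
 * message and key; an unpatched JDK 15-18 accepts it.
 */
public class EcdsaBlankSignatureProbe {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }, i.e. r = 0 and s = 0.
    // Constructed test input; no signer ever produces this value.
    static final byte[] ZERO_SIGNATURE = {
        0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00
    };

    /** Returns true if the runtime is VULNERABLE, i.e. it accepts the bogus signature. */
    public static boolean acceptsBlankSignature(String curve, String algorithm) throws Exception {
        // Any key works: a signature with r = s = 0 is independent of the key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec(curve));
        PublicKey pub = kpg.generateKeyPair().getPublic();

        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(pub);
        verifier.update("Hello, World".getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(ZERO_SIGNATURE);
        } catch (SignatureException e) {
            // A provider that rejects the value outright is also "not accepted".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.runtime.version = " + System.getProperty("java.runtime.version"));
        String[][] cases = {               // assumed curve / signature algorithm pairs
            {"secp256r1", "SHA256withECDSA"},
            {"secp384r1", "SHA384withECDSA"},
            {"secp521r1", "SHA512withECDSA"},
        };
        boolean vulnerable = false;
        for (String[] c : cases) {
            boolean accepted = acceptsBlankSignature(c[0], c[1]);
            vulnerable |= accepted;
            System.out.printf("%-10s %-17s all-zero signature accepted: %s%n", c[0], c[1], accepted);
        }
        System.out.println(vulnerable
            ? "VULNERABLE: update to a build that carries the CVE-2022-21449 fix"
            : "OK: blank ECDSA signatures are rejected");
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Run it once against the build you are retiring and once against the new one: the old JDK 17.0.2 or 18 build prints "accepted: true" for every curve and exits 1, while 17.0.3 and 18.0.1 print "false" and exit 0. A non-zero exit code makes the probe usable as a gate in a CI pipeline or a base-image build.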

Upstream changes: highlights

This CPU release contains a number of important additions and updates. It also includes the first patched build of the non-LTS JDK 18. Non-LTS feature releases are rarely used in enterprise development, but if you installed JDK 18 to try out new features, we recommend updating it to keep your runtime environment secure and performant.

macOS/AArch64 Port

The most important enhancement is JEP 391, which ports the JDK to the macOS/AArch64 platform. Since Apple began moving its computers from x86_64 to its own ARM-based processors (M1, or Apple Silicon), demand for a macOS/AArch64 port has been growing among Java developers. Running the x86_64 JDK under the Rosetta 2 translator costs Java applications a certain amount of performance; with JEP 391 now backported to jdk11u-dev, the translator is no longer needed.

We at BellSoft have advocated the ARM architecture for a long time. Our engineers contributed to the AArch64 port by proposing and implementing JEP 315. Needless to say, Liberica JDK has run natively on Apple Silicon since the introduction of this architecture.

Updated XML Security for Java

The java.xml.crypto module, which defines the API for XML digital signatures and encryption, was updated to 2.3.0. The bundled implementation now matches Apache XML Security for Java 2.3.0 (the Apache Santuario project), bringing it in line with upstream's fixes.

A special note on XSLTC: it now enforces an upper limit on the number of groups in an XPath expression (default 10, controlled by the jdk.xml.xpathExprGrpLimit property), which may affect products that compile large XPath expressions, such as Apache Solr. If you encounter an error such as "JAXP0801001: the compiler encountered an XPath expression containing 'X' groups that exceeds the 'Y' limit", raise the limit to X by adding -Djdk.xml.xpathExprGrpLimit=X to the java options. Raise it only as far as your stylesheets actually need: the limit bounds the work a stylesheet-supplied expression can make the compiler do.

Added support for ChaCha20 and Poly1305 to SunPKCS11 provider

The Java cryptographic interfaces (JCA and JCE) are provider-based. SunPKCS11 is the provider that bridges the JCA/JCE APIs to tokens exposed through the Cryptographic Token Interface Standard (PKCS#11), such as HSMs and smart cards. Support for the ChaCha20 stream cipher and the Poly1305 authenticator is now available in the SunPKCS11 provider in JDK 11, provided the underlying PKCS#11 token implements these mechanisms.
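Because the algorithm you get depends on which provider answers the request, the practical check is to ask every installed provider whether it registers the cipher, and then to exercise the AEAD path including a tampered message. The class below is an added example (not BellSoft's or the Liberica project's code) that does both through the standard JCA API; it assumes JDK 11 or later (the ChaCha20-Poly1305 transformation name and Provider.configure are available from JDK 11 and 9 respectively), the optional PKCS#11 configuration file path passed as the first argument is an assumption, and the AAD and message bytes are constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added example: list the providers that implement ChaCha20-Poly1305 and
 * exercise the AEAD round trip, including a forged tag that must be rejected.
 */
public class ChaCha20Poly1305Demo {

    static final String TRANSFORMATION = "ChaCha20-Poly1305";
    static final int NONCE_LEN = 12;   // 96-bit nonce, as specified by RFC 8439

    /** Names of the installed providers that register a Cipher service for ChaCha20-Poly1305. */
    public static List<String> providersWithChaCha20Poly1305() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("Cipher", TRANSFORMATION) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** Returns nonce || ciphertext || tag. A fresh random nonce is drawn for every call. */
    public static byte[] seal(SecretKey key, byte[] aad, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance(TRANSFORMATION);   // first matching provider in precedence order
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);                // ciphertext with the 16-byte Poly1305 tag appended
        byte[] out = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LEN);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    /** Reverses seal(); throws AEADBadTagException if nonce, AAD, ciphertext or tag were altered. */
    public static byte[] open(SecretKey key, byte[] aad, byte[] sealed) throws Exception {
        IvParameterSpec nonce = new IvParameterSpec(Arrays.copyOfRange(sealed, 0, NONCE_LEN));
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, nonce);
        c.updateAAD(aad);
        return c.doFinal(sealed, NONCE_LEN, sealed.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Assumed optional argument: a PKCS#11 config file, registering a SunPKCS11 instance for that token.
        if (args.length > 0) {
            Security.addProvider(Security.getProvider("SunPKCS11").configure(args[0]));
        }
        System.out.println("Providers offering " + TRANSFORMATION + ": " + providersWithChaCha20Poly1305());

        SecretKey key = KeyGenerator.getInstance("ChaCha20").generateKey();   // 256-bit key
        byte[] aad = "record-header-v1".getBytes(StandardCharsets.UTF_8);    // constructed sample input
        byte[] msg = "attack at dawn".getBytes(StandardCharsets.UTF_8);       // constructed sample input

        byte[] sealed = seal(key, aad, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, open(key, aad, sealed)));

        sealed[sealed.length - 1] ^= 0x01;   // flip one bit of the Poly1305 tag
        try {
            open(key, aad, sealed);
            System.out.println("BUG: tampered message accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered message rejected: " + e.getMessage());
        }
    }
}
```

Without a PKCS#11 configuration the provider list names only SunJCE (the pure-Java implementation); with one, SunPKCS11 appears in the list only if the token advertises the ChaCha20 and Poly1305 mechanisms, which is the check to run before relying on the HSM for this cipher. The example creates a new Cipher object per operation on purpose: the JDK's ChaCha20-Poly1305 implementation refuses to re-initialize the same instance with the same key and nonce, which is its guard against nonce reuse, and the random nonce prefix keeps each sealed message self-describing.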

Jline upgrade

JLine, the bundled library that handles line editing for console input (jshell uses it) and is comparable to the Zsh Line Editor in functionality, was upgraded to version 3.20.0, which adds support for the rxvt terminal along with general updates.

Added support for RSASSA-PSS signatures in OCSP Response

The updated Liberica JDK versions verify RSASSA-PSS-signed OCSP responses correctly. Earlier versions could throw an exception when asked to verify an OCSP response signed with RSASSA-PSS, which made revocation checking fail against responders that use that signature scheme.

Supported platforms

Liberica JDK is tested and proven to work on a large number of platforms.

Liberica JDK can be run in virtual and cloud environments. The following hypervisors and container platforms are supported:

  • Docker
  • KVM
  • Microsoft Hyper-V (gen 1 and gen 2)
  • VirtualBox
  • VMware vSphere Hypervisor
  • Solaris Containers & Solaris LDOMs

Liberica JDK supports all major cloud providers, including but not limited to:

  • Amazon AWS
  • Digital Ocean
  • Google Cloud
  • Microsoft Azure
  • OVH
  • Packet
  • Scaleway
  • VMware Tanzu

Enjoy the most stable runtime!

The CPU release cycle lets the OpenJDK community ship security patches and bug fixes as soon as possible, minimizing the window in which your applications are exposed to known vulnerabilities. Download the new Liberica JDK builds from the Liberica Download Center.

Useful links

  1. [JDK-8253795] macOS/AArch64 Port - Java Bug System
  2. [JDK-8275082] Update XML Security for Java to 2.3.0 - Java Bug System
  3. [JDK-8255410] ChaCha20 and Poly1305 support - Java Bug System
  4. [JDK-8274892] Upgrade Jline to 3.20.0 - Java Bug System
  5. [JDK-8274471] Support for RSASSA-PSS - Java Bug System
Announcements

Aleksei Voitylov

BellSoft CTO