Today we announce a Critical Patch Update (CPU) of Liberica JDK versions 8u341, 11.0.15.1.1, and 17.0.3.1.1. CPU patches contain fixes for Common Vulnerabilities and Exposures (CVE) and help to keep the runtime secure and performant at all times. In addition, we release PSU versions (18.0.2, 17.0.4, 11.0.16, and 8u342) with non-critical fixes.
The release contains 848 fixes and backports overall. BellSoft participated in eliminating 34 issues (32 in JDK and 2 in FX) in all releases.
Contents
- How to keep your runtime secure
- The summary of fixes
- Summary of fixes in Liberica JDK
- Notable upstream changes
- Supported platforms
- Enjoy the most stable runtime!
- Useful links
How to keep your runtime secure
BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to ensure stable and secure operation of the runtime.
CPUs are scheduled for release in January, April, June, and October every year.
Liberica JDK updates and patches are available at no cost.
The summary of fixes
- 4 security issues (CVEs) fixed
- 31 total security fixes in CPU release:
- in Liberica 8u341: 9 security fixes + 2 in FX
- in Liberica 11.0.15.1.1: 8 security fixes + 2 in FX
- in Liberica 17.0.3.1.1: 8 security fixes + 2 in FX
In addition, PSU releases include a total of 817 bugs and backports fixed:
- in Liberica 8u342: 11 security fixes (9 + 2 in FX) + 84 additional fixes
- in Liberica 11.0.16: 10 security fixes (8 + 2 in FX) + 287 additional fixes
- in Liberica 17.0.4: 10 security fixes (8 + 2 in FX) + 270 additional fixes
- in Liberica 18.0.2: 13 security fixes (11 + 2 in FX) + 132 additional fixes
List of security issues fixed
CVE ID | CVSS score | Component | Module | Attack vector (network/local) | Complexity (low/high) | Privileges (none/low) | User interaction (none/required) | Scope (changed/unchanged) | Confidentiality (low/none/high) | Integrity (low/none/high) | Availability (low/none/high) |
---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2022-34169 | 7.5 | xml | java.xml | network | low | none | none | unchanged | none | high | none |
CVE-2022-21540 | 5.3 | core-libs | java.base | network | low | none | none | unchanged | low | none | none |
CVE-2022-21541 | 5.9 | core-libs | java.base | network | high | none | none | unchanged | none | high | none |
CVE-2022-21549 | 5.3 | core-libs | java.base | network | low | none | none | unchanged | none | low | none |
Summary of fixes in Liberica JDK
CVEs fixed in Liberica per version:
CVE ID | CVSS score | 8 | 11 | 17 | 18 |
---|---|---|---|---|---|
CVE-2022-34169 | 7.5 | ● | ● | ● | ● |
CVE-2022-21540 | 5.3 | ● | ● | ● | ● |
CVE-2022-21541 | 5.9 | ● | ● | ● | ● |
CVE-2022-21549 | 5.3 | - | - | ● | ● |
Notable upstream changes
This CPU release contains a number of important additions and updates.
Customizing the generation of a PKCS12 keystore
In Java 8, the KeyStore.load API allowed the supplied password to be null, which signals that the keystore integrity check should be skipped. Yet when the password was null, the PKCS12 implementation returned no certificates. This behavior has been fixed.
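The following added example (not code from the release notes or from BellSoft) loads the same PKCS12 file twice, once with its password and once with a null password, and reports how many certificate entries each load exposes; it assumes the keystore file and its password are passed as command-line arguments.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;

public class Pkcs12NullPasswordCheck {

    // Loads a PKCS12 keystore; a null password skips the integrity (MAC) check.
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Counts entries that carry a certificate: trusted certificates and key entries with a chain.
    static int certificateEntries(KeyStore ks) throws KeyStoreException {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) || ks.getCertificateChain(alias) != null) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Assumed input: args[0] is a PKCS12 file (e.g. created with keytool), args[1] its password.
        Path file = Paths.get(args[0]);
        char[] password = args[1].toCharArray();

        KeyStore withPassword = load(file, password);
        KeyStore withoutPassword = load(file, null);

        System.out.println("entries with password:      " + withPassword.size()
                + " (" + certificateEntries(withPassword) + " with certificates)");
        System.out.println("entries with null password: " + withoutPassword.size()
                + " (" + certificateEntries(withoutPassword) + " with certificates)");
        // On a Java 8 runtime without the fix described above, the second line reports no certificates.
    }
}
```

Private keys still require the password through KeyStore.getKey; the null-password load only affects the integrity check and, with the fix, the visibility of certificates.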
Infinite loop in ZipOutputStream.close()
In Java 11 and 17, in some cases, when the client disconnected or the socket write timed out, the underlying output stream was closed too soon and the zip file could not be written completely. This led to an infinite loop in ZipOutputStream.close().
Issues with cpu.shares
Two issues with cpu.shares in container environments were fixed. The first was an incorrect calculation of the number of CPUs available to processes, which could result in CPU underutilization and unexpected behavior. The second was a faulty computation of ActiveProcessorCount, which made the JVM use only some of the available CPUs.
Lambda deserialization failed for Object method references on interfaces
Deserialization of serialized method references to Object methods that use an interface as the receiver type works again. Note that the class files must be recompiled for deserialization to succeed.
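The case fixed here can be reproduced with the following added example (not code from the release notes or the JDK project): a serializable method reference to Object.toString whose receiver type is an interface is serialized and deserialized in memory. The Greeter interface and the roundTrip helper are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.function.Function;

public class LambdaRoundTrip {

    // Any interface works; toString is inherited from Object, which is the case the fix covers.
    interface Greeter { String name(); }

    // Serializes the value to a byte array and reads it back, returning the deserialized copy.
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Method reference to an Object method (toString) with an interface as the receiver type.
        Function<Greeter, String> describe =
                (Function<Greeter, String> & Serializable) Greeter::toString;

        Function<Greeter, String> copy = roundTrip(describe);
        Greeter g = () -> "example";
        System.out.println(copy.apply(g));
        // With class files compiled by a javac that lacks the fix, readObject() above fails
        // during lambda deserialization; after recompiling with a fixed javac it succeeds.
    }
}
```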
Supported platforms
Liberica JDK is tested and proven to work on a large number of platforms.
Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:
- Docker
- KVM
- Microsoft Hyper-V (gen 1 and gen 2)
- VirtualBox
- VMware vSphere Hypervisor
- Solaris Containers & Solaris LDOMs
Liberica JDK supports all major cloud providers, including but not limited to:
- Amazon AWS
- Digital Ocean
- Google Cloud
- Microsoft Azure
- OVH
- Packet
- Scaleway
- VMware Tanzu
Enjoy the most stable runtime!
The CPU release cycle enables the OpenJDK community to introduce security patches and bug fixes to Java as soon as possible, thus minimizing the risk of attacks on your applications. Download the new Liberica JDK builds now from the Liberica Download Center.
Useful links
- [JDK-8266526] Customizing the generation of a PKCS12 keystore
- [JDK-8283522] Infinite loop in ZipOutputStream.close()
- [JDK-8283355] cpu.shares does not correctly calculate the number of CPUs for the processes to use
- [JDK-8288604] cpu.shares did not compute ActiveProcessorCount correctly
- [JDK-8288605] Lambda deserialization failed for Object method references on interfaces