Liberica 18.0.2, 17.0.4, 11.0.16, and 8u342 builds are generally available

Jul 21, 2022
Aleksei Voitylov

Today we announce a Critical Patch Update (CPU) of Liberica JDK versions 8u341, 11.0.15.1.1, and 17.0.3.1.1. CPU patches contain fixes for Common Vulnerabilities and Exposures (CVE) and help to keep the runtime secure and performant at all times. In addition, we release PSU versions (18.0.2, 17.0.4, 11.0.16, and 8u342) with non-critical fixes.

The release contains 848 fixes and backports overall. BellSoft participated in eliminating 34 issues (32 in JDK and 2 in FX) in all releases.

Contents

  1. How to keep your runtime secure
  2. The summary of fixes
    1. List of security issues fixed
  3. Summary of fixes in Liberica JDK
  4. Notable upstream changes
  5. Supported platforms
  6. Enjoy the most stable runtime!
  7. Useful links

How to keep your runtime secure

BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to ensure the stable and secure operation of the runtime.

CPUs are scheduled for release in January, April, June, and October every year.

Liberica JDK updates and patches are available at no cost.

The summary of fixes

  • 4 security issues (CVEs) fixed
  • 31 total security fixes in CPU release:
    • in Liberica 8u341: 9 security fixes + 2 in FX
    • in Liberica 11.0.15.1.1: 8 security fixes + 2 in FX
    • in Liberica 17.0.3.1.1: 8 security fixes + 2 in FX

In addition, the PSU releases include a total of 817 bug fixes and backports:

  • in Liberica 8u342: 11 security fixes (9 + 2 in FX) + 84 additional fixes
  • in Liberica 11.0.16: 10 security fixes (8 + 2 in FX) + 287 additional fixes
  • in Liberica 17.0.4: 10 security fixes (8 + 2 in FX) + 270 additional fixes
  • in Liberica 18.0.2: 13 security fixes (11 + 2 in FX) + 132 additional fixes

List of security issues fixed

CVE ID           CVSS  Component  Module     Attack vector  Complexity  Privileges  User interaction  Scope      Confidentiality  Integrity  Availability
CVE-2022-34169   7.5   xml        java.xml   network        low         none        none              unchanged  none             high       none
CVE-2022-21540   5.3   core-libs  java.base  network        low         none        none              unchanged  low              none       none
CVE-2022-21541   5.9   core-libs  java.base  network        high        none        none              unchanged  none             high       none
CVE-2022-21549   5.3   core-libs  java.base  network        low         none        none              unchanged  none             low        none

Summary of fixes in Liberica JDK

CVEs fixed in Liberica per version:

CVE              CVSS   8    11   17   18
CVE-2022-34169   7.5    ●    ●    ●    ●
CVE-2022-21540   5.3    ●    ●    ●    ●
CVE-2022-21541   5.9    ●    ●    ●    ●
CVE-2022-21549   5.3    -    -    ●    ●

Notable upstream changes

This CPU release contains a number of important additions and updates.

Customizing the generation of a PKCS12 keystore

In Java 8, the KeyStore.load API allows the supplied password to be null, which signals that the keystore integrity check should be skipped. Yet when the password was null, the PKCS12 implementation returned no certificates. This behavior has been fixed.
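The following program is an added example, not code from the announcement or from the JDK, that makes the two sides of this behavior visible: it builds a small PKCS12 trust store from a certificate the running JDK already trusts, stores it with a password, and then reloads it three ways. Loading with the password verifies the integrity MAC and returns the certificate; loading with a null password skips the MAC check (so a tampered file would load silently) but, on a build that carries the fix, still returns the certificate; loading with a wrong password is rejected. The alias, the password value and the class name are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class Pkcs12NullPasswordCheck {
    // Constructed value for the example; any password works here.
    static final char[] STORE_PASSWORD = "example-store-password".toCharArray();

    /** Builds a one-entry PKCS12 trust store, copying a CA certificate from the JDK's default trust store. */
    static byte[] buildStore() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JDK's default trust store (cacerts)
        X509Certificate sample = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                if (issuers.length > 0) {
                    sample = issuers[0];
                    break;
                }
            }
        }
        if (sample == null) {
            throw new IllegalStateException("no trusted certificate available to copy");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // create an empty in-memory store
        ks.setCertificateEntry("sample-ca", sample); // alias is a constructed example value
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASSWORD);             // the store password also keys the integrity MAC
        return out.toByteArray();
    }

    /**
     * Loads the store with the given password (null = skip the integrity check)
     * and counts the certificate entries that come back.
     */
    static int countCertificates(byte[] storeBytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(storeBytes), password);
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        byte[] store = buildStore();

        // Correct password: MAC verified, certificate returned.
        System.out.println("with password:  " + countCertificates(store, STORE_PASSWORD) + " certificate(s)");

        // Null password: the MAC is NOT verified, so only load files from a trusted source this way.
        // Before the fix described above, Java 8 returned 0 here although the store holds one certificate.
        System.out.println("null password:  " + countCertificates(store, null) + " certificate(s)");

        // Wrong password: the MAC check fails and KeyStore.load throws IOException.
        try {
            countCertificates(store, "wrong-password".toCharArray());
            System.out.println("wrong password accepted (unexpected)");
        } catch (IOException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java Pkcs12NullPasswordCheck.java` on JDK 11 or later (or compile first on JDK 8). The practical takeaway is the second case: a null password is a convenience for reading stores whose integrity you already trust, not a way to skip authentication of a file received from elsewhere.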

Infinite loop in ZipOutputStream.close()

In Java 11 and 17, in some cases when the client disconnected or the socket write timed out, the underlying output stream was closed too soon and the zip file could not be written completely, which sent ZipOutputStream.close() into an infinite loop.

Issues with cpu.shares

Two issues with cpu.shares in container environments were fixed. The first was an incorrect calculation of the number of CPUs available to processes, which could result in CPU underutilization and unexpected behavior. The second was a faulty computation of ActiveProcessorCount, which made the JVM use only some of the available CPUs.

Lambda deserialization failed for Object method references on interfaces

Deserialization of serialized method references to Object methods that use an interface as the type on which the method is invoked works again. Note that the class files must be recompiled for deserialization to succeed.
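The program below is an added example, not code from the announcement or from the JDK, that reproduces the exact shape of method reference the fix is about: `Shape::hashCode`, where `hashCode` is an Object method and `Shape` is an interface used as the receiver type. It serializes the reference to bytes and reads it back in the same process. The interface, the implementing class and the functional interface are constructed for the example; the bytes are only ever those produced in-process, which is the one situation where deserializing a lambda is a reasonable thing to do.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.function.Function;

public class LambdaDeserializationCheck {
    // Constructed interface: the method reference below invokes an Object method (hashCode)
    // using this interface, not a class, as the type the method is invoked on.
    interface Shape {}

    // Constructed implementation with a fixed hashCode so the result is easy to read.
    static class Circle implements Shape, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public int hashCode() {
            return 42;
        }
    }

    // A Function that is also Serializable, so the method reference can be written out.
    interface SerializableFunction<T, R> extends Function<T, R>, Serializable {}

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads back bytes that this same process produced; never feed untrusted input here.
    @SuppressWarnings("unchecked")
    static <T> T deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Object method (hashCode) referenced through an interface type.
        SerializableFunction<Shape, Integer> hash = Shape::hashCode;

        byte[] bytes = serialize(hash);

        // On an affected build this readObject() fails inside the generated $deserializeLambda$ method;
        // on a fixed build (with this class compiled by the fixed javac) the reference is restored.
        SerializableFunction<Shape, Integer> restored = deserialize(bytes);

        System.out.println("restored method reference applied to a Circle: " + restored.apply(new Circle()));
    }
}
```

Because the fix lives partly in the code that javac generates for `$deserializeLambda$`, compile this class with the updated JDK as the note above says; a class file produced by an older compiler keeps the old behavior even when run on the new runtime.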

Supported platforms

Liberica JDK is tested and proven to work on a large number of platforms.

Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:

  • Docker
  • KVM
  • Microsoft Hyper-V (gen 1 and gen 2)
  • VirtualBox
  • VMware vSphere Hypervisor
  • Solaris Containers & Solaris LDOMs

Liberica JDK supports all major cloud providers, including but not limited to:

  • Amazon AWS
  • Digital Ocean
  • Google Cloud
  • Microsoft Azure
  • OVH
  • Packet
  • Scaleway
  • VMware Tanzu

Enjoy the most stable runtime!

The CPU release cycle enables the OpenJDK community to deliver security patches and bug fixes to Java as soon as possible, minimizing the risk of attacks on your applications. Download the new Liberica JDK builds now from the Liberica Download Center.

Useful links

  1. [JDK-8266526] Customizing the generation of a PKCS12 keystore
  2. [JDK-8283522] Infinite loop in ZipOutputStream.close()
  3. [JDK-8283355] cpu.shares does not correctly calculate the number of CPUs for the processes to use
  4. [JDK-8288604] cpu.shares did not compute ActiveProcessorCount correctly
  5. [JDK-8288605] Lambda deserialization failed for Object method references on interfaces