
Liberica 18.0.2, 17.0.4, 11.0.16, and 8u342 are out

Liberica 18.0.2, 17.0.4, 11.0.16, and 8u342 builds are generally available


Published July 21, 2022


Today we announce a Critical Patch Update (CPU) of Liberica JDK versions 8u341, 11.0.15.1.1, and 17.0.3.1.1. CPU patches contain fixes for Common Vulnerabilities and Exposures (CVE) and help to keep the runtime secure and performant at all times. In addition, we release PSU versions (18.0.2, 17.0.4, 11.0.16, and 8u342) with non-critical fixes.

The release contains 848 fixes and backports overall. BellSoft participated in eliminating 34 issues (32 in JDK and 2 in FX) in all releases.

Contents

  1. How to keep your runtime secure
  2. The summary of fixes
    1. List of security issues fixed
  3. Summary of fixes in Liberica JDK
  4. Notable upstream changes
  5. Supported platforms
  6. Enjoy the most stable runtime!
  7. Useful links

How to keep your runtime secure

BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to keep the runtime stable and secure.

CPUs are scheduled for release in January, April, June, and October every year.

Liberica JDK updates and patches are available at no cost.

The summary of fixes

  • 4 security issues (CVEs) fixed
  • 31 total security fixes in CPU release:
    • in Liberica 8u341: 9 security fixes + 2 in FX
    • in Liberica 11.0.15.1.1: 8 security fixes + 2 in FX
    • in Liberica 17.0.3.1.1: 8 security fixes + 2 in FX

In addition, PSU releases include a total of 817 bugs and backports fixed:

  • in Liberica 8u342: 11 security fixes (9 + 2 in FX) + 84 additional fixes
  • in Liberica 11.0.16: 10 security fixes (8 + 2 in FX) + 287 additional fixes
  • in Liberica 17.0.4: 10 security fixes (8 + 2 in FX) + 270 additional fixes
  • in Liberica 18.0.2: 13 security fixes (11 + 2 in FX) + 132 additional fixes
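The versions above are the minimum fix levels for the July 2022 CPU. As an added example (not BellSoft's code), the following class compares the JDK it runs on, or a version string passed as its first argument, against those levels. The fix levels are taken from this announcement; the parsing rules for the legacy "1.8.0_341" form are an assumption that matches the java.version property of Java 8 builds.

```java
// Added example (not BellSoft's code): check whether the running JDK, or a
// version string passed as the first argument, is at or above the July 2022
// CPU fix level for its major line as listed in the announcement.
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class CpuLevelCheck {

    // CPU fix levels from the announcement, keyed by major version line.
    // 8u341 is written in the normalised "8.0.341" form produced by parse().
    static final Map<Integer, String> CPU_LEVEL = new LinkedHashMap<>();
    static {
        CPU_LEVEL.put(8, "8.0.341");
        CPU_LEVEL.put(11, "11.0.15.1.1");
        CPU_LEVEL.put(17, "17.0.3.1.1");
        CPU_LEVEL.put(18, "18.0.2");
    }

    // Turn a java.version string into numeric components:
    // "1.8.0_341-b10" -> [8, 0, 341], "11.0.15.1.1+2" -> [11, 0, 15, 1, 1], "17.0.4" -> [17, 0, 4].
    static int[] parse(String version) {
        String s = version.trim();
        int cut = s.indexOf('+');            // drop build suffix such as "+10"
        if (cut >= 0) s = s.substring(0, cut);
        cut = s.indexOf('-');                // drop "-b10" / "-ea" style suffixes
        if (cut >= 0) s = s.substring(0, cut);
        if (s.startsWith("1.")) {            // legacy "1.8.0_341" -> "8.0.341"
            s = s.substring(2).replace('_', '.');
        }
        return Arrays.stream(s.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // Compare two parsed versions; a missing trailing component counts as 0,
    // so 11.0.16 > 11.0.15.1.1 and 11.0.15 < 11.0.15.1.1.
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    // True if the version is at or above the CPU level for its major line.
    static boolean atCpuLevel(String version) {
        int[] current = parse(version);
        String required = CPU_LEVEL.get(current[0]);
        if (required == null) {
            throw new IllegalArgumentException("no CPU level listed for major version " + current[0]);
        }
        return compare(current, parse(required)) >= 0;
    }

    public static void main(String[] args) {
        String version = args.length > 0 ? args[0] : System.getProperty("java.version");
        boolean ok = atCpuLevel(version);
        System.out.println("java.version " + version + (ok ? " is at or above" : " is BELOW")
                + " the July 2022 CPU level " + CPU_LEVEL.get(parse(version)[0]));
        System.exit(ok ? 0 : 1);   // non-zero exit lets a build or deploy pipeline fail on old runtimes
    }
}
```

Compile with javac and run `java CpuLevelCheck` on the runtime under test, or `java CpuLevelCheck 11.0.15` to check a recorded version string; the class compares version numbers only and does not verify the vendor or the build.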

List of security issues fixed

CVE ID          CVSS  Component  Module     Attack vector  Complexity  Privileges  User interaction  Scope      Confidentiality  Integrity  Availability
CVE-2022-34169  7.5   xml        java.xml   network        low         none        none              unchanged  none             high       none
CVE-2022-21540  5.3   core-libs  java.base  network        low         none        none              unchanged  low              none       none
CVE-2022-21541  5.9   core-libs  java.base  network        high        none        none              unchanged  none             high       none
CVE-2022-21549  5.3   core-libs  java.base  network        low         none        none              unchanged  none             low        none

Column values are the CVSS metrics: attack vector (network/local), complexity (low/high), privileges required (none/low), user interaction (none/required), scope (changed/unchanged), and confidentiality, integrity and availability impact (none/low/high).

Summary of fixes in Liberica JDK

CVEs fixed in Liberica per version:

CVE                 JBS        CVSS   8   11    17   18

CVE-2022-34169      8285407    7.5    ●    ●    ●    ●
CVE-2022-21540      8281859    5.3    ●    ●    ●    ●
CVE-2022-21541      281866     5.9    ●    ●    ●    ●
CVE-2022-21549      8283875    5.3    -    -    ●    ●

Notable upstream changes

This CPU release contains a number of important additions and updates.

Customizing the generation of a PKCS12 keystore

In Java 8, the KeyStore.load API allows the supplied password to be null, which signals that the keystore integrity check should be skipped. However, when the password was null, the PKCS12 implementation returned no certificates. This behavior has been fixed.
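To see whether a given Java 8 build shows the pre-fix or the fixed behavior, the following added example (not BellSoft's code) loads the same PKCS12 file twice, once with its password and once with a null password, and compares the certificate entries each load returns. The keystore path and password are command-line arguments supplied by the person running the check.

```java
// Added example (not BellSoft's code): compare the certificate entries a
// PKCS12 keystore exposes when loaded with its password and when loaded with
// a null password (integrity check skipped). Path and password are arguments.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class Pkcs12NullPasswordCheck {

    // Load the PKCS12 file (password may be null) and return the aliases
    // that carry a certificate, i.e. trusted-certificate and key entries.
    static List<String> certificateAliases(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // null skips the keystore integrity (MAC) check
        }
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) != null) {
                result.add(alias);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java Pkcs12NullPasswordCheck <keystore.p12> <password>");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();

        List<String> withPassword = certificateAliases(path, password);
        List<String> withNull = certificateAliases(path, null);
        System.out.println("certificate entries with password:      " + withPassword);
        System.out.println("certificate entries with null password: " + withNull);

        if (withNull.isEmpty() && !withPassword.isEmpty()) {
            System.out.println("null-password load returned no certificates (behavior described for unpatched Java 8)");
            System.exit(1);
        }
        System.out.println("null-password load returns the certificate entries");
    }
}
```

Run it against the same file on a Liberica 8 build from before and after this update to observe the change. Whether certificates are readable without the password also depends on how the file was generated, so compare the two runs rather than treating a single empty result as conclusive.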

Infinite loop in ZipOutputStream.close()

In Java 11 and 17, in some cases when the client disconnected or the socket write timed out, the underlying output stream was closed too soon and the zip file could not be completely written, which caused ZipOutputStream.close() to loop infinitely.

Issues with cpu.shares

Two issues with cpu.shares in container environments were fixed. The first was an incorrect calculation of the number of CPUs available to the process, which could result in CPU underutilization and unexpected behavior. The second was a faulty computation of ActiveProcessorCount, which made the JVM use only some of the available CPUs.
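A practical way to verify the CPU count a build derives inside a container is to print what the JVM reports next to the cgroup settings it was reading. The following added example (not BellSoft's code) does that; the cgroup v1 and v2 file paths it probes are the usual mount points and are assumptions about the host, not values taken from this announcement.

```java
// Added example (not BellSoft's code): report the CPU count the JVM believes it
// may use next to the container's cgroup CPU weight and quota, so cpu.shares /
// ActiveProcessorCount behaviour can be checked on a given build. The cgroup
// paths below are the common v1/v2 mount points and are assumptions.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ContainerCpuCheck {

    // cgroup v1 and v2 files describing relative CPU weight and hard quota.
    static final String[] SHARES_FILES = {
        "/sys/fs/cgroup/cpu/cpu.shares",
        "/sys/fs/cgroup/cpu,cpuacct/cpu.shares",
        "/sys/fs/cgroup/cpu.weight"
    };
    static final String[] QUOTA_FILES = {
        "/sys/fs/cgroup/cpu/cpu.cfs_quota_us",
        "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us",
        "/sys/fs/cgroup/cpu.max"
    };
    static final String[] PERIOD_FILES = {
        "/sys/fs/cgroup/cpu/cpu.cfs_period_us",
        "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us"
    };

    // Contents of the first readable file in the list, trimmed, or null if none exists.
    static String readFirst(String[] candidates) {
        for (String c : candidates) {
            Path p = Paths.get(c);
            if (Files.isReadable(p)) {
                try {
                    return new String(Files.readAllBytes(p)).trim();
                } catch (IOException ignored) {
                    // unreadable in this environment; try the next candidate
                }
            }
        }
        return null;
    }

    // CPU limit implied by a CFS quota, ceil(quota / period). cgroup v2 stores
    // "<quota> <period>" or "max <period>" in cpu.max; v1 uses -1 for "no limit".
    // Returns -1 when no quota applies.
    static int cpusFromQuota(String quota, String period) {
        if (quota == null) return -1;
        String q = quota, p = period;
        String[] parts = quota.split("\\s+");
        if (parts.length == 2) {          // cgroup v2 cpu.max carries both values
            q = parts[0];
            p = parts[1];
        }
        if (q.equals("max") || q.equals("-1") || p == null) return -1;
        long quotaUs = Long.parseLong(q), periodUs = Long.parseLong(p);
        if (quotaUs <= 0 || periodUs <= 0) return -1;
        return (int) ((quotaUs + periodUs - 1) / periodUs);
    }

    public static void main(String[] args) {
        int jvmCpus = Runtime.getRuntime().availableProcessors();
        String shares = readFirst(SHARES_FILES);
        int quotaCpus = cpusFromQuota(readFirst(QUOTA_FILES), readFirst(PERIOD_FILES));

        System.out.println("java.runtime.version   : " + System.getProperty("java.runtime.version"));
        System.out.println("availableProcessors()  : " + jvmCpus);
        System.out.println("cpu.shares / cpu.weight: " + (shares == null ? "not found" : shares));
        System.out.println("CPUs implied by quota  : " + (quotaCpus < 0 ? "no quota" : String.valueOf(quotaCpus)));

        if (quotaCpus > 0 && jvmCpus < quotaCpus) {
            System.out.println("JVM reports fewer CPUs than the quota allows; compare with a patched build");
        }
    }
}
```

Run the class inside the container under test; on Liberica 11 and 17 adding `-Xlog:os+container=trace` to the command line also prints the container values the JVM itself read, and `-XX:ActiveProcessorCount=<n>` can be used to pin the count explicitly while a build with the fix is rolled out.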

Lambda deserialization failed for Object method references on interfaces

Deserialization of serialized method references to Object methods, where an interface was used as the type on which the method is invoked, works again. Note that the class files must be recompiled for the deserialization to succeed.

Supported platforms

Liberica JDK is tested and proven to work on a large number of platforms.

Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:

  • Docker
  • KVM
  • Microsoft Hyper-V (gen 1 and gen 2)
  • VirtualBox
  • VMware vSphere Hypervisor
  • Solaris Containers & Solaris LDOMs

Liberica JDK supports all major cloud providers, including but not limited to:

  • Amazon AWS
  • Digital Ocean
  • Google Cloud
  • Microsoft Azure
  • OVH
  • Packet
  • Scaleway
  • VMware Tanzu

Enjoy the most stable runtime!

The CPU release cycle enables the OpenJDK community to introduce security patches and bug fixes to Java as soon as possible, thus minimizing the risk of attacks on your applications. Download the new Liberica JDK builds now! Click on the button below to head over to Liberica Download Center.

Useful links

  1. [JDK-8266526] Customizing the generation of a PKCS12 keystore
  2. [JDK-8283522] Infinite loop in ZipOutputStream.close()
  3. [JDK-8283355] cpu.shares does not correctly calculate the number of CPUs for the processes to use
  4. [JDK-8288604] cpu.shares did not compute ActiveProcessorCount correctly
  5. [JDK-8288605] Lambda deserialization failed for Object method references on interfaces

Aleksei Voitylov

BellSoft CTO
