We are happy to announce the general availability of a Critical Patch Update (CPU) of Liberica JDK versions 8u411, 11.0.22.0.1, 17.0.10.0.1, and 21.0.2.0.1 CPU releases are stabilized builds that include patches for Common Vulnerabilities and Exposures (CVE) described in the relevant CVE entries in BellSoft’s Security Advisory.
BellSoft is one of only three companies including Oracle that release CPU builds aimed at eliminating known security issues without disrupting the production environment.
In addition, we release PSU versions 8u412, 11.0.23, 17.0.11, 21.0.3, and 22.0.1 with non-critical fixes and general improvements.
The release contains 904 fixes and backports overall. BellSoft participated in eliminating 8 issues in all releases.
How to keep your runtime secure
BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to ensure the stable work and secure performance of the runtime.
CPUs are scheduled for release in January, April, June, and October every year.
Liberica JDK updates and patches are available at no cost.
[ link | Download Liberica JDK | https://bell-sw.com/pages/downloads ]
The summary of fixes
- 10 security issues (CVEs) fixed.
- 23 total security fixes (+ 14 additional non-security fixes) in CPU release:
- in Liberica 6u421: 2 security fixes + 9 additional fixes;
- in Liberica 7u421: 2 security fixes + 4 additional fix;
- in Liberica 8u411: 5 security fixes;
- in Liberica 11.0.22.0.1: 6 security fixes + 1 additional fix;
- in Liberica 17.0.10.0.1: 4 security fixes;
- in Liberica 21.0.2.0.1: 4 security fixes.
In addition, PSU releases include a total of 867 bugs and backports fixed:
- in Liberica 8u412: 5 security fixes (+ 5 in FX) + 48 additional fixes (+ 20 in FX);
- in Liberica 11.0.23: 6 security fixes (+ 5 in FX) + 247 additional fixes;
- in Liberica 17.0.11: 4 security fixes (+ 5 in FX) + 222 additional fixes (+ 14 in FX);
- in Liberica 21.0.3: 4 security fixes (+ 6 in FX) + 264 additional fixes (+ 12 in FX).
- in Liberica 22.0.1: 4 security fixes (+ 6 in FX) + 64 additional fixes (+ 22 in FX).
List of security issues fixed
|
CVE ID |
cvss score |
component |
module |
Attack vector (network/local) |
Complexity (low/high) |
Privileges (none/low) |
User interaction (none/required) |
Scope (changed/unchanged) |
Confidentiality (low/none/high) |
Integrity (low/none/high) |
Availability (low/none/high) |
|
CVE-2023-41993 |
7.5 |
javafx |
web |
network |
high |
none |
required |
unchanged |
high |
high |
high |
|
CVE-2024-21094 |
3.7 |
hotspot |
compiler |
network |
high |
none |
none |
unchanged |
none |
low |
none |
|
CVE-2024-21085 |
3.7 |
core-libs |
ava.util |
network |
high |
none |
none |
unchanged |
none |
none |
low |
|
CVE-2024-21011 |
3.7 |
hotspot |
runtime |
network |
high |
none |
none |
unchanged |
none |
none |
low |
|
CVE-2024-21068 |
3.7 |
hotspot |
compiler |
network |
high |
none |
none |
unchanged |
none |
low |
none |
|
CVE-2024-21012 |
3.7 |
core-libs |
ava.net |
network |
high |
none |
none |
unchanged |
none |
low |
none |
|
CVE-2024-21003 |
3.1 |
javafx |
graphics |
network |
high |
none |
required |
unchanged |
none |
low |
none |
|
CVE-2024-21005 |
3.1 |
javafx |
graphics |
network |
high |
none |
required |
unchanged |
none |
low |
none |
|
CVE-2024-21002 |
2.5 |
javafx |
graphics |
local |
high |
none |
required |
unchanged |
none |
low |
none |
|
CVE-2024-21004 |
2.5 |
javafx |
window-toolkit |
local |
high |
none |
required |
unchanged |
none |
low |
none |
Summary of fixes in Liberica JDK
CVEs fixed in Liberica per version:
|
CVE ID |
8 |
11 |
17 |
21 |
22 |
|
CVE-2023-41993 |
• |
• |
• |
• |
• |
|
CVE-2024-21094 |
• |
• |
• |
• | |
|
CVE-2024-21085 |
• |
• | |||
|
CVE-2024-21011 |
• |
• |
• |
• |
• |
|
CVE-2024-21068 |
• |
• |
• |
• |
• |
|
CVE-2024-21012 |
• |
• |
• |
• | |
|
CVE-2024-21003 |
• |
• |
• |
• |
• |
|
CVE-2024-21005 |
• |
• |
• |
• |
• |
|
CVE-2024-21002 |
• |
• |
• |
• |
• |
|
CVE-2024-21004 |
• |
• |
• |
• |
• |
Supported platforms
Liberica JDK is tested and proven to work on a large number of platforms.
Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:
- Docker
- KVM
- Microsoft Hyper-V (gen 1 and gen 2)
- VirtualBox
- VMware vSphere Hypervisor
- Solaris Containers & Solaris LDOMs
Liberica JDK supports all major cloud providers, including but not limited to:
- Amazon AWS
- Digital Ocean
- Google Cloud
- Microsoft Azure
- OVH
- Packet
- Scaleway
- VMware Tanzu
Enjoy the most stable runtime!
The CPU release cycle enables the OpenJDK community to introduce security patches and bug fixes to Java as soon as possible, thus minimizing the risk of attacks on your applications. Download the new Liberica JDK builds now! Click on the button below to head over to Liberica Download Center.
