We are happy to announce the general availability of Liberica Native Image Kit (NIK) versions 22.3.0 and 21.3.4 as part of the Critical Patch Update (CPU) release cycle. The builds contain several security fixes and enhancements.
All Liberica NIK builds contain the latest version of Liberica JDK, including its fixes for the security issues listed below.
Notable changes
- Improved module system support. When building JavaFX native images with the Full version, there is no need to list JavaFX modules on the command line with --add-modules javafx.controls,... because all modules that are part of the JDK are visible by default
- Added support for JFR events: jdk.JavaMonitorEnter, jdk.JavaMonitorWait, jdk.ThreadSleep
- Added support for heap dumps
- Added new class initialization strategy that allows all classes to be used at image build time
- Added support for ThreadMXBean#getThreadCpuTime
- Introduced the --enable-monitoring option
Summary of fixes and enhancements
List of security issues fixed
| CVE ID | CVSS score | Component | Module | Attack vector (network/local) | Complexity (low/high) | Privileges (none/low) | User interaction (none/required) | Scope (changed/unchanged) | Confidentiality (low/none/high) | Integrity (low/none/high) | Availability (low/none/high) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-21618 | 5.3 | security-libs | org.ietf.jgss | network | low | none | none | unchanged | none | low | none |
| CVE-2022-21619 | 3.7 | security-libs | java.security | network | high | none | none | unchanged | none | low | none |
| CVE-2022-21624 | 3.7 | core-libs | javax.naming | network | high | none | none | unchanged | none | low | none |
| CVE-2022-21626 | 5.3 | security-libs | java.security | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21628 | 5.3 | core-libs | java.net | network | low | none | none | unchanged | none | none | low |
| CVE-2022-39399 | 3.7 | core-libs | java.net | network | high | none | none | unchanged | none | low | none |
Summary of fixes in Liberica NIK
CVEs fixed in Liberica NIK per version:
| CVE ID | 22.3.0 (JDK 11) | 22.3.0 (JDK 11) | 21.3.4 (JDK 17) | 21.3.4 (JDK 17) |
|---|---|---|---|---|
| CVE-2022-21626 | • | • | - | - |
| CVE-2022-21618 | • | • | • | • |
| CVE-2022-21628 | • | • | • | • |
| CVE-2022-39399 | • | • | • | • |
| CVE-2022-21619 | • | • | • | • |
| CVE-2022-21624 | • | • | • | • |
Conclusion
BellSoft strives to provide Java developers with a full stack of secure and affordable technologies suitable for creating a wide range of applications. And thanks to the CPU release cycle, your applications will be secure at all times. Download the latest version of Liberica NIK now!