We are happy to announce that today we release Liberica JDK versions 17.0.2, 11.0.14, and 8u322 as part of the quarterly CPU cadence. CPU (Critical Patch Update) releases help keep the runtime secure and performant as they contain CVE and bug fixes, whereas PSU releases contain non-critical fixes.
The release contains 790 fixes and backports. 9 security issues were fixed with the participation of BellSoft (8 in JDK and 1 in FX).
Contents
- How to keep your runtime secure
- The summary of fixes
- Summary of fixes in Liberica JDK
- Notable upstream changes
- Supported platforms
- Enjoy the most stable runtime!
- Useful links
How to keep your runtime secure
BellSoft recommends updating Liberica JDK with each Critical Patch Update (CPU) to ensure the stable work and secure performance of the runtime.
CPUs are scheduled for release in January, April, June, and October every year.
Liberica JDK updated and patches are available at no cost.
The summary of fixes
- 16 security issues (CVEs) fixed;
- 93 total security fixes in CPU release:
- in Liberica 8u321: 30 security fixes (28 + 2 in FX),
- in Liberica 11.0.13.0.1: 33 security fixes (31 + 2 in FX),
- in Liberica 17.0.1.0.1: 30 security fixes (28 + 2 in FX).
In addition, PSU releases include a total of 790 bugs and backports fixed:
- in Liberica 8u322: 30 security fixes (28 + 2 in FX) + 52 additional fixes,
- in Liberica 11.0.14: 33 security fixes (31 + 2 in FX) + 353 additional fixes,
- in Liberica 17.0.2: 30 security fixes (28 + 2 in FX) + 292 additional fixes.
List of security issues fixed
| CVE ID | cvss score | component | module | Attack vector (network/local) | Complexity (low/high) | Privileges (none/low) | User interaction (none/required) | Scope (changed/unchanged) | Confidentiality (low/none/high) | Integrity (low/none/high) | Availability (low/none/high) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-21341 | 5.3 | core-libs | java.io:serialization | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21365 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21282 | 5.3 | xml | jaxp | network | low | none | none | unchanged | low | none | none |
| CVE-2022-21291 | 5.3 | hotspot | runtime | network | low | none | none | unchanged | none | low | none |
| CVE-2022-21277 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21305 | 5.3 | hotspot | compiler | network | low | none | none | unchanged | none | low | none |
| CVE-2022-21299 | 5.3 | xml | jaxp | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21296 | 5.3 | xml | jaxp | network | low | none | none | unchanged | low | none | none |
| CVE-2022-21349 | 5.3 | client-libs | 2d | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21283 | 5.3 | core-libs | java.util | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21340 | 5.3 | security-libs | java.security | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21293 | 5.3 | core-libs | java.lang | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21294 | 5.3 | core-libs | java.util | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21360 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21366 | 5.3 | client-libs | javax.imageio | network | low | none | none | unchanged | none | none | low |
| CVE-2022-21248 | 3.7 | core-libs | java.io:serialization | network | high | none | none | unchanged | none | low | none |
Summary of fixes in Liberica JDK
CVEs fixed in Liberica per version:
- 17.0.2: 15 (15 + 0 in FX);
- 11.0.14: 15 (15 + 0 in FX);
- 8u322: 13 (13 + 0 in FX).
Notable upstream changes
Updated Timezone Data to 2021e
The issue is related to the time zone rules, which were updated by the IANA Time Zone Database in 2021. Some changes introduced in 2021b caused compatibility problems and contained several typos. The issue is resolved by updating to the 2021e release.
Corrected Files.walkFileTree method
In cases where a zip file contained the directory with “.” name, the Files.walkFileTree would walk infinitely. A bug causing a similar problem with “/” in the directory was fixed earlier.
The solution to this issue is to reject the zip files with “.” and “..” in name elements to be utilized as a file system. When the java.nio.file.FileSystems.newFileSystem(...) methods are invoked, such folders make them return the ZipException.
Fixed accidental cleaning of valid megamorphic vtable inline cache by GC
The issue was related to the GC behavior. A 10-year-old bug causing long “Concurrent Process Non-Strong References” times with ZGC (Z Garbage Collector) could trigger major latency and throughput issues for applications. In summary, the GC cleaned the megamorphic vtable call cache in some cases (see detailed description in Java Bug System) and after that, Java threads corrected the cleaned caches using ICStubs. Those caches then became megamorphic vtable calls again. As a result, the GC and Java threads continuously changed the inline cache between clean and megamorphic vtable calls and scheduled ICBufferFull safepoints. This could last for many seconds or several minutes. To verify that the issue was fixed, examine the logs after running with -Xlog:gc* safepoint.
Supported platforms
Liberica JDK is tested and proven to work on a large number of platforms.
Liberica JDK can be run in virtual and cloud environments. The following hypervisors are supported:
- Docker
- KVM
- Microsoft Hyper-V (gen 1 and gen 2)
- VirtualBox
- VMware vSphere Hypervisor
- Solaris Containers & Solaris LDOMs
Liberica JDK supports all major cloud providers, including but not limited to:
- Amazon AWS
- Digital Ocean
- Google Cloud
- Microsoft Azure
- OVH
- Packet
- Scaleway
- VMware Tanzu
- Yandex Cloud
Enjoy the most stable runtime!
BellSoft is committed to providing developers with the utmost Java experience. Therefore, we work constantly on improving the security and performance of our products, as well as keeping your runtime safe at all times.
The new Liberica JDK builds are available for download! Click here or on the button below to head over to Liberica Download Center.
