Announcing Java updates of Oct 2021 for 8, 11, and 17: resources and thoughts
Note: This blog post is from 2021. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.New JVM updates have been released yesterday (Oct 19, 2021) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17. (Note that prior to Java 9, releases of Java were known technically as 1.x, to 8 is referred to in resources below as 1.8.) While the news has been announced by Oracle and shared in the IT press, I know that some of my readers don't necessarily follow those sources closely.
The new updates are 1.8.0_311, (aka 8u311), 11.0.13, and 17.0.1, respectively).
For more on them, including information on the security fixes and bug fixes they each contain, see the Oracle resources I list below, as well as some additional info I offer for if you may be skipping to this from a JVM update from before Apr 2021, as well as info for Adobe ColdFusion users on where to find the updated Java versions, what JVM versions Adobe CF supports, and more.
Finding more info on these Oct 2021 Java updates
First, see the technotes for each of 1.8.0_311, 11.0.13, and 17.0.1.
Second, see the Java security fixes in these Oct 2021 updates, and a more elaborated discussion of these Java security issues . Both those documents cover all Oracle products, but I have linked to the JAva-specific sections of the pages
Finally, see the several dozen bug fixes in each: bug fixes for 1.8.0_311, bug fixes for 11.0.1 and bug fixes for 17.0.1.
If you are not using Adobe ColdFusion, you can skip the next section.
News for my CF audience (you CAN get the Java updates from Adobe now, you should NOT for now use Java 17)
Since the focus of my blog and work is indeed mostly focused on those using Adobe ColdFusion, I will clarify for them that:
- The Adobe downloads page does indeed already have the downloads today for Java 11.0.13 and 1.8.0_311. Thanks for that quick reaction, Adobe! (In the past, it's taken days or even weeks, causing a lot of confusion and heartburn.)
- If you use Pete Freitag's wonderful HackmyCF service, he too has already updated his service to detect if you are not yet running the updated versions of either Java 1.8 or 11. You can expect a notification warning you about that soon, if you have not already gotten one. Pete's good like that!
- While Java 17 is indeed a new long-term support release for Java, so too still are Java 8 and 11. And ColdFusion 2021 and 2018 (the currently supported CF versions) do NOT yet support Java 17. They only support Java 11. (While CF2018 did support Java 12 for a time, that version lived only for 6 months, like all version between 11 and 17, so Adobe did not "keep up" with all those short-term versions.) We can expect a coming update to CF 2021 (and hopefully 2018) to add support for Java 17, as has been the pattern in the past.
- If it may help you, see a past blog post I've done with a table of what CF versions formally support what Oracle Java versions. And in a post I did on the Apr 2019 jvm updates (which I point to in that "table" post), I cover such things as how
CF only formally supports Oracle Java and not others, the short-lived Java 12 support, and more. - Finally, if you are on older, unsupported versions of CF (CF2016 or earlier) or Java (older updates to Java 11 or 8, or Java 7 or earlier), you are playing a dangerous game of Russian Roulette. You may not have been struck yet, but just last week I shared a post about a nasty ransomware vulnerability hitting those who had failed to update CF with a fix Adobe provided 10 years ago!. Even CF2016, last updated in March 2021, does not have security fixes in the updates for CF2018 and 2021 that Adobe released in Sept 2021, and any beyond.
Should you apply the update? how soon?
This and the next section apply whether you may be using CF or not. Each org has to decide for themselves if the security fixes bug fixes, and any feature changes are of concern for them. Some folks/orgs tend to wait for some period of time to "let others be the guinea pigs", while others are concerned about security and so apply any new update with security fixes right away.
Of course, the best approach is to try things in a testing environment first, but many eschew that (for any of many reasons, at their peril). Even then, of course some problems don't show themselves in testing but only in production.
As noted in the security page above, even if you may not think you "need the changes in this update", do beware that you would be vulnerable to problems fixed in PREVIOUS updates. So it's always best to be on the latest update to the JVM version (like Java 8 or 11) you're using, as soon as possible.
And I can help with that. I have various other resources I have created (blog posts, presentations), and I can also offer direct remote consulting help. I list several resources related to update CF and the JVM at my cfupdate page.
Beware a change in the April 2021 JVM update, if you may be skipping over it
Finally, I want to point out that if you may be moving to this JVM update from an older one from before the JVM updates released in April 2021 (Java 11.0.11 and 1.8.0_291, respectively), do note that when you apply this update you will therefore inherit a rather important change that was introduced in those updates (and which remains, after them.)
Briefly, Java now no longer supports calling out (via https/tls) to servers that don't support at least TLS 1.2 or above. If you may be calling out to servers (via cfhttp or Java's httpclient, or via configuration of the CF Admin pointing to database servers, mail server, ldap servers, and the like), such requests will break upon applying those or later JVM updates.
Of course, you may not be responsible for and may have no control over those other servers, so you may prefer to tell Java to allow calling out to those. You can do that, via a simple one-line configuration change in a Java configuration file (not JVM args). That said, you are removing a protection that Oracle thinks is in your interest (modern browsers do also warn or even reject attempts to access servers via https if they don't support at least TLS 1.2 or above. This change is about how Java itself reacts to them.)
For more on this Java security change, and that configuration change needed to "undo it", see my post from April 2021 on those JVM updates released then.
Again, for direct help on any of these, I can offer remote screenshare consulting, and am usually able to quickly fix problems that might take many folks hours to resolve them (if they don't deal with these issues daily like I do, helping people). Or of course, comments and questions are welcome below.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
There are no comments for this entry.
[Add Comment]