
Announcing Java updates of Jul 2023 for 8, 11, 17, and 20: resources and thoughts

It's that time again: there are new JVM updates released today (Jul 18, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 20.

TLDR: The new updates are 1.8.0_381 (aka 8u381), 11.0.20, 17.0.8, and 20.0.2, respectively. For more on each of them, including what changed and the security fixes each contains (including the CVSS scores indicating each CVE's severity), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so the "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of the changes and fixes are the same across the 4 JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

(As for this set of Jul 2023 updates and their security fixes, I will at least note that in terms of their severity, the security bulletin discussed below indicates that all the vulnerabilities are "difficult to exploit". Still, generally folks should seek to keep their JVM updated.)

Overview

Here are the topics covered in this post, first a few on this update and JVM updates in general:

  • Finding more info on these Jul 2023 Java updates
  • What about other JVM distributions besides Oracle?
  • News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
  • Should you apply the update? how soon?

Then several things that you should be aware of, whether about this update or recent JVM updates you may be skipping over:

  • Beware a change in this Jul 2023 JVM update regarding Zip64ExtraFieldValidation
  • Beware a change in the January 2023 JVM update regarding the JDK installer
  • Beware a change in the October 2022 JVM update regarding Java no longer trusting jars signed with SHA-1
  • Beware a change in the April 2021 JVM update
  • Wrapping up, getting more help

About the update and applying JVM updates in general

Here first are those few broad topics about this update in particular and some about applying JVM updates in general.

Finding more info on these Jul 2023 Java updates

First, as for what changed in the updates, see the technotes for each of 1.8.0_381, 11.0.20, 17.0.8, and 20.0.2. Again, some changes may be in all 4 versions, while other changes may be only in specific versions. You should look carefully at the note for the version YOU are running.

(Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in many resources here as 1.8.)

Second, regarding security fixes included, see the Java security fixes in these Jul 2023 updates or Text Form of Risk Matrix for Oracle Java SE. And as always, see the "notes" offered for each vulnerability, as that may temper the severity. (Note that both those documents cover all Oracle products, but I have linked to the Java-specific sections of the pages.)

Third, see the listing of specific bug fixes included in each update, as offered in a link at the bottom of those update technotes for each release above. There may be some change that's important for you.

As for obtaining the Java downloads, you can find all the current versions on this one page. But do note that while the top of the page offers the LATEST Java versions (Java 17 and above), you will find Java 11 and 8 offered later down the page. And while you DO need to sign in there to obtain the download files, an account is free.

(As I discuss below, the Adobe ColdFusion team also provides Java downloads for the versions they support.)

What about other JVM distributions besides Oracle?

Before moving on, I want to acknowledge that of course I do realize there are other distributions of Java besides Oracle's, from the OpenJDK to alternatives from Azul, Amazon, Microsoft, and others.

And while SOME of what I share in my JVM update notes, like this one, may well apply to those other distributions, I choose here to focus specifically on the Oracle JVM, because that's what's supported by the primary community I support, users of Adobe ColdFusion. (And while users of the open source Lucee CFML engine MAY choose to use Oracle's JVM, they are free to use other implementations.) Adobe licenses Oracle Java for use by ColdFusion users.

(Before leaving this subject, I should note that some may be interested to hear that Oracle announced in Sep 2021 that Java 17 and above would again be free for commercial use. See the page and FAQ offered there for more specifics. And CF users, see the next section on the state of support in CF for Java 17.)

In any case, if you are not using Adobe ColdFusion, you can skip the next section. Continue below with "Should you apply the update? how soon?" and the subsequent sections.

News for my CF audience

Since the focus of my blog and work is indeed mostly focused on those using Adobe ColdFusion, I will clarify for them that:

  • Adobe also offers the Java downloads, so that CF users need not log into the Oracle site, as discussed above. Sometimes Adobe gets these posted as soon as Oracle releases them, but often it may take some days.
  • The Adobe downloads page for CF-related installers DOES now have the updated Java downloads in its bottom section. (It did not have them when I wrote this post, so this is an update to that.)
  • And while some assert that CF folks "must use those from the CF downloads page", every time I've done a binary compare of the files, they have been identical (at least for the identical build number, which may change slightly over time on the Oracle site though not the Adobe site). As this installer includes the Java license, I can't see how anyone could assert that it matters WHERE you get an identical installer.

As for keeping posted on updates, as a CFer (other than my blog posts or news shared from others), note that if you use Pete Freitag's wonderful HackmyCF service, he generally gets it updated within the day or two of the release of a new JVM version, warning if you are not running that latest supported Java version for your given CF version.

As for keeping track of what CF versions support what Java versions:

  • See first a past blog post I've done with a table of what CF versions formally support what Oracle Java versions.
  • While Java 17 is indeed a new long-term support release for Java, so also are Java 8 and 11 still LTS releases. And while the new CF2023 (released in May) DOES come with Java 17, note that ColdFusion 2021 and 2018 (the previous two CF versions) do NOT support Java 17. They only support Java 11. And note that updates to CF2018 have ended as of July 2023, so we will not see an update adding Java 17 support.
  • As for Java 20, that is a short-term release (like 12-16 and 18-19 had been), and I don't expect Adobe to support it. As for the next LTS release, Java 21, we'll see how things go when we get there in Sept 2023.
  • And in a post I did on the Apr 2019 jvm updates (which I point to in that "table" post), I cover such things as how CF only formally supports Oracle Java and not others, the short-lived Java 12 support, and more.
  • Before moving on, let me note that if you ARE on an older, unsupported version of CF (CF2016 or earlier) or Java (older updates to Java 11 or 8, or Java 7 or earlier), you're playing a dangerous game of Russian Roulette. You may not have been struck yet, but in Oct 2021 I offered a post about a nasty ransomware vulnerability hitting those who had failed to update CF with a fix Adobe had provided years ago! Even CF2016, last updated in March 2021, does not have the security fixes in the updates for CF2018 and 2021 that Adobe released in Sept 2021, and any beyond. Don't be "that person", still running such older CF versions.

As for how you would go about updating Java within CF:

  • There are varying steps depending on how you installed CF (or Lucee, where it also depends on whether you're running it on Tomcat as a service), and so on. See the PDF or recording of my presentation, Updating the Java underlying ColdFusion.
  • I'll note that if you're using Commandbox, it can update the JVM automatically if you like.
  • I can also offer direct remote consulting help. See the bottom section here.

Should you apply the update? how soon?

(This and the remaining sections apply whether one may be using CF or not.)

As to whether you "should" apply this JVM update (going from some earlier point release of a given version to another), of course each org has to decide for themselves whether the security fixes, bug fixes, and any feature changes are of concern for them. Some folks/orgs tend to wait for some period of time to "let others be the guinea pigs", while others are concerned about security and so apply any new update with security fixes right away.

Of course, the best approach is to try things in a testing environment first, but many eschew that (for any of many reasons, at their peril). Even then, of course some problems don't show themselves in testing but only in production.

As noted in the security discussion above, even if you may not think you "need the changes in this update", do beware that you would be vulnerable also to problems fixed in PREVIOUS updates, that you've not yet applied. So it's always best to be on the latest update to the JVM version (like Java 8 or 11) that you're using, as soon as possible.

I'll add that the Oracle security technotes above may speak of how the fixes included in this update address vulns in the immediately preceding point release, which could mislead some. They may think, "oh, well since I am not ON that immediately preceding update, then I don't need this update!". No, no, no. You'd really need to look at the technotes for THAT preceding point release and so on--all the preceding ones, back to the point release you ARE now running--to decide if these updates to that version "affect you". But really, for most people, they should just stay updated, for the sake of ensuring they have all the latest security updates and bug fixes.

As for whether there are any "issues" arising out of the new update, only time will tell, as more and more implement it, and share their experiences, whether in the community, or below or to me directly. If I learn of anything significant, I may create a new blog post and link to it here.

Along those lines I want to take a moment to point out some issues that may hit folks if they are moving to this update from prior ones (or, where you made a configuration change to the JVM you currently have, that change may need to be made again in this new update).

Topics to beware if skipping from earlier JVM updates

Next are a few topics you should consider if you are skipping to this JVM update either from earlier updates of this JVM (like Java 11.0.10 to 11.0.20, for example) or perhaps even earlier JVM versions (like Java 8 to 11).

Beware a change in this Jul 2023 JVM update regarding Zip64ExtraFieldValidation

Update: this item is an update since my original post. And while what I'm about to say applies for now only to users of Adobe ColdFusion (my main audience), time may show that the issue applies more broadly.

Just after the release of this Java update, I and others found that if we changed CF to use it, then when attempting to download CF updates via the CF Admin they would fail with "Failed Signature verification" (CF is based on Java, and the update downloader is downloading the CF update via a java httpclient call under the covers). Then installing the CF update from the Admin would seem to "do nothing".

I found the problem to be related to a change implemented in this Jul 2023 JVM update, and it's related to Zip64ExtraFieldValidation. I also offer a solution and some thoughts in a post with more on that.

Beware a change in the January 2023 JVM update regarding the JDK installer

As I mentioned briefly above, note that if you use the JDK installer to install Java and may be skipping to these latest updates of Java 11 and 17 (11.0.19 or 17.0.7) without having applied the Jan 2023 updates (11.0.18 and 17.0.6), please note there was an important change in the installer (for all OSs) as of those Jan 2023 updates. The JDK installer will attempt to remove any previous updates of that JVM version implemented by prior updates of that installer. (That means it could remove the JVM pointed to by some existing app, which will fail to start when next restarted.)

The JDK installer will also now use a folder name that does not hold the specific update number in the folder name, but only the major version.

For more on all this, see my post from Jan 2023 on those JVM updates released then.

Update: I can confirm after having applied this update (11.0.19), the installer also removes and replaces ALL files in the folder it creates. So in the case of the matter I discuss in the next section here (about modifying the java.security file, if needed), I can confirm that the new installer DID remove the change I had made to that file after the last installer. So any such changes need to be made after all subsequent JVM updates. It wasn't clear if this would be the case, since the JDK installer from Jan 2023 was the first time it changed to using a single folder for all subsequent updates to that version.

Beware a change in the Oct 2022 JVM update regarding Java no longer trusting jars signed with SHA-1

Similarly, if you may be moving to this JVM update from an older one from before the JVM updates released in Oct 2022 (Java 11.0.17 and 1.8.0_351, respectively), note also that when you apply this update you will therefore inherit a rather important change that was introduced in those updates (and which remains in effect after them).

As discussed in the release notes, from this point forward Java would no longer trust jars signed with SHA-1, if created since 2019. For more on this Java security change--and an available configuration change to "undo that protection" (via the jvm's java.security file) if needed, see my post from Oct 2022 on those JVM updates released then.
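To find which of your jars would be affected before applying such an update, here is an added example of my own (not code from the post or from Oracle): a Python script that walks a directory for jars and reports signers whose signature files (META-INF/*.SF) or signature blocks (META-INF/*.RSA, *.DSA, *.EC) use SHA-1. It cannot tell when a jar was signed or whether the signer's certificate chains to a CA the JDK trusts, both of which the JDK rule also considers, so treat its output as a list of candidates to confirm with jarsigner. The two sample jars it builds are constructed for the demo and would not actually verify.

```python
"""Inventory jars whose signatures use SHA-1, ahead of a JVM update.

Added example (not from the original post or from Oracle). It walks a
directory for *.jar files and inspects the signature files (META-INF/*.SF)
and signature blocks (META-INF/*.RSA, *.DSA, *.EC) that jarsigner writes.
"""
import os
import re
import tempfile
import zipfile

# A .SF file carries headers such as "SHA-256-Digest-Manifest:" and
# "SHA1-Digest:"; the text before "-Digest" names the digest algorithm.
SF_DIGEST_RE = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?\s*:", re.MULTILINE)

# DER encodings of digest-algorithm OIDs found in the PKCS#7 signature block.
# A plain byte search is a heuristic, not a full ASN.1 parse.
OID_PATTERNS = {
    b"\x06\x05\x2b\x0e\x03\x02\x1a": "SHA1",                     # 1.3.14.3.2.26
    b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01": "SHA256",  # 2.16.840.1.101.3.4.2.1
}
WEAK = {"SHA1", "MD5", "MD2"}
BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def normalize(alg: str) -> str:
    """'SHA-256' and 'SHA256' are the same algorithm; compare without dashes."""
    return alg.upper().replace("-", "")


def signature_algorithms(jar_path: str) -> dict:
    """Return {signer name: set of digest algorithms} for each signer in the jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not name.startswith("META-INF/"):
                continue
            base, ext = os.path.splitext(name[len("META-INF/"):])
            ext = ext.upper()
            if ext == ".SF":
                text = zf.read(name).decode("utf-8", errors="replace")
                algs = {normalize(m.group(1)) for m in SF_DIGEST_RE.finditer(text)}
                found.setdefault(base, set()).update(algs)
            elif ext in BLOCK_SUFFIXES:
                blob = zf.read(name)
                algs = {alg for pat, alg in OID_PATTERNS.items() if pat in blob}
                found.setdefault(base, set()).update(algs)
    return found


def find_weakly_signed(root: str) -> list:
    """List (jar path, signer, weak algorithms) for every jar under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                signers = signature_algorithms(path)
            except zipfile.BadZipFile:
                continue  # unreadable jar: worth its own report, not this one
            for signer, algs in signers.items():
                weak = algs & WEAK
                if weak:
                    hits.append((path, signer, sorted(weak)))
    return hits


def build_sample_jars(directory: str) -> None:
    """Write two constructed jars: one SHA-1 signed, one SHA-256 signed.
    The signature blocks are fake bytes holding only the OID encodings."""
    samples = {
        "legacy-lib.jar": ("SHA1", b"\x30\x80\x06\x05\x2b\x0e\x03\x02\x1a" + b"\x00" * 8),
        "modern-lib.jar": ("SHA-256", b"\x30\x80\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01" + b"\x00" * 8),
    }
    for fn, (alg, block) in samples.items():
        with zipfile.ZipFile(os.path.join(directory, fn), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/VENDOR.SF",
                        "Signature-Version: 1.0\r\n"
                        f"{alg}-Digest-Manifest: AAAA\r\n\r\n"
                        "Name: com/example/Foo.class\r\n"
                        f"{alg}-Digest: BBBB\r\n\r\n")
            zf.writestr("META-INF/VENDOR.RSA", block)
            zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")


def demo() -> list:
    """Build the constructed jars in a temp dir and scan them (self-contained run)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jars(d)
        return find_weakly_signed(d)


if __name__ == "__main__":
    for path, signer, algs in demo():
        print(f"{path}: signer {signer} uses {', '.join(algs)}")
```

Point find_weakly_signed() at a CF or Lucee lib folder (or any directory of jars) to get the list of signers to investigate; a jar that appears here is not necessarily blocked, since the JDK rule also looks at the signing date and the certificate chain, but it is the set worth checking before the update rather than after.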

Beware a change in the April 2021 JVM update, if you may be skipping over it

Finally, if you may be moving to this JVM update from an older one from before the JVM updates released in April 2021 (Java 11.0.11 and 1.8.0_291, respectively), those had another rather important change you would inherit.

Briefly, Java now no longer supports calling out (via https/tls) to servers that don't support at least TLS 1.2. If you may be calling out to servers (via cfhttp or Java's httpclient, or via configuration of the CF Admin pointing to database servers, mail servers, ldap servers, and the like), such requests will break upon applying those or later JVM updates, if those servers don't yet support at least TLS 1.2.

Of course, you may not be responsible for and may have no control over those other servers you're calling out to, so you may prefer to tell Java to allow you to keep calling out to those for now. You can do that, via a simple one-line configuration change in a Java configuration file (not JVM args). More in a moment. That said, you are removing a protection that Oracle thinks is in your interest (modern browsers do also warn or even reject attempts to access servers via https if they don't support at least TLS 1.2 or above. This change is about how Java itself reacts to them.)

For more on this Java security change, and the java.security file configuration change needed to "undo it", see my post from April 2021 on those JVM updates released then.
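Since the JDK installer replaces every file in its folder (as noted in the Jan 2023 section above), it is worth confirming after each update that a java.security file still carries the protections from this section and from the SHA-1 jar section. The following is an added example of mine, not from the post: it reads the properties format (including backslash continuation lines) and reports whether TLSv1 and TLSv1.1 are still listed as disabled and whether a SHA1 entry is still present in jdk.jar.disabledAlgorithms. The two embedded samples are constructed, modelled on the file's layout rather than copied from any JDK; the property names jdk.tls.disabledAlgorithms and jdk.jar.disabledAlgorithms are the real ones.

```python
"""Audit a java.security file for the TLS and SHA-1 jar protections.

Added example, not from the original post. Parses the file's properties
(with backslash line continuation) and reports whether
  - jdk.tls.disabledAlgorithms still disables TLSv1 and TLSv1.1, and
  - jdk.jar.disabledAlgorithms still carries a SHA1 entry.
Run it after every JDK installer run, since the installer replaces the file.
"""
import sys

# Constructed excerpt modelled on the layout of a java.security file; the
# exact default values vary by update, so treat this as sample input only.
SAMPLE_DEFAULT = """\
# Sample, not a real file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01
"""

# The same sample after someone re-enabled TLS 1.0/1.1 and dropped the SHA1 rule.
SAMPLE_RELAXED = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
"""


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value, '#'/'!' comments, and a trailing
    backslash that joins the next line onto the current one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_entries(props: dict, key: str) -> list:
    """Split a disabledAlgorithms value into its comma-separated entries."""
    return [e.strip() for e in props.get(key, "").split(",") if e.strip()]


def audit(text: str) -> dict:
    """Return {check name: True if the protection is present, else False}."""
    props = parse_properties(text)
    # Each entry's first token names the algorithm ("TLSv1", "DH keySize < 1024" -> "DH").
    tls = {e.split()[0] for e in disabled_entries(props, "jdk.tls.disabledAlgorithms")}
    jar = {e.split()[0] for e in disabled_entries(props, "jdk.jar.disabledAlgorithms")}
    return {
        "tls1.0_disabled": "TLSv1" in tls,
        "tls1.1_disabled": "TLSv1.1" in tls,
        "sha1_signed_jar_rule": "SHA1" in jar,
    }


def audit_file(path: str) -> dict:
    """Audit a real java.security file, e.g. <jdk>/conf/security/java.security."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_DEFAULT)
    for name, present in findings.items():
        print(f"{'OK     ' if present else 'MISSING'} {name}")
```

Pass the path of the java.security file in the JVM that CF (or whatever app) actually runs against; a MISSING line after an installer run tells you whether the update restored a protection you had deliberately relaxed, or wiped a setting you still need, which is the point the Jan 2023 section makes about changes not surviving the installer.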

Wrapping up, getting more help

Again, for direct help on any of these, I can offer remote screenshare consulting help and am usually able to quickly fix problems that might take many folks hours to resolve (if they don't deal with these issues daily like I do, helping people). Or of course, comments and questions are welcome below.

Comments
Hi Charlie, thanks for your posts on Java updates, always a good reminder! Just noticed 21.0.1, 17.0.9, 11.0.21 and 8u391 were released last week and the relevant ones are already available to download via Adobe.
# Posted By Chris | 10/24/23 12:11 AM
Yep on both counts, Chris, and thanks. I've been slammed in recent days/weeks, and I have posts to do on that update, as well as the recent cf update, and the fr 11 release, to name just a few.
Copyright ©2024 Charlie Arehart