Announcing Java updates of Jan 2024 for 8, 11, 17, and 21: resources and thoughts
TLDR: The new updates are 1.8.0_401 (aka 8u401), 11.0.22, 17.0.10, and 21.0.2 respectively). For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. Again, more details below. And as is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.
For some folks, that's all they need to hear. For others, read on.
Finding more info on these Jan 2024 Java updates
As for what changed in the updates, see the technotes for each of 1.8.0_401, 11.0.22, and 17.0.10, and 21.0.2.
These notes have sections on each of "New Features", "Known Issues", "Issues Fixed", "Other notes", and "Bug Fixes"--each as may apply to that specific update, which is why I am not listing all these changes here. See the technote for the update you are considering applying. That said, some changes may indeed be (and typically are) found in all four versions.
Finding more on security matters addressed in these Jan 2024 Java updates
As for security fixes included in this update, that's covered elsewhere.
See the single document listing Java security fixes in these Jan 2024 updates and the Text Form of Risk Matrix for Oracle Java SE.
Pay close attention to "notes" offered there for each vulnerability, as that may temper the severity. (Note as well that while both these documents cover ALL Oracle products, I have offered here links to the Java-specific sections of the pages. Focus on references to "Java SE" rather than any specific to GraalVM, which is not related to the discussion in this post.)
As for this set of Jan 2024 updates and their security fixes, I can also note that in terms of their severity, the risk matrix linked to above indicates that highest CVE score is 7.5 and that all the vulnerabilities are "difficult to exploit"--and many "[do] not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).".
That said, these documents could change between now and when you see this post, so it's your responsibility to assess that information carefully. And regardless of whether such vulnerabilities may seem to apply to you, generally folks should seek to keep their JVM updated, or at least avoid falling too far behind.
Obtaining the JVM update, from Oracle
As for obtaining downloads of Java updates, you can find all the current versions on this one page.
But do note that while the top of the page offers the LATEST Java versions (Java 17 and above), you will find Java 11 and 8 offered later down the page.
And while you DO need to sign in there to obtain the download files, an account is free.
Obtaining the JVM update, from Adobe
Since the focus of my blog and work is indeed mostly focused on those using Adobe ColdFusion (coldfusion.com), I will clarify for them that Adobe also offers the Java downloads as well, so that CF users need not log into the Oracle site as discussed above. Sometimes Adobe gets these posted as soon as Oracle releases them, but often it may take some days.
See the CF Downloads page, and its last section offering Java installers, which includes the installers or zip/archive options.
That said, as of my posting this today, the Adobe downloads page for CF-related installers does not yet have the downloads for this latest update.
And while some assert that CF folks "must use those from the CF downloads page", every time I've done a binary compare of the files, they have been identical (at least for the identical build number, which may change slightly over time on the Oracle site though not the Adobe site). As this installer includes the Java license, I can't see how anyone could assert that it matters WHERE you get an identical installer.
Other topics you may be interested to know, and where I discuss them
Some may find the above to have been "a lot to consider", but there is indeed far more you could and should consider before applying a Java update. And for a few years, I would cover such topics ALSO within this sort of blog post, each time I announced the new JVM update. I've decided now to split that off into its own blog entry, and I will point to it instead in each of these such update announcements, to try to keep this relatively "brief".
In that other post, I address such issues as :
- Obtaining, learning more about available JVM updates
- What about other JVM distributions besides Oracle?
- News for my CF audience (what CF versions support what JVM updates, how to apply the update, why you should NOT for now use Java 21 with CF, etc)
- Should you apply the update? how soon?
Then I cover a few things that you should be aware of if skipping over previous JVM updates:
- Beware a change in this Jul 2023 JVM update, regarding Zip64ExtraFieldValidation
- Beware a change in the January 2023 JVM update, regarding a change in how the JDK installer works
- Beware a change in the October 2022 JVM update, regarding Java no longer trusting jars signed with SHA-1
- Beware a change in the April 2021 JVM update, regarding calls out to anything running TLS 1.1 or earlier
That post is here: Several things to consider when applying JVM updates.
Wrapping up, getting more help
Finally, feel free to ask questions or raise comments below, or for direct help I offer remote screenshare consulting help, where I am usually able to quickly fix problems (that might take many folks hours to resolve them--if they don't deal with these issues daily like I do in helping people).
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
There are no comments for this entry.
[Add Comment]