Several things to consider when applying updates to Java (aka the JVM, JDK, JRE)
And as important, if you may have skipped some Java updates before this one, there are some additional points to consider regarding some potentially important changes in updates you may be skipping.
In this post, I cover several topics in both those areas.
As you may know, Java updates happen quarterly, and while some people may do them regularly, many folks do not. This post is especially for them.
Here are the topics covered in this post. Most apply to anyone using (and updating) Java, but a couple apply specifically to users of Adobe ColdFusion (coldfusion.com), who are my primary audience in this blog:
- Obtaining, learning more about available JVM updates
- What about other JVM distributions besides Oracle?
- News for my CF audience (getting the Java updates from Adobe or Oracle, what CF versions support what JVM updates, how to apply the update, why you should NOT for now use Java 21 with CF, etc)
- Should you apply the update? how soon?
- Some things you may (or may not) want to carry forward to the new update
Then I cover a few things that you should be aware of if in moving to a later update you may be skipping over prior ones:
- Beware a change in the Jul 2023 JVM update, regarding Zip64ExtraFieldValidation
- Beware a change in the Jan 2023 JVM update, regarding a change in how the JDK installer works
- Beware a change in the Oct 2022 JVM update, regarding Java no longer trusting jars signed with SHA-1
- Beware a change in the Apr 2021 JVM update, regarding calls out to anything running TLS 1.1 or earlier
- Wrapping up, getting more help
I'll update this list above as later JVM updates may come out and have such key issues to beware.
I used to lay out all this information in a post I'd do on each update, but it made the posts very long--and only a small percentage of each post was about what was new in that specific JVM update. So I've decided to break out all that information into this post, and I will point to it when there are new JVM updates (in fact there was one today, which prompted me to write this).
Considerations about performing JVM updates
Let's focus first on those few general topics that apply for anyone considering applying any JVM update.
Obtaining, learning more about available JVM updates
As for obtaining the Java downloads from Oracle, you can find all the current versions on this one page. Note that while the top of the page offers the LATEST Java versions (Java 21 and 17 and above), those who may still be seeking Java 11 or 8 will find them offered later down the page. You DO need to sign in to the Oracle site to obtain the download files, an account is free. (And as I discuss below, the Adobe ColdFusion team also provides Oracle Java downloads for the versions they support.)
Note that there are available installers (or zips/archives you can extract) for Windows, MacOS, Linux, and more. Do pay attention to choose the right architecture for your OS (ARM64 vs x64 for Linux and macOS; 64-bit vs 32-bit on older Windows, etc.) Note that the installer (if available) walks one through installation, while the zip/archives can just be extracted. See available documentation offered there for more. Users of Java 8 should not (for as long as it remains supported) that the site above offers both a JRE as well as a JDK (where later versions only offer a JDK there). Again, see the docs for more on that. (Note also that prior to Java 9, releases of Java were referred to as versions 1.x, so Java 8 is referred to in many resources here as 1.8.)
Finally, as of this post in Jan 2024, Oracle regards Java 21, 17, 11, and 8 all as "long term support" or LTS releases, which still get updates. As for the versions "in between", 9-10, 12-16. 18-20, and 22 and beyond, Oracle had switched in 2018 to such short-term versions, which are released every 6 months, and are supported only for 6 months. See the Oracle site and other resources for more on all that.)
What about other JVM distributions besides Oracle?
Before moving on, I want to acknowledge that of course I do realize there are other distributions of Java besides Oracle's, from the OpenJDK to alternatives from Azul, Amazon, Microsoft, and others. Most of what I have shared in this post (and other Java posts I write) does apply to you regardless of where you get your JVM.
And I should note that some may be interested to hear that Oracle announced in Sep 2021 that Java 17 and above would again be free for commercial use, changing the policy starting with Java 11 and Java 8 updates from Apr 2019. See the page and FAQ offered on that page for more specifics.
FWIW, I choose to focus specifically on the Oracle JVM, because that's what's supported by the primary community I support, users of Adobe ColdFusion. (And while users of the open source Lucee CFML engine MAY choose to use Oracle's JVM, they are free to use other implementations--more below.) To be clear, Adobe licenses Oracle Java for use by ColdFusion users. They also have a FAQ with more on the topic.
Finally, see the discussion below on the state of support in CF for Java 17, 21, and above.
In any case, if you are not using Adobe ColdFusion, you can skip the next section. Continue below with "Should you apply the update? how soon?" and the subsequent sections.
News for my CF audience
Since the focus of my blog and work is indeed mostly focused on those using Adobe ColdFusion, let me turn attention briefly to a few points for them:
- Adobe also offers the Java downloads, so that CF users need not log into the Oracle site, as discussed above. Sometimes Adobe gets these posted as soon as Oracle releases them, but often it may take some days. See the CF Downloads page, and its last section offering Java installers, which includes the installers or zip/archive options
- While some assert that CF folks "must use those from the CF downloads page", every time I've done a binary compare of the files, they have been identical (at least for the identical build number, which may change slightly over time on the Oracle site though not the Adobe site). As this installer includes the Java license, I can't see how anyone (Even Adobe) could assert that it matters WHERE you get an identical installer or archive.
As for keeping posted on updates, as a CFer (other than my blog posts or news shared from others), note that if you use Pete Freitag's wonderful HackmyCF service, he generally gets it updated within the day or two of the release of a new JVM version, warning if you are not running that latest supported Java version for your given CF version.
As for what CF versions support what Java versions, and recalling how (as of this post) the current Java LTS versions include Java 21, 17, 11, and 8:
- See first and foremost a past blog post I've done with a table of what CF versions formally support what Oracle Java versions, which I try to keep updated as new major Java versions come out--and when CF support for them may change.
- In brief, again as of this post in Jan 2024, CF does not yet support Java 21 (or above). That may change in time. As for Java 17, only CF2023 (released in May 2023) comes with and supports that. As for the other currently supported version, ColdFusion 2021, it for now supports only Java 11 (just as the two prior CF versions do, CF2018 and 2016. (And note that updates to CF2018 have ended as of July 2023, so we will not see an update adding Java 17 support.)
- We should not expect Adobe to support anything but the LTS versions, not the short-term interim versions.
And before moving on, note that Adobe only formally supports using Oracle Java, not others, including OpenJDK.
(As I mentioned above, Lucee DOES support you using openJDK implementations, though note that as of early 2024 even Lucee 6 still supports at most only Java 11. Keep an eye on the Lucee system requirements page for any changes on this.)
Finally, as for how you would go about updating Java within CF:
- There are varying steps depending on how you installed CF (or Lucee, where it also depends on whether you're running it on Tomcat as a service), and so on. See the PDF or recording of my presentation, Updating the Java underlying ColdFusion
- I'll note that if you're using Commandbox, it can update the JVM automatically if you like.
- I can also offer direct remote consulting help. See the bottom section here..
Please note I also keep a page with notes about updating CF, including updating the JVM, the web server connector and more. The section on updating the Java underlying CF is here.
Let's move back to discussing topics beyond those specific to CF.
Should you apply the update? how soon?
(This and the remaining sections apply whether one may be using ColdFusion or not.)
As whether you "should" apply this JVM update (going from some earlier point release of a given version to another), of course each org has to decide for themselves whether the security fixes bug fixes, and any feature changes are of concern for them. Some folks/orgs tend to wait for some period of time to "let others be the guinea pigs", while others are concerned about security and so apply any new update with security fixes right away.
Of course, the best approach is to try things in a testing environment first, but many eschew that (for any of many reasons, at their peril). Even then, of course some problems don't show themselves in testing but only in production.
Even if you may not think you "need the changes in this update", do beware that this update would address issues (and vulnerabilities) fixed in PREVIOUS Java updates that you may have skipped. So it's always best to be on the latest update as soon as possible to the major JVM version that your software supports (whether Java 21 or 17, or perhaps still only Java 11 or 8).
Be careful also in considering what you may read in the Oracle security technotes: they may speak of how the fixes included in that update address vulns that were in the immediately preceding point release, which could mislead some. They may think, "oh, well since I am not ON that immediately preceding update, then I don't need this update!". No, the updates are cumulative--so those points may apply even if you are updating from a previous update. You really should look at the technotes for any preceding updates you've skipped to decide if that and those updates "affect you". But really, for most people, they should just stay updated, for the sake of ensuring they have all the latest security updates and bug fixes.
Some things you may (or may not) want to carry forward to the new update
One more thing to consider, before you may apply a new JVM update, is that there may well be changes you made to the current JVM that you may want to consider carrying forward to the new updated version.
For example, if you have imported certificates into your current JVM's keystore (lib/security/cacerts, by default), you may want to import those certificates into the NEW JVM once the update is completed. But then again, do beware that sometimes the reason that you "need" to import a cert is really because the old JVM is quite dated--such that merely updating the JVM may alone solve what led you to think you "needed" to import a new cert. I've seen it happen many times. (In fact, I have another blog post on the matter, on the Adobe site and written for my ColdFusion audience.) That said, don't make the mistake of merely copying the cacerts from one JVM update to another: that would be unwise, as the cacerts file itself changes with new root and intermediate certificates in each JVM update. Again, just give some thought (or perform testing) about whether you need to carry that "boat anchor" of a "new" cert needing to be imported again and again into new JVMs.
Or as I discuss below, if you have made modification to JVM settings stored WITHIN files of the JVM, such as in the file conf/security/java.security, then if you make such changes and later apply an update to that JVM, you will likely want to carry that change forward. But do be careful to note that (as I noted above) you should NOT just copy that java.security file from one JVM update to another: the default values in that file may change between updates. You should (carefully) apply any such change to the new file.
Topics to beware if skipping from earlier JVM updates
Next are a few topics you should consider if you are skipping to this JVM update either from earlier updates of this JVM (like Java 11.0.11 to 11.0.22, for example) or perhaps even from earlier JVM versions (like Java 8 to 11). I present them in chronological order with the most recent first, so that you can skip to the conclusion here after considering any that apply per whatever updates you may be skipping.
Note that I am not identifying here ALL the changes in each update, nor even each KEY change. My focus is on any change among any of updates in the past few years where I've helped many people overcome problems when they've moved to (or skipped past) the update that implemented the key change.
Beware a change in the Jul 2023 JVM update, regarding Zip64ExtraFieldValidation
If you may be skipping from a JVM update earlier than the one from July 2023 (which was versions 1.8.0_381, 11.0.20, 17.0.8, and 20.0.2), be aware that that release added what was regarded by Oracle as "improved validation of the ZIP64 Extra Fields contained within zip files and jar files. Files which do not satisfy these new validation checks may result in `ZipException : Invalid CEN header (invalid zip64 extra data field size)`".
As is noted in each of the release notes for those versions, "This validation may be disabled by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation to true." Curiously, the release notes for those four listed JVM versions (such as for Java 17 and for Java 11 don't offer as much detail about the issue as that above, which is from the Java 21 release notes. That's odd.
Anyway, that first link goes on to discuss how this issue has impacted users of various applications, some of which have implemented solutions. (And for my CF users, I discussed its initial and later impact on CF in a blog post when that Jul 2023 update came out. (And at the bottom of that post I'd also pointed out public discussions about the impact of this issue on other apps, wholly unrelated to CF.
Again, most affected apps have updates since then, and as for CF, the impact on download of CF updates was fixed within weeks of my initial post, and then the impact related to applying updates to CF was fixed by the CF updates released in Nov 2023--at least if you were on the update release in Oct 2023. For more, see the discussion of this in my blog post about the Nov 2023 CF updates.
Let's move on to other issues, that some people may hit based on changes in still-earlier Java updates.
Beware a change in the Jan 2023 JVM update, regarding the JDK installer
This next issue applies only if you use the JDK installer (versus the zip/archive extraction approach to installing Java), and has to do with a change in how that installer works as of Jan 2023, for Java 11 (as of that month's 11.0.18 update) or Java 17 (as of that month's 17.0.6 update). It's not a change in Java (the runtime), but just in how the installer works (for all OSs).
The JDK 11 and 17 installers will now attempt to remove any previous updates of that JVM version (as implemented by prior updates of that installer). If you're not expecting that, it could be quite a surprise. Indeed, it could try to remove a JVM that is pointed to by some existing app running on your machine, which may then fail to start when next restarted.
And to be clear, the JDK installer will also now use a folder name that does not hold the specific update number in the folder name, but only the major version (such as jdk11, versus previously jdk-11.0.17).
For more on all this, see my post from then in Jan 2023 .
Beware a change in the Oct 2022 JVM update, regarding Java no longer trusting jars signed with SHA-1
If you may be skipping from a JVM update earlier than the one from Oct 2022 (which was versions 1.8.0_351, 11.0.17, 17.0.5, and 19.0.1), be aware that as of that release Java no longer by default trusts jars signed with SHA-1, if created since 2019.
For more on this Java security change--and an available configuration change to "undo that protection" if needed (via a one-line tweak to your updated jvm's java.security file), see my post from Oct 2022 on that JVM updates.
BTW, relating this back to the previous topic, I confirmed that after using the new installer (from Jan 2023) and then applying the next update in Mar 2023, that installer did remove all JVM files currently in place in that new centrally named JDK folder (in my case, the jdk-11 folder). So that installer DID remove the change I'd made in the java.security file regarding this SHA-1 issue. So beware that any such changes to jvm files need to be made again after all subsequent JVM updates--assuming you use the JDK installer, and let it default to storing the new JVM update in the same folder that held the previous JVM update. Again, if you use the zip/archive approach to implementing a JVM update, this matter does not apply to you
Beware a change in the April 2021 JVM update, regarding calls out to anything running TLS 1.1 or earlier
Finally, If you may be skipping from a JVM update earlier than the one from April 2021 (Java 11.0.11 and 1.8.0_291, respectively), that had another rather important change you would inherit (in moving to newer JVM versions. It's also built into later JVM versions like Java 17 and 21, so you will also experience this in moving to those versions from earlier ones.)
Briefly, as of that update in Apr 2021 Java now no longer supports calling out (via https/tls) to servers that don't support at least TLS 1.2 or above. If you may have code be calling out to servers (via Java's httpclient, or cfhttp in CFML) or via configuration (such as the CF Admin pointing to database servers, mail server, ldap servers, and the like), then such requests will break if those servers don't yet support at least TLS 1.2 or above, once you apply this JVM update or later.
Of course, you may not be responsible for and may have no control over those other servers you're calling out to, so you may prefer to tell Java to allow you to keep calling out to those for now. You can do that, via a simple one-line configuration change in a Java configuration file (not JVM args). More in a moment. That said, note that you are removing a protection that Oracle thinks is in your interest (modern browsers had by then long warned of or even rejected https attempts to access servers if they didn't support at least TLS 1.2 or above. This change is about how Java itself reacts to them.)
For more on this Java security change, and the java.security file configuration change needed to "undo it", see my post from April 2021 on those JVM updates released then.
Wrapping up, getting more help
So there you have it, quite a few things to "keep in mind" before or upon applying JVM updates, whether that's updating your current JVM or moving to a newer version. Hope that's been helpful.
For direct help on any of these, I can offer remote screenshare consulting help and am usually able to quickly fix problems that might take many folks hours to resolve them (if they don't deal with these issues daily like I do, helping people).
Or of course, comments and questions are welcome below.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
There are no comments for this entry.
[Add Comment]