[Looking for Charlie's main web site?]

Announcing Java updates of Oct 2024 for 8, 11, 17, 21, and 23: thoughts and resources

It's that time again: there are new JVM updates released today (Oct 15, 2024) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 23. (The previous short-term release, Java 22, is no longer updated.)

TLDR: The new updates are 1.8.0_431 (aka 8u431), 11.0.25, 17.0.13, 21.0.5, and 23.0.1 respectively. Crazy that there are now 5 current Java releases, I realize. More below, including more on each of them including what changed as well as bug fixes and the security fixes each version contains (including their CVE scores regarding urgency of concerns), which are offered in Oracle resources I list below.

Oracle calls these updates "critical patch updates" (yep, "CPU"), but they are in fact scheduled quarterly updates, so that the "critical" aspect of this nomenclature may sometimes be a bit overstated. As is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

Whether this your first time updating Java or your fiftieth, there are some things that you may or may not know.

Topics:

Finding more info on these most recent Java updates

As for what changed in the updates, see the release notes for each of 1.8.0_431, 11.0.25, 17.0.13, 21.0.5, and 23.0.1. Again, the Java 22 updated previously in July is now no longer updated by Oracle.

These notes have sections on each of "New Features", "Known Issues", "Issues Fixed", "Other notes", and "Bug Fixes"--each as may apply to that specific update, which is why I am not listing all these changes here. See the release note for the update you are considering applying. That said, some changes may indeed be (and typically are) found in all four versions.

Key changes discussed in the release notes

Before discussing obtaining and applying the update, let's talk first about some of the key changes identified in the release notes.

New security debug args, at least for Java 17 and 21

I've noticed that the release notes for this update of Java 17 and 21 (but not 11 or 8, nor curiously 23) indicate that there are new arguments available to control the output created using Java security debugging, including showing timestamps and more. Take a look, for example, at the discussion of the topic in the update release notes for Java 17.0.13.

A change in "New Default Limits in the JDK HTTP Implementations"

I do want to call out one particular change. All the release notes for each of the updates above have a section labelled, "New Default Limits in the JDK HTTP Implementations". To be clear, this is about a change in calls made OUT to other resources from within Java, such as via HttpClient or HttpURLConnection (or within CFML, via cfhttp or the like). With the change, such calls out "now have a default limit on the maximum response headers size they will accept from a remote party".

Various changes related to tls/https/certificate issues

Like most Java updates, this update (for all versions) discuss also various changes related to tls/https/certificate issues. Most may not affect everyone, but some may affect you. I'll leave you to look into the release notes for your specific version to understand more on this.

A major change in licensing of Java 17

As of this Oct 2024 update, the license for Java 17 (specifically, not the earlier or the later updates) is changing. For more, see the specific section on the change in the Java 17 release notes. (Users of Adobe ColdFusion 2023, which uses Java 17, need not be concerned as Adobe has licensed Oracle Java for use with CF.)

Let's get back now to general info about getting the updates...

Finding more on security matters addressed in these Java updates

As for security fixes included in this update, that's covered elsewhere. You will (soon, if not now) be able to see the single document listing Java security fixes in these most recent updates and the Text Form of Risk Matrix for Oracle Java SE, for this most recent update.

Pay close attention to "notes" offered there for each vulnerability, as that may temper the severity. Watch that many times the listed issues indicate that they "[do] not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator)", which may reduce the concern for you about them depending on your perspective. Or they may be indicated as being about a vulnerability that may be "difficult to exploit".

That said, these documents could also change between now and when you see this post, so it's your responsibility to assess that information carefully. And regardless of whether such vulnerabilities may seem to apply to you, generally folks should seek to keep their JVM updated, or at least avoid falling too far behind.

(Note as well that while both these documents cover ALL Oracle products, I have offered in the fist paragraph above links to the Java-specific sections of the pages. Focus on references to "Java SE" rather than any specific to GraalVM, which is not the focus of the discussion in this post.)

Obtaining the JVM update, from Oracle

As for obtaining downloads of Java updates, you can find all the current versions on this one page. Note that there are tabs for the installers for each supported OS (Linux, macOS, and Windows).

That said, note that while the TOP of the page offers the LATEST Java versions (Java 21 and above), you will find Java 17, Java 11 and 8 are offered LATER down the page (which is easy to miss).

And while you DO need to sign in there to obtain the Java 17, 11 and 8 download files, an account is free. (The updates for Java 21 and above do NOT require a login on the Oracle site.) All this has to do with licensing of Java--but users of Adobe ColdFusion (my primary audience) should note that Adobe licenses Oracle Java for our use of it with CF. More in another blog post that I discuss below.

Obtaining the JVM update, from Adobe

And since the focus of my blog and work is indeed mostly focused on those using Adobe ColdFusion (coldfusion.com), I will clarify for them that Adobe also offers the Java downloads as well, so that CF users need not log into the Oracle site as discussed above. Sometimes Adobe gets these downloads posted as soon as Oracle releases them, but often it may take some days.

See the CF Downloads page, and its last section offering Java installers, which includes the installers or zip/archive options, for each of Windows, Linux, and MacOS.

As an update since my original post, the Adobe downloads page for CF-related installers DOES now have the downloads for this latest update (it did not have them when I wrote this post.)

And while some assert that CF folks "must use those from the CF downloads page", every time I've done a binary compare of the files, they have been identical (at least for the identical build number, which may change slightly over time on the Oracle site though not the Adobe site). As this installer includes the Java license, I can't see how anyone could assert that it matters WHERE you get an identical installer.

Other topics you may be interested to know, and where I discuss them

Some readers may find the above so far to have been "a lot to consider" already, but there is indeed far more that you could and should consider before applying a Java update. And for a few years, I would cover such additional topics within this sort of blog post, each time I announced the new JVM update. But I've decided recently to split that off into its own blog entry, and I will point to that instead in each of these such JVM update announcement posts, in order to keep this relatively "brief".

In that other post, I address such issues as :

  • Obtaining and learning still more about available JVM updates
  • What about other JVM distributions besides Oracle?
  • News for my CF audience (which CF versions support what JVM versions, how to apply the update, why you should NOT for now use Java 21 with CF, etc)
  • Should you apply the update? how soon?

Then I cover a few things that you should be aware of if skipping over previous JVM updates:

Again, that other post of mine with more info is here: Several things to consider when applying JVM updates.

Wrapping up, getting more help

I hope all that may be helpful for you.

Finally, feel free to ask questions or raise comments below, or for direct help note that I offer remote screenshare consulting help, where I am usually able to quickly fix problems (that might take many folks hours to resolve--if they don't deal with these issues daily like I do in helping people).

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Comments
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting