Visit Azul.com Support

Release Notes of Azul Zing Stream and Stable Builds of OpenJDK

Table of Contents
Need help?
Schedule a consultation with an Azul performance expert.
Contact Us
Note
This page contains release notes for versions 20.02.1.0 and newer.

Azul Zing Builds of OpenJDK (Zing) are available in two versions:

  1. Stream Builds: Fast-moving monthly releases (end of the month) that include all of the latest features and changes that are part of PSU releases. Free for development and evaluation. Use in production requires an active subscription.

    Current latest: 24.10.0.0

  2. Stable Builds: Builds that incorporate only CPUs, PSUs, and Azul Platform Prime critical fixes and do not uptake new features and non-critical enhancements from Stream Builds. Stable Builds are our primary vehicle for delivering time-sensitive bug-fixes to customers and are only available to Azul customers.

    Current latest: 24.08.201.0 and 24.02.501.0



Latest Stream Build

24.10.0.0

Release Notes PDF

Release date: November 5, 2024

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.09.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_431-b4

11

11.0.24.0.101+1-LTS

17

17.0.12.0.101+1-LTS

21

21.0.4.0.101+1-LTS

What’s New

  • Zing 24.10.0.0 features an update to JVMTI behavior in order to bring it to the modern standard. Previously, a few commercial Java application performance monitoring tools have been reporting too long GC pause times because Zing was reporting non-pausing concurrent GC durations wrongly as GC pauses over JVMTI events JVMTI_EVENT_GARBAGE_COLLECTION_START (GarbageCollectionStart) and JVMTI_EVENT_GARBAGE_COLLECTION_FINISH (GarbageCollectionFinish).

    The new correct reporting may increase the actual GC pauses slightly if monitoring software attached with -javaagent using JVMTI is active.

  • Zing 24.10.0.0 enables the previously implemented command line option OptimizeIdentityHashForDistribution by default. This option implements an optimization to the distribution of identity hash codes. Enabling this option optimizes the protocol for distributing hash codes. Otherwise, some hash table implementations are prone to an unreasonable number of collisions.

  • The version of libstdc++ packaged with Zing has been upgraded from libstdc++.so.6.0.24 to libstdc++.so.6.0.32.

  • October 2024 CPU and PSU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21208

Networking

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21217

Serialization

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

Multiple

Yes

8.1

Network

High

None

None

Unchanged

High

High

High

None

CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

High

High

None

Note 1

CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxml2)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

Note 1

CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 2

CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 2

CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 2

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-31914

Disable limit on CNC reconnection attempts

ZVM-32504

Crash when multiple threads race to fill the last slot available in VM internal constant table

ZVM-32164

Make sure RN’s initialization order is not affected by parallel application activity

ZVM-31866

ReadyNow threads should not cause OOM

ZVM-31197

Null returned in unixSystem.getUsername()


Latest Stable Builds

24.08.201.0

Release Notes PDF

Release date: December 2, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.200.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_432-b1

11

11.0.25+9-LTS

17

17.0.13+11-LTS

21

21.0.5+11-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32844

VM state reset followed by failure to reconnect makes CNC client stuck


24.02.501.0

Release Notes PDF

Release date: November 11, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.02.500.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_431-b1

11

11.0.24.0.101+1-LTS

17

17.0.12.0.101+1-LTS

21

21.0.4.0.101+1-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32704

Revert BufferTier1CompileRequests


Previous Stream Builds

24.09.0.0

Release Notes PDF

Release date: October 3, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_422-b5

11

11.0.24+8-LTS

17

17.0.12+7-LTS

21

21.0.4+4-LTS

What’s New

  • Zing 24.09.0.0 increases the maximum code cache supported from 1758 MB to 4 GB. You can now set both ReservedCodeCacheSize and InitialCodeCacheSize to a value up to 4 GB.

  • In case you need to disable Extended Native Memory Tracking (NMT), Zing 24.09.0.0 includes new command line option UseExtendedNMT, which you can use to disable Zing’s Extended NMT, and EnableNMTIntegrityChecks, which you can use to disable checks on allocations. Zing runs in Extended NMT mode and includes integrity checks by default. Using -XX:-UseExtendedNMT tells Zing to run NMT in a Zulu-like mode. We do not recommend disabling Extended NMT except in very specific cases.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-31884

Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode

ZVM-32021

Malformed characters as part of cgroup data in GC log header

ZVM-31803

[Inliner] AlwaysInline can cause code explosion in the inliner

ZVM-31859

Don’t hold JVM lock while performing Falcon context reset

ZVM-31812

Expensive JNI method handle resolution in CompileQueue::scan_for_task may delay application threads

ZVM-31705

Frequent chunk sending re-tries


24.08.0.0

Release Notes PDF

Release date: August 30, 2024

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.07.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_422-b5

11

11.0.24+8-LTS

17

17.0.12+7-LTS

21

21.0.4+4-LTS

What’s New

  • The command line option ProfileLogName has been deprecated and replaced with ProfileName. ProfileName supports all existing macros available for ProfileLogName. It is still possible to use ProfileLogName, however, we recommend that you update your configuration in order to guarantee that you have access to all of the latest features implemented in ProfileName.

    Note that using ProfileName overrides ProfileLogName, ProfileLogIn, and ProfileLogOut.

  • Zing 24.08.0.0 introduces a new feature to the Falcon compiler called Multi-Tiering. Multi-Tiering allows Falcon to schedule methods for compilation under different optimization levels, based on method hotness.

    Multi-Tiering assigns hot and active methods to final-tier compilation and cold or inactive methods to mid-tier compilation. Final-tier uses the default Falcon optimization level (usually Falcon optimization level 2) while Mid-tier uses Falcon optimization level 0.

    Enable Multi-Tiering using the command line option -XX:+UseMultiTiering.

    For more information on Multi-Tiering, see Analyzing and Tuning Warm-Up, Using Multiple Compiler Tiers

  • Zing 24.08.0.0 introduces the ability to apply ReadyNow transformations at runtime. This is done using the newly implemented command line options -XX:ApplyReadyNowTransformations or -XX:ApplyReadyNowTransformationsFile. You can specify which transformations are used on which generation of your ReadyNow profiles.

    A transformation profile can be stored on your machine in yaml format and called using -XX:ApplyReadyNowTransformationsFile=//path/to/file.yaml. or you can apply your transformation options directly in the parameters on the command line using -XX:ApplyReadyNowTransformations="\{transformations\:\[\{data: 0\}\]\}".

  • Zing 24.08.0.0 raises the maximum java heap size (Xmx) supported with non-ZST mode to 14000 GB (14 TB) on Intel Ice Lake and newer x86 processors when 5-level paging (LA57) is enabled at the OS level.

  • Zing 24.08.0.0 handles requests for PrintJNI without safepoint pause, allowing PrintJNI to run concurrently with your VM process.

  • July 2024 PSU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21145

2D

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21131

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21138

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21144

Concurrency

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

11, 8

Note 2

CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

HTTP/2

Yes

8.2

Network

Low

None

None

Unchanged

None

Low

High

None

CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 1

CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 1

Notes:

ID Notes

1

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024

  • Zing 24.08.0.0 introduces a new parameter PrintGCHeadersGuaranteedIntervalSecs which can be used to specify a time interval for periodic output of headers in GC log. This helps open partial GC logs in GC log analyzer, for example those pulled from Splunk.

  • Zing 24.08.0.0 introduces Periodic NMT logging. With this feature, you can output NMT logs to the NMT output folder periodically. Since periodic NMT logging is a diagnostic feature, you must first unlock diagnostic VM Options using -XX:+UnlockDiagnosticVMOptions.

    To specify the output directory for NMT logs, use -XX:PrintNMTStatisticsRoot=<dir_name>. Setting this option enables periodic dumping.

    To specify the interval for printing the new report to the directory, use -XX:PrintNMTStatisticsAtIntervalSec=<interval in seconds>. The default value is 10 sec.

    Example settings for periodic NMT logging:

     
    java -XX:+UnlockDiagnosticVMOptions -XX:NativeMemoryTracking=summary -XX:PrintNMTStatisticsRoot=nmt -XX:PrintNMTStatisticsAtIntervalSec=20 Main

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30741

Don’t disable THP for java heap with -XX:+ThpDisable unless UseTransparentHugePages is also disabled

ZVM-31300

Fix a data race related to java threads interruptions and parking


24.07.0.0

Release Notes PDF

Release date: July 31, 2024

This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 24.06.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_421-b3

11

11.0.23.0.101+2-LTS

17

17.0.11.0.101+3-LTS

21

21.0.3.0.101+4-LTS

What’s New

  • Zing 24.07.0.0 implements an intrinsification of the method java.lang.reflect.Array.get, leading to a significant performance improvement in some cases.

  • The logic around InlineTree has been greatly improved. This change allows the decisions reached by inlining to be reconstructed on request, instead of running through the tree with each query which sometimes leads to bloated recursive inlinings.

  • The MXBean PersistentProfileMXBean has been extended with getReadyNowTier1CompilesRate() and getReadyNowTier2CompilesRate(). These methods allow you to see what percentage of compiles are happening in ReadyNow, when compared to all compiles including non-ReadyNow.

  • July 2024 CPU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21145

2D

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21131

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21138

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21144

Concurrency

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

11, 8

Note 2

CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

HTTP/2

Yes

8.2

Network

Low

None

None

Unchanged

None

Low

High

None

CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 1

CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 1

Notes:

ID Notes

1

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-31343

Don’t query cgroup_subsytem_path() unless Cgroup support exists

ZVM-31328

Falcon compilation ends with Stack Memory Failure

ZVM-31299

Port JDK-8175318 from OpenJDK to avoid unnecessary cleaning of JNI handles

ZVM-31265

DebugInfo for cc-compiler-engine.zip is incompatible with the debuginfo shipped with the JDK

ZVM-31239

[CNC] java.lang.Object should be always pre-registered in ProtoUniverse

ZVM-31238

Missing RCD debug symbols for release builds

ZVM-26110

[NMT] Make intercepted allocations honor alignment parameter


24.06.0.0

Release Notes PDF

Release date: June 28, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.05.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_412-b2

11

11.0.23+9-LTS

17

17.0.11+9-LTS

21

21.0.3+9-LTS

What’s New

  • Several methods have been added to Zing MXBean extensions which can request several metrics from a running JVM. The following methods have been added to Zing MXBeans:

    MXBean method

    CompilationMXBean

    getTotalOutstandingCompiles()
    getTotalPerformedTier1Compiles()
    getTotalPerformedTier2Compiles()

    PersistentProfileMXBean

    getVmUnmatchedClassRate()
    getProfileClassMatchRate()

    CompilationMXBean can return the total number of enqueued and in-progress compilations, and can return the total number of tier 1 and tier 2 compilations at the time of request.

    PersistentProfileMXBean can return the ratio of matched or unmatched classes to the number of classes loaded in the VM at the time of request.

    You can find a general overview of Zing MXBeans in the Zing MXBeans documentation, or a complete description of all Zing MXBeans methods in the Zing MXBeans API documentation or in the Javadocs included in the Zing documentation bundle found on the Zing customer downloads page.

  • GC Log Analyzer’s summary page now includes the ID of the current run from Ready Now Orchestrator, listed as Current VM ID.

  • GC Log Analyzer’s info page now includes the container OS along with the node OS.

  • Azul Zing 24.06.0.0 includes a significant improvement to Zing’s crash handler which allows it to properly generate diagnostic data when Falcon threads reach stack memory failure.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30813

Zing ARM64 reports on start 5.5TB (5632GB) as supported max heapsize

ZVM-30976

Backport JDK-8211061: Tests fail with assert(VM_Version::supports_sse4_1()) on ThreadRipper CPU

ZVM-30975

Backport JDK-8194494: SHA-512 stub uses AVX 2 instructions on non-supporting CPUs

ZVM-30972

CPU use and throttling information missing with cgroupsV2

ZVM-30233

Properly categorize RN memory allocations


24.05.0.0

Release Notes PDF

Release date: May 31, 2024

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.04.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_412-b4

11

11.0.23+9-LTS

17

17.0.11+9-LTS

21

21.0.3+9-LTS

What’s New

  • April 2024 PSU release security fixes.

  • The default value of -XX:ProfileStartupLimitInSeconds has changed from 60 to 0. This follows from a previous change where 0 was changed from "infinite" to actually 0 seconds. For more information on ProfileStartupLimitInSeconds, see Command Line Options, Advanced Miscellaneous Options.

  • Azul Zing 24.05.0.0 implements some behavioral changes to the command line option VMFootprintLevel. In order to reduce memory footprint, malloc arenas now use half the number of CPU cores when setting a non-default value of VMFootprintLevel; L, M, or S

  • The minimum value supported for Xms (initial heap size) was lowered drastically from 512 MB to 128 MB. Previously, the minimum supported Xms was 512 MB. The minimum supported Xmx (maximum heap size) remains unchanged at 512 MB. The purpose of this change is to reduce memory consumption from small utility processes which don’t require a high amount of memory.

    Note
    In case Xms and Xmx are set to the same value, while setting Xms somewhere between 128 MB and 512 MB, both values are rounded up to 512 MB in order to satisfy the minimum allowable Xmx.
  • Azul Zing 24.05.0.0 introduces a new command line option, -XX:ThpDisable, which can be used to disable Transparent Huge Pages (THP) in the entire JVM process, even when system THP settings are enabled. When -XX:+ThpDisable is set, THP is turned off, overriding the system default.

  • Azul Zing 24.05.0.0 is now able to collect Falcon diagnostics during OOM (Out of memory) errors.

  • Thread-local backoff for secondary_super_cache updates has been ported from OpenJDK, based on JDK-8316180 and is disabled by default. To enable this feature, use the option -XX:SecondarySuperMissBackoff=1000.

  • A new command line option, OptimizeIdentityHashForDistribution has been introduced in Zing 24.05.0.0. This option enables an alternate implementation for System.identityHashCode() which provides better distribution of objects at the cost of making the identity hash calculation itself slower. This option is disabled by default and can be enabled using -XX:+OptimizeIdentityHashForDistribution.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30696

Backport ZULU-61542 to a BPR on Zing 24.02.100 Java 17

ZVM-30695

Backport ZULU-61544 to a BPR on Zing 24.02.100 Java 17

ZVM-30653

Fix stack walker TTSP profiler that collects interpreter frame methods

ZVM-30566

Local queue is not cleared when local fallback is disabled

ZVM-30407

Linear search at LoaderProfileApplicator::has_recorded_load


24.04.0.0

Release Notes PDF

Release date: April 30, 2024

This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 24.03.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_411-b3

11

11.0.22.0.101+2-LTS

17

17.0.10.0.101+3-LTS

21

21.0.2.0.101+2-LTS

What’s New

  • Zing 24.04.0.0 implements a new command line option, MallocArenaMax, which is used to define the maximum amount of memory pools available for glibc. The default value is 0.

  • The command line option UseDefensiveHeapShrinking is now disabled by default in cgroups where memory limiting is set. You can disable this option manually by using -XX:-UseDefensiveHeapShrinking. For more information about defensive heap shrinking, see Command Line Options, Defensive Heap Shrinking.

  • Zing 24.04.0.0 implements a more efficient way to encode deopt bundles, improving system performance.

  • Prime JIT compilation logs (LogCompilation) are now fully supported for JITWatch for Zing.

  • April 2024 CPU and PSU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21011

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2024-21012

Networking

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11

Note 1

CVE-2024-21068

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 2

CVE-2024-21085

Concurrency

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

11, 8

Note 2

CVE-2023-41993 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

High

High

None

Note 1

CVE-2024-21892 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

None

No

7.5

Local

High

Low

None

Changed

High

High

None

None

CVE-2024-20954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

CVE-2024-21094 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

CVE-2024-21098 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

None

CVE-2024-21003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

None

CVE-2024-21005 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

None

CVE-2024-21002 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

None

CVE-2024-21004 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-24839

[JTReg] jdk/test/jdk/jdk/jfr/startupargs/TestStartDuration.java crashes with 'C (nil)'


24.03.0.0

Release Notes PDF

Release date: April 3, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.02.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b3

11

11.0.22+7-LTS

17

17.0.10+7-LTS

21

21.0.2+13-LTS

What’s New

  • In order to establish a better client/server relationship between Zing and Optimizer Hub, Zing now sends its version to Optimizer Hub, making the current version of Zing available and viewable in Optimizer Hub.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30054

The "Compiler Statistics"/"Code Cache Details"/ReadyNow Statistics" graphs do not properly show with latest GCLA

ZVM-29997

JTReg21 - jdk/test/hotspot/jtreg/vmTestbase/nsk/jdwp/ReferenceType/Instances/instances001/instances001.java crashed due to "C [libjdwp.so+0x2e946] classSignature+0x36"

ZVM-29278

Java21 crashes due to " C [libjdwp.so+0x2d72f] jvmtiAllocate+0x2f"

ZVM-29277

Java21 crashes due to "C [libjdwp.so+0x2b734] debugMonitorEnter+0x24"


24.02.0.0

Release Notes PDF

Release date: March 13, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.01.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b6

11

11.0.22+7-LTS

17

17.0.10+7-LTS

21

21.0.2+13-LTS

What’s New

  • Zing 24.02.0.0 includes new options for defensive heap shrinking. Defensive heap shrinking dynamically reduces committed Java heap in order to avoid Out-of-memory (OOM) errors in container environments, which ordinarily lead to OOM kills and crashes.

    You can enable defensive heap shrinking using the flag -XX:+UseDefensiveHeapShrinking. See Command Line Options, Defensive Heap Shrinking for more information on tuning this option:

    Specifying VMFootprintLevel enables UseDefensiveHeapShrinking by default.

  • The C2 Compiler SeaOfNodesC2 has been deprecated in Zing 24.02.0.0. When you use the option -XX:+UseC2, the JVM uses KestrelC2 for C2 compilation.

  • The command line option UseOptimizedThreadLookup has been disabled by default due to its impact on virtual and physical memory consumption in some cases. This change can negatively effect the lookup times of threads such as with jmm_getThreadCpuTimeWithKind(). The optimization can be turned back on by default with -XX:+UseOptimizedThreadLookup.

  • Zing 24.02.0.0 implements a significant improvement to code cache segmentation. This improvement makes code cache segmentation elastic instead of fully committing the entire segment, greatly reducing the amount of wasted memory from code cache segmentation.

  • Following up from our previous deprecation of ZVision and ZVRobot components in Zing 23.08.0.0, we have now removed ZVision and ZVRobot components completely in Zing 24.02.0.0. This means that you are no longer able to use ZVision and ZVRobot with Zing. We recommend using Java Flight Recorder and Azul Mission Control for recording and viewing performance metrics for your JVM.

  • Zing 24.02.0.0 includes support for Optimizer Hub (formerly Cloud Native Compiler) on ARM64 system architecture.

  • The compilation ranking feature has been enabled again by default. Compilation ranking was disabled in Zing 23.08.201.0 due to performance issues in particular cases. If you are upgrading from a previous stream release, there is no change in behavior.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29800

The 'libjvm.so' file is significantly larger in the aarch64 build compared to the x64 build

ZVM-29652

SHMEM-THP config file doesn’t work when copied from the doc page

ZVM-28886

(ZVM-28209) RN profile takes the 11-13 to load.


24.01.0.0

Release Notes PDF

Release date: January 31, 2024

This release is based on Azul Platform Prime 23.12.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b3

11

11.0.22+7-LTS

17

17.0.10+7-LTS

21

21.0.2+13-MTS

What’s New

  • From Azul Platform Prime 24.01.0.0, the garbage collector’s (GC) CPU usage is logged by default. Previously, you had to use the option -XX+:PrintGCDetails. You can view these metrics now by default in GC Log Analyzer in the GC CPU Usage graph. GC CPU Usage is split into 3 metrics, "marking CPU usage," "relocation CPU usage," and "fixup pass," which appear as "New GC Mark," "New GC Reloc," and "New GC Fixup" in the GC CPU Usage graph.

  • Azul Platform Prime 24.01.0.0 includes a new lightweight, fully functional distribution of the Java Runtime Environment (JRE) for Java 8, 11, 17 and 21. The new Java JREs saves a significant amount of space by removing various debugging options and developer options. The Azul Platform Prime Builds of JRE still fully supports Optimizer Hub and Azul Vulnerability Detection (AVD).

  • Azul Platform Prime 24.01.0.0 introduces a small but significant change to the behavior of -XX:ProfileStartupLimitInSeconds. Now, when you set this option to 0, it means 0 seconds. Previously, if you set this flag to 0, it would be interpreted as "infinite". You can still specify "infinite" by using any negative number, for example -1. The default behavior without setting this option remains the same, i.e. the default remains 60.

  • January 2024 CPU and PSU release security fixes.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

17

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

11, 8

Note 2

CVE-2024-20945

Security

None

No

4.7

Local

High

Low

None

Unchanged

High

None

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

3

This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29440

VM fails to remove stale hsperfdata files after backport of JDK-8286030

ZVM-19215

Backport JDK-8215451: IsSameObject should not keep objects alive.

ZVM-29526

[JCK-runtime-21] JCK test crashed api/javax_net/ssl/SSLSocket/Description.html with V [libjvm.so+0x6339b8] void GPGC_MarkAlgorithm::drain_stacks(GPGC_GCManagerOldStrong*)+0x638

ZVM-29388

aarch64 builds contain debug symbols - much larger than x64

ZVM-29384

Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance

ZVM-4337

[JVMTI] Zing does not provide inlining data on CompiledMethodLoad

23.12.0.0

Release Notes PDF

Release date: December 15, 2023

This release is based on Azul Platform Prime 23.10.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_392-b3

11

11.0.21+8-LTS

17

17.0.9+8-LTS

21

21.0.1+11-MTS

What’s New

  • Azul platform Prime 23.12.0.0 includes several performance fixes including improvements to handling of arrays such as ArraysFill and ArrayCopy.

  • More concise logging of the Compilation Ranking feature has been implemented in order to better asses the behavior and impact of this feature. This applies to Falcon compilations only. Newly collected data has been added to the pre-existing charts in GC Log Analyzer, Compiler Statistics > Compiler Queues and Compiler Statistic > Tier 2 Compiler Counts. Newly collected and viewable data includes the following:

    • The total number of hot and warm methods which have made it to the compile queue, split from the total number of methods.

    • The total number of hot and warm methods which have begun compilation, split from the total number of methods.

    • The total number of methods which were not promoted to the compiler queue due to being identified as cold methods. These are methods which have reached the compile threshold, but not quickly enough to be considered warm or hot methods.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues to report in this release.


23.10.0.0

Release Notes PDF

Release date: November 2, 2023

This PSU release is based on Azul Platform Prime 23.09.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_392-b3

11

11.0.21+8-LTS

17

17.0.9+8-LTS

21

21.0.1+11-MTS

What’s New

  • Zing 23.10.0.0 contains the General Availability (GA) release of Azul Prime Builds of OpenJDK 21.

  • October 2023 CPU and PSU release security fixes, including CPU and PSU fixes for Azul Prime Builds of OpenJDK 21.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-22067

CORBA

CORBA

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

8

Note 1

CVE-2023-22081

JSSE

HTTPS

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2023-30589 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

None

CVE-2023-22091 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Compiler

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

CVE-2023-22025 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 3

Notes:

ID Notes

1

This vulnerability can only be exploited by supplying data to APIs in the specified Component, e.g., through a web service.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

3

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2023

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-28960

Potential regression in compilation behaviors and times from 23.02.400 to 23.08.01

ZVM-29000

Fix missing files for SelfDiagnosticRunLevel=2

ZVM-28926

jlink creates debuginfo libraries

ZVM-28801

Prime jre17 fails to load management agent


23.09.0.0

Release Notes PDF

Release date: September 29, 2023

This release is based on Azul Platform Prime 23.08.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_382-b2

11

11.0.20.1+1-LTS

17

17.0.8.1+1-LTS

What’s New

  • A new option, GPGCSafepointWaitForMutatorResume, has been introduced and is set to true by default. This flag tells the Garbage Collector to pause and wait for mutator threads to be woken up before resuming, after every GC safepoint. If -XX:-GPGCSafepointWaitForMutatorResume is set, the Garbage Collector resumes its work in parallel with mutator threads waking up.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-28703

java.lang.UnsupportedOperationException Monitoring of Synchronizer Usage is not supported sun.management.ThreadImpl.findDeadlockedThreads(ThreadImpl.java:411)

ZVM-28639

Debug files/libraries not being excluded from release artifacts

ZVM-28588

weblogic crashed with "assert0(false) failed: [false expected]"


23.08.0.0

Release Notes PDF

Release date: September 11, 2023

This release is based on Azul Platform Prime 23.07.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_382-b2

11

11.0.20.1+1-LTS

17

17.0.8.1+1-LTS

What’s New

  • Compilation ranks by priority, which allows the JVM to assign compilation ranks to methods, has been introduced to Azul Platform Prime 23.08.0.0. This allows the Falcon compiler to assign ranks, hot, warm, or cold, to methods in order to prioritize system resources to methods depending on their hotness. The value of compilation ranking is that compiler activity is optimized later in an application run, not only reducing system load and freeing up resources for the running application but also reducing application outliers.

    For more information on compilation ranks, see Analyzing and Tuning Warmup. For newly added options, see Command Line Options.

  • As of Azul Platform Prime 23.08.0.0, ZVision and ZVRobot components have been deprecated and are no longer actively developed. While we still support these components, we encourage users to switch to Java Flight Recorder, as ZVision and ZVRobot are planned for End-of-Life with Azul Platform Prime 24.02.0.0.

  • Support for the latest features in Optimizer Hub (formerly Cloud Native Compiler) 1.8.0. As Cloud Native Compiler expands its scope to offer more functionality than just offloading compilations, it is time to rebrand the offering to better reflect what it does. Starting with release 1.8, we are using the following naming:

    • Optimizer Hub (was Cloud Native Compiler) - The name of the overall component that you install on your Kubernetes cluster.

    • Cloud Native Compiler (was Compiler Service) - The feature that performs the compilation on Optimizer Hub.

    • ReadyNow Orchestrator (was Profile Log Service) - The feature that records and serves ReadyNow profiles to JVMs.

  • In Optimizer Hub 1.8, all major artifacts and command line switches use the updated branding. This includes, but is not limited to:

    If you are using release 1.7 and earlier, all of the previous spellings of artifacts still work. Additionally, all of the pre-1.8 command-line arguments will continue to work for a period of one year from the release of 1.8.

  • The command line option PreferContainerQuotaForVMInternalCPUCount has been set to true by default in order to make calculations of internal thread counts, as well as budgeting options, more clear in container environments.

    In container environments where both CPU shares and CPU quota are specified, such as with Kubernetes where these are commonly specified, the VM now uses quota to calculate compiler and GC thread counts. Prior to Azul Platform Prime 23.08, it was using half of quota for the calculation.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-28301

Fix java_lang_String::hash_code

ZVM-28262

Remove default RSS cap for ProfileLogIn

ZVM-28242

JFR profiler does not collect stack traces

ZVM-28144

Exhausting java heap during early VM initialization causes a hang

ZVM-28121

JFR is not collecting jdk.ExecutionSample events on ARM

ZVM-27536

Enable per-thread CPU utilisation data collection in SelfDiagnosticRunLevel=3


23.07.0.0

Release Notes PDF

Release date: July 31, 2023

This PSU release is based on Azul Platform Prime 23.06.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_382-b5

11

11.0.20+8-LTS

17

17.0.8+7-LTS

What’s New

  • ZVision and ZVRobot have been separated from the Azul Platform Prime package due to a known vulnerability in jQuery 1.4.3, which is used in building the ZVision and ZVRobot utilities. At this time, Azul is not aware of any vulnerability in ZVision itself. For this reason, ZVision is still available for download for Azul Platform Prime subscribers at https://ftp.azul.com/releases/Zing/ZVision/ZVTools.zip

  • The command line option -XX:CompileCommand has been updated to use FalconCompileThreshold.

    This option is used in the following way:

    -XX:CompileCommand="option,<Class>::<method>,FalconCompileThreshold=<threshold value>"

  • July 2023 CPU release security fixes.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-22041

Hotspot

None

No

5.1

Local

High

None

None

Unchanged

High

None

None

17, 11

Note 1

CVE-2023-22036

Utility

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

17, 11

Note 2

CVE-2023-22049

Libraries

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 11, 8

Note 2

CVE-2023-25193

2D (Harfbuzz)

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

17, 11

Note 2

CVE-2023-22006

Networking

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

17, 11

Note 1

CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

None

Note 1

CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Note 2

CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Note 2

CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

GraalVM Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2023

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-27897

Hadoop fails with Prime when -XX:+UseAES is used

ZVM-27098

Incompatibility with Apache Flink with RocksDB


23.06.0.0

Release Notes PDF

Release date: June 30, 2023

This release is based on Azul Platform Prime 23.05.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_372-b2

11

11.0.19+7-LTS

17

17.0.7+7-LTS

What’s New

  • A new option, C2CompileThreshold, has been added. This option allows the C2 compile threshold to be specified for individual methods. This option was introduced because some methods that are rarely called are still important and need to undergo regular optimization. This is set using -XX:CompileCommand in the following way:

    -XX:CompileCommand="option,<Class>::<method>,C2CompileThreshold=<threshold>"

  • The maximum supported code cache size has been increased to 1758 MB when AllocCodeCacheInLower2G is disabled using -XX:-AllocCodeCacheInLower2G.

  • It is no longer necessary to LD_PRELOAD the libnmt_hooks.so library in order to use extended Native Memory Tracking (NMT). The libnmt_hooks.so library is now linked by default.

  • Using Java Flight Recorder, you can now see exact JIT name for each stacktrace frame in Azul Mission Control in the Method Profiling tab. This uses the option JFRDistinguishJITTypes, which is set to true by default, and shows either C1, C2, or Falcon for each stacktrace frame. With JFRDistinguishJITTypes set to false, it shows JIT compiled.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-27634

Unify Prime’s "java.vendor" with Zulu

ZVM-27514

High JFRCheckpoint pauses seen on Prime

ZVM-27506

Turn on JFRDistinguishJITTypes flag by default

ZVM-27424

Prime 11+ doesn’t throw IncompatibleClassChangeError in instanceKlass::method_at_itable

ZVM-27785

Fix segmentation fault on StubRoutines::stringIndexOf

ZVM-27675

Prohibit inlining for methods with invalid method ID

ZVM-27624

Disable RSS workaround only once use of large pages are confirmed

ZVM-27388

objSizes.jar application crashes with "assert(m->is_abstract()) failed: should be public and abstract" in fastdebug mode

ZVM-27549

Avoid native method calls from VM.java class


23.05.0.0

Release Notes PDF

Release date: May 31, 2023

This release is based on Azul Platform Prime 23.04.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_372-b2

11

11.0.19+7-LTS

17

17.0.7+7-LTS

What’s New

  • Some Falcon CPU Budgeting options have been renamed according to the following table:

    Changed from: Changed to:

    CompilerTier2BudgetingThreadsPercent

    CompilerTier2BudgetingCPUPercent

    CompilerTier2BudgetingWarmupThreadsPercent

    CompilerTier2BudgetingWarmupCPUPercent

    CompilerTier2BudgetMaxMs

    CompilerTier2BudgetWindowDurationMs

    For more information on Falcon CPU Budgeting options, see Command Line Options, CPU Budgeting Options

  • The command line option UseTrueObjectsForUnsafe has been set to true by default. This option forces unsafe objects to be returned in their true object form instead of the equivalent java class object. For example, with UseTrueObjectsForUnsafe disabled, java.lang.Class can be returned instead of the true klassOop.

  • Azul Platform Prime 23.05.0.0 includes several performance optimizations including many intrinsic functions implemented in the Falcon compiler.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues to report in this release.


23.04.0.0

Release Notes PDF

Release date: April 28, 2023

This PSU release is based on Azul Platform Prime 23.03.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_372-b2

11

11.0.19+7-LTS

17

17.0.7+7-LTS

What’s New

  • April 2023 CPU and PSU release security fixes.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-21930

JSSE

TLS

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

17, 11, 8

Note 1

CVE-2023-21967

JSSE

HTTPS

Yes

5.9

Network

High

None

None

Unchanged

None

None

High

17, 11, 8

Note 1

CVE-2023-21939

Swing

HTTP

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

17, 11, 8

Note 1

CVE-2023-21937

Networking

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 11, 8

Note 1

CVE-2023-21938

Libraries

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 11, 8

Note 2

CVE-2023-21968

Libraries

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 11, 8

Note 1

CVE-2023-21954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

None

Note 1

CVE-2023-21986 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Native Image

None

No

5.7

Local

Low

None

None

Changed

None

Low

Low

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2023

  • Cloud Native Compiler (CNC) 1.7 client support.

  • The command line option, AllocCodeCacheInLower2G, is now supported on the AArch64 system architecture, which is set to true by default. This option allocates code cache and related data structures at virtual address within 2 GB. To allow allocation to higher memory addresses, use -XX:-AllocCodeCacheinLower2G.

  • A new command line option, GPGCCommitInitialHeapLazily, has been introduced, which is set to false by default. When enabled, this option prevents the whole of the initial heap size, InitialHeapSize or -Xms, from being committed from the OS upfront.

    With this option enabled, use the option GPGCLazyInitialHeapCommitPercent to specify how much of Xms shall be committed from the OS upfront, at startup. The default value for GPGCLazyInitialHeapCommitPercent is 50. The remainder gets committed based on regular elastic heap heuristics.

  • The command line option InitialHeapSize is now incorporated in Azul Platform Prime in order to keep compatibility with OpenJDK. InitialHeapSize can be used instead of -Xms<size> on the command line.

Note
The command line argument MaxHeapSize can also be used instead of -Xmx<size>

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-25950

Backport JDK-7059899 Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV


23.03.0.0

Release Notes PDF

Release date: March 31, 2023

This release is based on Azul Platform Prime 23.02.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_362-b2

11

11.0.18+10-LTS

13

13.0.14+5-MTS

15

15.0.10+5-MTS

17

17.0.6+10-LTS

19

19.0.2+7-MTS

What’s New

  • Included in this release are the final set of JDK versions 13, 15 and 19. The next release will no longer contain these versions. Starting from 23.04.0.0, stream releases will include only JDK 8, 11, and 17. Starting from 23.02.100.0, stable releases will only include JDK 8, 11, and 17 CPU/PSU builds.

  • Oracle Linux (Centos 7.9) ARM is supported from Azul Platform Prime version 22.03.0.0.

  • The Command Line Option GPGCUseAllocationPacing has been disabled by default.

  • The Command Line Option CNCForceLocalCompiler has been deprecated and replaced with the new option CNCEnableRemoteCompiler.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-26650

Transform head of _freeThreads to a tagged reference to avoid ABA problems

ZVM-26648

Missing tag update in HeapRefBufferList::grab()

ZVM-26387

[Alpine] Failed to bundle core from alpine container

ZVM-26245

jlink on Prime converts library symlinks to files and increase the total size by 87MB


23.02.0.0

Release Notes PDF

Release date: March 1, 2023

This release is based on Azul Platform Prime 23.01.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_362-b2

11

11.0.18+10-LTS

13

13.0.14+5-MTS

15

15.0.10+5-MTS

17

17.0.6+10-LTS

19

19.0.2+7-MTS

Note
Version 1 of the GC Log Analyzer has reached its end-of-life and has been replaced with Version 2 of the GC Log Analyzer. GC Log Analyzer 2 is included in Zing packages and can be found at <installdir>/etc/GCLogAnalyzer2.jar. The latest version of GC Log Analyzer is also available for download at https://docs.azul.com/prime/gcla/about-gcla.

What’s New

  • Zing 23.02.0.0 contains the General Availability (GA) release of Azul Prime Builds of OpenJDK 19 for x86_64 systems.

  • Cloud Native Compiler (CNC) 1.6.1 client support.

  • NativeMemoryTracking has been extended with further Falcon tracking support.

    To enable "extended tracking," set LD_PRELOAD=$JAVA_HOME/etc/zing/lib/libnmt_hooks.so in addition to regular NMT flags which are described in Native Memory Tracking Options and in the Oracle documentation.

  • Zing 23.02.0.0 introduces new CPU budgeting features for the Falcon Tier 2 compiler. CPU Budgeting tells the Tier 2 compiler when to run and how many CPU threads to use, pre and post warmup.

    With these new features, it is possible to specify allocated threads as a percent, meaning the compiler and the running application can share resources, resulting in less pauses and more stability for the running application. Previously, only whole numbers of threads could be allocated.

    To enable these new features, use the argument -XX:+EnableTier2CompilerBudgeting.

    New Falcon CPU Budgeting features are listed in Command Line Options, CPU Budgeting Options

  • A new command line option, AllocCodeCacheInLower2G has been introduced and is set to true by default. This option allocates code cache and related data structures at virtual address within 2 GB. To allow allocation to higher memory addresses, use -XX:-AllocCodeCacheinLower2G. This option is only available for x86_64 systems.

  • Lower GC pauses with JVMTI - JVMTI tag map clearing has been moved outside of safepoint pause by default. This is set by the command line argument ConcurrentJVMTITagMapClearing and is set to true by default.

  • Falcon improvement - Register allocation enhancement that improves code generation for derived pointers around GC safepoints. This allows derived pointers to rematerialize immediately before their use instead of after every safepoint. This is beneficial when a pointer is live across many statepoints but has few uses.

  • Allocation publication barrier optimizations for AArch64 in Falcon. Testing has yielded up to an 8.5% performance improvement from this optimization.

  • The output format for -Xlog:safepoint has been changed to match OpenJDK for JDK13 and above.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-26265

Add jcmd, jmap, jps, jstack tools to jdk8 jre tar.gz

ZVM-25703

backport JDK-8297028 (UseContainerCpuShares ) missing for Prime Java 8 Jan 2023 (Oracle 8u361 equivalent)

ZVM-26144

attaching agent generates error: Skipping cleaning of inline cache

ZVM-25902

ProfilePersistCodeProfilesOnUncommonTraps may introduce a significant overhead

ZVM-25844

Tune FalconContextReset to lower value - Resolution: Reset frequency is chosen using an ergonomics heuristic. There is no need to tune the default value.

ZVM-25437

jdk/test/hotspot/jtreg/serviceability/jvmti/RedefineClasses/RedefinePreviousVersions.java failed with "java.lang.RuntimeException: 'Class unloading: has_previous_versions = false' missing from stdout/stderr"

ZVM-22464

JTreg crashed with JvmtiEnvBase::get_stack_trace

ZVM-26017

-Xlog:safepoint output format differs between Zing 17 and OpenJDK 17


23.01.0.0

Release Notes PDF

Release date: January 31, 2023

This PSU release is based on Azul Platform Prime 22.12.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_362-b3

11

11.0.18+10-LTS

13

13.0.14+5-MTS

15

15.0.10+5-MTS

17

17.0.6+10-LTS

Note
Version 1 of the GC Log Analyzer has reached its end-of-life and has been replaced with Version 2 of the GC Log Analyzer. GC Log Analyzer 2 is included in Zing packages and can be found at <installdir>/etc/GCLogAnalyzer2.jar. The latest version of GC Log Analyzer is also available for download at https://docs.azul.com/prime/gcla/about-gcla.

What’s New

  • January 2023 CPU and PSU release security fixes.

  • Cloud Native Compiler (CNC) 1.6 client support.

  • You can now read and write ReadyNow profile logs to Cloud Native Compiler. This simplifies getting ReadyNow profile logs in and out of containers and other environments without persistent storage.

  • Compile stashing has been disabled by default, even when using ReadyNow.

    Existing ReadyNow users that want to maintain the same compile stashing behavior as in earlier releases should ensure the -XX:+FalconUseCompileStashing flag is set.

    Users who wish to use compile stashing with the new Profile Log Service must ensure both +FalconUseCompileStashing and +CNCEnableRemoteCompiler flags are set.

  • FalconContextReset is now set using ergonomics heuristic based on the number of Falcon compiler threads, unless specified explicitly. Falcon compiler threads reset the internal caches after every FalconContextReset number of compilations. This is a tradeoff between compilation speed and memory consumption. The more often the caches are reset, the less memory is consumed but more time is spent rebuilding the caches.

    Currently, the value of FalconContextReset is chosen as FalconContextResetFactor=<number of Falcon threads> nested between FalconContextResetLowerLimit and FalconContextResetUpperLimit.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-21830

Serialization

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

8

CVE-2023-21835

JSSE

DTLS

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11

CVE-2023-21843

Sound

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

CVE-2022-43548 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTPS

Yes

8.1

Network

High

None

None

Unchanged

High

High

High

None

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2023

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-25620

Disable compile stashing by default when ReadyNow on

ZVM-25974

CNC links OpenSSL 1.1.1c, creating conflict with 3rd party library

ZVM-24802

Memory Improvement - Make Falcon compiler context cleanup predictable disregarding the instance type


22.12.0.0

Release Notes PDF

Release date: December 19, 2022

This release is based on Azul Platform Prime 22.10.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_352-b2

11

11.0.17+8

13

13.0.13+5

15

15.0.9+5

17

17.0.5+8

Note
Version 1 of the GC Log Analyzer has reached its end-of-life and has been replaced with Version 2 of the GC Log Analyzer. GC Log Analyzer 2 is included in Zing packages and can be found at <installdir>/etc/GCLogAnalyzer2.jar. The latest version of GC Log Analyzer 2 is also available for download at https://docs.azul.com/prime/gcla/about-gcla.

What’s New

  • Zing 22.12.0.0, through various changed and updates, has been able to achieve 10% lower GC CPU usage on Cassandra.

  • Zing 22.12.0.0 lowers the amount of GC pauses with hidden classes.

  • Falcon has been improved for Jackson as well as other optimizations to the Falcon JIT compiler.

  • New JMX MXBean metrics replace old metric name below java.lang.GarbageCollector to increase accuracy for GC monitoring added with JDK-8265136: Previously, metric "GPGC New/Old" was providing a sum of GC pauses and concurrent GC duration. This metric is replaced by the following:

    • GPGC New/Old Cycles: duration time in ms of the concurrent GC which runs in parallel to application threads and is not stopping the application.

    • GPGC New/Old Pauses: GC pause time in ms.

On Java 11 and 17, the new metrics are enabled by default and the old removed. If you need to switch back to the old metric, add -XX:+GPGCReportLegacyGarbageCollectorMXBean.

On Java 8, only the old metric is active by default. To switch to the new metric add -XX:-GPGCReportLegacyGarbageCollectorMXBean.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues to report in this release.


22.10.0.0

Release Notes PDF

Release date: October 31, 2022

This CPU/PSU release is based on Azul Platform Prime 22.09.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u352-b08

11

11.0.17+8

13

13.0.13+5

15

15.0.9+5

17

17.0.5+8

What’s New

  • October 2022 CPU and PSU release security fixes

  • Compatibility with Cloud Native Compiler (CNC) version 1.5

  • Support for the GA release of Azul Vulnerability Detection (AVD).

  • Changes for containers regarding thread pool size calculation and number of available CPUs.

    With the October 2022 release of Java 11 and 17, the default calculation of available CPU cores will change, following JDK-8281181. Previously, the number of available CPU cores was in some situations calculated based on the lower bound defined in the environment. With the change in this release, the lower bound won’t be used anymore and the calculation will only be based on the upper limit of the environment. If in container-based systems no upper limit is defined, the total number of CPUs on the host machine is read as upper limit.

    A situation where a change will occur is, for example, a Kubernetes container where neither CPU requests nor CPU Limits are set, as previously the JVM would select only 1 CPU core as available in this situation while after the chance, it will select all available CPU cores of the environment which can lead to higher resource usage as thread pools of various open source frameworks are using this calculation for sizing. To verify if your systems are effect, check especially those where no upper limit is defined.

    In case you need to switch back to the previous calculation, add -XX:+UseContainerCpuShares to the Java command line.

    Other terms used in the context of CPU definitions are for lower bound "CPU Requests" or "cgroups cpu.shares", and for upper limit "CPU Limits" or "cgroups cpu.cfs_quota_us".

    When both quota and shares are specified for a cgroup and UseContainerCpuShares is true, the number of GC and compiler threads are derived based on a total processor count calculated as (quota+shares)/2. When UseContainerCpuShares is false the number is derived based on a total processor count calculated as (quota/2).

    To check the current setting, for example, to compare previous and current Java versions in your environment, use the following example to display the actual number of CPUs as seen by application code and run it inside your container environment:

    File AvailableCPUs.java:

     
    public class AvailableCPUs { public static void main(String[] args) { System.out.println("CPUs: " + Runtime.getRuntime().availableProcessors()); } }

    To run it:

     
    java -showversion AvailableCPUs.java

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • ZVM-25268 - As a part of the PSU update, UseContainerCpuShares has been set to false (off) by default.

  • ZVM-22642 - The GC log now reports data from remote compilations which can be viewed in GC Log Analyzer.


22.09.0.0

Release Notes PDF

Release date: September 30, 2022

This release is based on Azul Platform Prime 22.08.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u345

11

11.0.16.1+1

13

13.0.12+4

15

15.0.8+4

17

17.0.4.1+1

What’s New

  • Internal bug fixes.

  • Improved accuracy of RSS metric reported in GC log (C heap usage). With this improvement, the reported memory usage in GC log will give more accurate results.

  • The Allocation Pacing feature is turned on by default in non-ZST mode. This will help reduce peak allocation delays while introducing smaller delays into allocation paths as heap usage approaches the total Java heap committed. To turn off the feature use -XX:-GPGCUseAllocationPacing.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


22.08.0.0

Release Notes PDF

Release date: August 30, 2022

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u345

11

11.0.16.1+1

13

13.0.12+4

15

15.0.8+4

17

17.0.4.1+1

What’s New

  • Internal bug fixes.

  • ZVM-24576 - New feature, Allocation Pacing, to help protect against long allocation delays. When enabled, the virtual machine adds smooth delays to allocations as the heap usage approaches the maximum. This new feature helps prevent long allocation delays caused by memory exhaustion and helps the garbage collector keep up. To enable the feature, use -XX:+GPGCUseAllocationPacing, available in non-ZST mode only.

  • ZVM-24277 - Implemented StringUTF16.compress

Resolved Issues

Issue ID Description

ZVM-24429

Using Xlog:safepoint could cause long pauses under I/O contention

ZVM-24614

PrintCodeCacheMap could cause application crash at exit time.

ZVM-24455

LockOpt::eliminateNestedLock could sometimes add an invalid/stale value to the deopt bundle which could potentially lead to crashes.

Known Issues

  • There are no new issues to report in this release.


22.07.1.0

Release Notes PDF

Release date: August 9, 2022

This release is based on Azul Platform Prime 22.07.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u345

11

11.0.16

13

13.0.12

15

15.0.8

17

17.0.4

What’s New

  • Internal bug fixes.

Resolved Issues

Issue ID Description

JDK-8290832

It was no longer possible to change user.dir in JDK8 due to changes in the previous release of OpenJDK, causing compatibility issues. Those changes have been rolled back so that user.dir may be changed.

Known Issues

  • There are no new issues to report in this release.


22.07.0.0

Release Notes PDF

Release date: July 29, 2022

This PSU release is based on Azul Platform Prime 22.06.0.0 and 22.02.300.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u342

11

11.0.16

13

13.0.12

15

15.0.8

17

17.0.4

What’s New

  • July 2022 PSU release fixes.

  • ZVM-24301 - New command line option UseContainerCpuShares, default true, to consider CPU shares when computing available processors inside a cgroup. This option was backported from OpenJDK 17 and it is important to note that while OpenJDK has a default value of false, the default value in Azul Platform Prime is true.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2022-34169

JAXP (Xalan-J)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

17, 15, 13, 11, 8

Note 1

CVE-2022-21541

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

17, 15, 13, 11, 8

Note 1

CVE-2022-21540

Hotspot

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

Low

None

None

17, 15, 13, 11, 8

Note 1

CVE-2022-21549

Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

17

Note 1

CVE-2022-25647 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Native Image (Gson)

None

No

6.2

Local

Low

None

None

Unchanged

None

None

High

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and relies on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Resolved Issues

  • There are no resolved issues associated with this release.

Known Issues

Issue ID Description

ZVM-16112

Applications using munlockall() require -XX:-UseThreadStateNativeWrapperProtocol on the command line to avoid crash or inconsistency if the rare situation occurs that the application gets swapped out after the munlockall() invocation.


22.06.0.0

Release Notes PDF

Release date: June 30, 2022

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u332

11

11.0.15+10

13

13.0.11+4

15

15.0.7+4

17

17.0.3+7

What’s New

  • Internal bug fixes.

Resolved Issues

Issue ID Description

ZVM-14341

NMT detailed mode allows user to track internal VM memory usage to the granularity of a single callsite. This feature is also very useful in case the user needs to find a memory leak.

ZVM-24010

Optimized layout of GC internal data structure, improving native memory consumption by the garbage collector (GC).

ZVM-23142

Improved virtual memory regions initialization to handle rare situations when there are existing mappings in preferred ranges. In such cases, the JVM previously failed to start with the error "Unable to setup virtual memory region for …​".

ZVM-24118

Fixed crashes caused by constantPoolOopDesc::tag_at(int)

ZVM-23983

async-profiler v2.7+ cpu profiling is now working with Prime.

Known Issues

Issue ID Description

-

Aarch64 support is limited to Graviton 2 and 3. Graviton 1 is not yet supported.

ZVM-20142

Async profiler activemq crashed with 'assert(false) failed: Should never reach here'

ZVM-17531

Wildfly app-server hangs when Async Java Profiler is attached.

ZVM-16393

Async profiler does not show object type in "-e alloc" mode on Zulu Prime


22.05.0.0

Release Notes PDF

Release date: May 31, 2022

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u332

11

11.0.15+10

13

13.0.11+4

15

15.0.7+4

17

17.0.3+7

What’s New

  • Internal bug fixes.

Resolved Issues

Issue ID Description

ZVM-21804

In container systems with an elastic CPU definition (CPU min and max both set or cgroups cpu.shares and cpu.quota both defined) Runtime.availableProcessors() now returns the same value as on OpenJDK (the upper limit). Previously it returned the lower bound. That API method is often used to size application thread pools.

Known Issues

  • There are no new issues to report in this release.


22.04.1.0

Release Notes PDF

Release date: May 24, 2022

This release is based on Azul Platform Prime 22.04.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u332

11

11.0.15+10

13

13.0.11+4

15

15.0.7+4

17

17.0.3+7

What’s New

Resolved Issues

  • There are no resolved issues associated with this release.

Known Issues

  • There are no new issues to report in this release.


22.04.0.0

Release Notes PDF

Release date: May 6, 2022

This CPU and PSU release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

8u332

11

11.0.15+10

13

13.0.11+4

15

15.0.7+4

17

17.0.3+7

What’s New

  • April 2022 CPU and PSU security fixes.

  • Enable elimination of safepoint pauses for finding deadlocks operations by first attempting to complete them using a checkpoint using the option -XX:[+/ -]OptimizeFindDeadlocksWithCheckpoint. If a deadlock is detected in the checkpoint, it is then confirmed using a safepoint pause.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2018-25032

ZIP

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

17, 15, 13, 11, 8, 7, 6

CVE-2022-21449

Libraries

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

18, 17, 15

Note 1

CVE-2022-21476

Libraries

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

High

None

None

18, 17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21426

JAXP

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21434

Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21496

JNDI

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21443

Libraries

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-0778 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (OpenSSL)

HTTPS

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Resolved Issues

Issue ID Description

ZVM-21804

In container systems with an elastic CPU definition (CPU min and max both set or cgroups cpu.shares and cpu.quota both defined) Runtime.availableProcessors() now returns the same value as on OpenJDK (the upper limit). Previously it returned the lower bound. That API method is often used to size application thread pools.

ZVM-23002

Added support for cgroups v2.

ZVM-23091

Deadlock detection was being performed using safepoint pauses in prior releases. Starting 22.04 Prime attempts to detect deadlock using checkpoints which do not cause a global pause. If the checkpoint operation indicates the possibility of a deadlock, Prime will resort to a safepoint to confirm the same.

Known Issues

  • There are no new issues to report in this release.


22.03.0.0

Release Notes PDF

Release date: March 31, 2022

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u332

8

8u322

11

11.0.14.1+9

13

13.0.10+5

15

15.0.6+5

17

17.0.2+8

What’s New

  • Internal bug fixes.

Resolved Issues

Issue ID Description

ZVM-21804

In container systems with an elastic CPU definition (CPU min and max both set or cgroups cpu.shares and cpu.quota both defined) Runtime.availableProcessors() now returns the same value as on OpenJDK (the upper limit). Previously it returned the lower bound. That API method is often used to size application thread pools.

Known Issues

  • There are no new issues to report in this release.


22.02.0.0

Release Notes PDF

Release date: February 28, 2022

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u332

8

8u322

11

11.0.14.1+9

13

13.0.10+5

15

15.0.6+5

17

17.0.2+8

What’s New

  • Miscellaneous bug fixes and performance improvements.

Resolved Issues

  • There are no resolved issues to report in this release.

Known Issues

  • There are no new issues to report in this release.


22.01.2.0

Release Notes PDF

Release date: February 14, 2022

This PSU release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u332

8

8u322

11

11.0.14+9

13

13.0.10+5

15

15.0.6+5

17

17.0.2+8

What’s New

  • Missing fixes from the January 22 PSU release of OpenJDK.

  • January 2022 PSU release security fixes.

  • Various performance improvements.

Resolved Issues

  • There are no resolved issues to report in this release.

Known Issues

  • There are no new issues to report in this release.


22.01.1.0

Release Notes PDF

Release date: February 7, 2022

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u332

8

8u322

11

11.0.14+9

13

13.0.10+5

15

15.0.6+5

17

17.0.2+8

What’s New

  • Small critical bug fixes over Azul Platform Prime 22.01.0.0.

  • January 2022 PSU release security fixes.

  • Various performance improvements.

Resolved Issues

  • There are no resolved issues to report in this release.

Known Issues

  • There are no new issues to report in this release.


22.01.0.0

Release Notes PDF

Release date: January 31, 2022

This PSU release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u332

8

8u322

11

11.0.14+9

13

13.0.10+5

15

15.0.6+5

17

17.0.2+8

What’s New

  • January 2022 PSU release security fixes.

  • Various performance improvements.

Resolved Issues

Issue ID Description

ZVM-21048

When -XX:+UseLargePages is used and the number of static huge pages reserved by nr_hugepages is insufficient for the total heap, Prime failed to start. Now it matches OpenJDK behavior and continues as expected.

ZVM-22049

OldGC is not triggered often enough during idle time when NewGCs are occurring.

ZVM-22063

Map OpenJDK command line option UseCountedLoopSafepoints onto KeepSafepointsInCountedLoops.

ZVM-19635

Avoid lock in ByteArrayInputStream.read if it is used as an input of ObjectInputStream.

ZVM-20678

Improved performance of string collation and iteration.

Known Issues

  • There are no new issues to report in this release.


21.12.0.0

Release Notes PDF

Release date: December 20, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u322

8

8u312

11

11.0.13+8

13

13.0.9+3

15

15.0.5+3

17

17.0.1+12

What’s New

  • Photon OS is now supported.

  • Improved performance of string collation and character iteration. You can enable the use of the custom implementation of RuleBasedCollator using the option -XX:+UseModifiedRuleBasedCollator. This option is false by default.

  • Docker images for Prime are now available.

Resolved Issues

Issue ID Description

ZVM-21048

When -XX:+UseLargePages is used and the number of static huge pages reserved by nr_hugepages is insufficient for the total heap, Prime failed to start. Now it matches OpenJDK behavior and continues as expected.

ZVM-22049

OldGC is not triggered often enough during idle time when NewGCs are occurring.

ZVM-22063

Map OpenJDK command line option UseCountedLoopSafepoints onto KeepSafepointsInCountedLoops.

ZVM-19635

Avoid lock in ByteArrayInputStream.read if it is used as an input of ObjectInputStream.

ZVM-20678

Improved performance of string collation and iteration.

Known Issues

There are no new issues to report in this release.


21.10.1.0

Release Notes PDF

Release date: December 14, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u322

8

8u312

11

11.0.13

13

13.0.9

15

15.0.5

What’s New

  • Azul Platform Prime 21.10.1.0 contains the same features as 21.10.0.0.

Resolved Issues

Issue ID Description

ZVM-21884

Failure during startup when the kernel does not have support for Transparent Huge Pages (THP) feature, or does not support making madvise(2) calls with MADV_NOHUGEPAGE.

ZVM-22052

Cassandra fails when ulimit -l unlimited is set to allow more mlock than the Linux default. This issue affected only Prime version 21.10.0.0.

Known Issues

There are no new issues to report in this release.


21.10.0.0

Release Notes PDF

Release date: October 29, 2021

This CPU release is based on the following OpenJDK versions:

Major Version OpenJDK Version

7

7u322

8

8u312

11

11.0.13

13

13.0.9

15

15.0.5

What’s New

  • Includes all October 2021 CVE fixes.

  • Azul Platform Prime 21.10.0.0 contains the October 2021 CPU release of OpenJDK. Azul Platform Prime 21.10.0.0 brings the associated JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 versions to October 2021 CPU security update levels.

  • The peak heap occupancy target, used by heuristics to decide when to trigger a garbage collection, is now managed dynamically by default. The dynamic changes can be disabled by setting GPGCTargetPeakHeapOccupancyPercent to a desired value.

  • Increased parallelism between collectors for the new generation and old generation. Helps reduce the peak duration for a new generation collection and reduce allocation delays during peak load.

  • The number of concurrent GC threads is now changed dynamically when -Xms is set to the same value as -Xmx, or when Azul Zing System Tools (ZST) is installed. At JVM start a low number of concurrent GC threads is employed. If later during application uptime the GC Time Percent metric increases beyond a threshold, more GC threads are added to reduce the number of GC cycles. The limit for the total number of GC threads is 3/4 of the process' available CPU threads. As of this Prime version, the number of threads will never shrink later.

    To disable the dynamic handling, use the following on the command line: -XX:-UseDynamicNumberOfGCThreads

    If one of the following flags is set on the command line, the dynamic handling will also be disabled:

    • -XX:GPGCThreads=N

    • -XX:GenPauselessNewThreads=N

    • -XX:GenPauselessOldThreads=N

  • General performance improvements.

  • More intrinsics from Java 17.

Resolved Issues

Issue ID Description

ZVM-xxxx

High CPU utilization by HeapCommit thread in some specific scenarios. This only applies when -Xms isn’t set or set to less than -Xmx.

ZVM-xxxx

Fixes crash on JVM start on Ubuntu 21.10 (Impish) and CentOS 9 Stream (beta).

Known Issues

There are no new issues to report in this release.


21.09.1.0

Release Notes PDF

Release date: October 14, 2021

This release is based on Azul Platform Prime 21.09.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u312

8

8u302

11

11.0.12+7

13

13.0.8+5

15

15.0.4+5

What’s New

  • Initial support for Cloud Native Compiler. Cloud Native Compiler provides a server-side optimization solution that offloads JIT compilation to dedicated hardware, providing more processing power to JIT compilation while freeing your client JVMs from the load of doing JIT compilation.

  • General performance improvements.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.09.0.0

Release Notes PDF

Release date: September 29, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u312

8

8u302

11

11.0.12+7

13

13.0.8+5

15

15.0.4+5

What’s New

  • General performance improvements.

  • GC log line has been expanded to include additional information for heap elasticity.

  • Introduces a new JFR event named "Deoptimization" which arises when previously compiled code gets discarded. The event is useful in troubleshooting performance issues including low throughput and high CPU utilization.

Resolved Issues

Issue ID Description

ZVM-21015

High pause time during OldGC due to unloading of a long chain of subclasses.

ZVM-19788

Installation packages are now signed.

ZVM-20927

Abort the VM if GC safepoint operation time exceeds a configurable threshold. See the new GC options: DieOnSafepointOperationTimeout and SafepointOperationTimeoutDelayMS

ZVM-17584

Introduces a new JFR event named "Deoptimization" which arises when previously compiled code gets discarded. The event is useful in troubleshooting performance issues including low throughput and high CPU utilization.

Installation Changes

A new directory is created during installation: /etc/connected-compiler.

Known Issues

There are no new issues to report in this release.


21.08.0.0

Release Notes PDF

Release date: August 31, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u312

8

8u302

11

11.0.12+7

13

13.0.8+5

15

15.0.4+5

What’s New

  • Improved performance with large Java heaps on Intel Ice Lake systems with 5-level page tables.

  • Introduces support for Intel’s Ice Lake 5-level paging.

  • Support for dynamically varying garbage collector thread counts with the GPGCDynamicGCThreadCountPolicy option. See command line options for more details.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.07.0.0

Release Notes PDF

Release date: July 30, 2021

This CPU and PSU release is based on the following OpenJDK versions:

Major Version OpenJDK Version

7

7u312

8

8u302

11

11.0.12+7

13

13.0.8+5

15

15.0.4+5

What’s New

  • Incorporates all of the changes from the July 2021 CPU release and most of the changes from the July 2021 PSU release.

  • Various performance improvements including improved locking, stack-walking behavior for performance.

  • Loop unrolling improvements.

  • Java heap elasticity is turned on by default when not using the Prime System Tools (ZST). This means that -Xms is now recognized along with -Xmx. The default values also match OpenJDK. For latency sensitive applications it is advised to set -Xms equal to -Xmx to preserve the old behaviour. See Recommended Heap Size for more details.

Installation Directory Changes

The following file was added to the installation directory: crs-agent.jar.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.06.0.0

Release Notes PDF

Release date: June 30, 2021

This release is based on Azul Platform Prime 21.04.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u302

8

8u292

11

11.0.11+9

13

13.0.7+5

15

15.0.3+3

What’s New

  • Additional improvements of the Heap Elasticity feature introduced in 21.05.0.0. Improved memory allocation handling in Heap Elasticity mode to avoid exceeding the container/cgroups memory limit.

  • Fixed many issues with Async Profiling.

  • Various performance improvements with Falcon compiler:

    • Fixed extra spills causing performance penalties by supporting live gc values on registers for calls which can throw exceptions

    • Improved performance of applications that frequently use Unsafe.allocateInstance.

    • Implemented nested locks elimination optimization for multiple nested locks on a given object under the condition that the nested lock state is not inspected.

Resolved Issues

Issue ID Description

ZVM-19710

Profiling with cpu/wall events yeilds unusable results

ZVM-20081

Startup failure when specifying Xms larger than 25% of RAM, when -XX:+GPGCNoZSTHeapElasticity is specified and Xmx is not specified.

ZVM-19972

JVM memory metrics like Runtime.getRuntime.totalMemory() and Runtime.getRuntime.maxMemory() and related like java.lang.management.MemoryMXBean now include JVM-internal memory usage and will show a few MBytes larger numbers now. Calculations and methods around free memory calculation are not affected and will return the same results as before. That means for example Runtime.getRuntime.freeMemory() or difference calculation between attributes like "used" and "total" memory will also result in the same as in previous releases. See Recommended Heap Size for details.

Known Issues

There are no new issues to report in this release.


21.05.1.0

Release Notes PDF

Release date: July 12, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u302

8

8u292

11

11.0.11+9

13

13.0.7+5

15

15.0.3+3

What’s New

  • A fix for bug ZVM-20496 which turns opt-boxing-rewrite-loads off by default to avoid miscompiles in certain code patterns.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.05.0.0

Release Notes PDF

Release date: May 31, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u302

8

8u292

11

11.0.11+9

13

13.0.7+5

15

15.0.3+3

What’s New

  • Non-ZST Heap Elasticity introduced. See Recommended Heap Size for details. When heap elasticity is enabled, the Garbage Collector tries to minimize the memory footprint, keeping it between the user- defined range of -Xms and -Xmx. At the same time, the CPU usage of the Garbage Collector is monitored and the memory minimizing goal relaxed in case the CPU usage increases too much. Heap Elasticity is not available when Azul Zing System Tools (ZST) is installed.

  • Azul Platform Prime 21.05.0.0 makes the OpenJDK C1 OSR the default OSR for the Falcon compiler. The C1 OSR takes much less time and CPU resources to fully optimize your code to steady-state performance.

  • Stream Builds (previously known as Feature Releases) are now free for use in development and evaluation. As such, the builds no longer check for an evaluation license.

  • Latency improvement for applications with frequent Unsafe.get() and put() calls.

  • Fixed heap dump compatibility issue that prevented opening Zing head dumps in IntelliJIdea.

  • Enabled jcmd ManagementAgent command option support.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.04.0.0

Release Notes PDF

Release date: April 30, 2021

This CPU and PSU release is based on the following OpenJDK versions:

Major Version OpenJDK Version

7

7u302

8

8u292

11

11.0.11+9

13

13.0.7+5

15

15.0.3+3

What’s New

  • April 2021 CPU and PSU fixes.

  • Quicker acquisition of transparent huge pages on Ubuntu, Amazon Linux or similar Linux systems with kernel 4.19.7 or newer in non-ZST mode. This can help get peak performance earlier as well as enable faster java process restart when THP is configured.

  • Default value of Xmx in cgroups is now the minimum of 25% of cgroup memory limit and 32 GB. Prior to 21.04.0.0, it was 25% of cgroup memory limit.

  • Reduced code cache usage for applications with high number of classes or interfaces and a large number of associated methods.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2021-2161

Libraries

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

16, 15, 13, 11, 8, 7, 6

Note 1

CVE-2021-2163

Libraries

Multiple

Yes

5.3

Network

High

None

Required

Unchanged

None

High

None

16, 15, 13, 11, 8, 7, 6

Note 2

CVE-2021-23841 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (OpenSSL)

HTTPS

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2021-3450 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTPS

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.03.0.0

Release Notes PDF

Release date: March 31, 2021

This release is based on the following OpenJDK versions:

Major Version OpenJDK Version

7

7u292

8

8u282

11

11.0.10+9

13

13.0.6+5

15

15.0.2+7

What’s New

  • Enhanced Compatibility With Data Management Platforms

    ZVM 21.03.0.0 improves compatibility between the MXBean memory pool names and names expected by in- memory data management systems (e.g., Pivotal GemFire 8.2).

  • JFR Event Streaming allows to asynchronously subscribe to select JFR events and avoid the overhead associated with creating a recording in JDK 15.

  • Various performance improvements, like enhancements to tracking of garbage-collection roots, compiler optimizations for aggressive lock coarsening, and an experimental ReadyNow mode that enables the pre-initialization of a greater number of bootstrap classes.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.02.0.0

Release Notes PDF

Release date: February 26, 2021

This release is based on Azul Platform Prime 21.01.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u292

8

8u282

11

11.0.10+9

13

13.0.6+5

15

15.0.2+7

What’s New

  • Introduces medium-term support (MTS) for Java Standard Edition 15. See Azul Product Support Lifecycle for more information.

  • Additional non-security changes associated with the January 2021 Patch Set Updates (PSU) OpenJDK 7u292, OpenJDK 8u282, OpenJDK 11.0.10, OpenJDK 13.0.6 and OpenJDK 15.0.2 release contents.

  • Load value barriers for reference equality checks are optimized within loops. Zing also optimizes more such checks aggressively by considering both operands of the equality check.

  • Improved object locking with better monitor inflation behavior.

  • The functionality of UseCodeCacheFlushing is offered under UseIncrementalCodeCacheFlushing in Zing 21.02.0.0. However, Zing has emergency code cache flushing turned on by default, see UseEmergencyCodeCacheFlushing in Using Zing Command-Line Options for details.

  • Early-access support for ReadyNow Image, an experimental warm-up optimizer based on ReadyNow and Linux Checkpoint/Restore In Userspace (CRIU).

    Zing 21.02.0.0 installation contains ReadyNow Image files in the /etc/rni/ directory: ` `criu libnet.so.1 libnl-3.so.200 libprotobuf-c.so.1 restore-script wait-script

  • Zing 21.02.0.0 includes optional experimental support for interaction with connected runtime services through an emerging protocol in Zing 13. Note that for Zing 8 and Zing 11 this support was introduced in Zing 21.01.0.0.

    Zing 21.02.0.0 installation contains the following files related to the services:

    • jmods/azul.crs.jfr.access.jmod

    • legal/azul.crs.jfr.access/ADDITIONAL_LICENSE_INFO

    • legal/azul.crs.jfr.access/ASSEMBLY_EXCEPTION

    • legal/azul.crs.jfr.access/CLASSPATH_EXCEPTION_NOTE

    • legal/azul.crs.jfr.access/LICENSE

    • lib/crs-agent.jar

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


21.01.0.0

Release Notes PDF

Release date: January 29, 2021

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u292

8

8u282

11

11.0.10+9

13

13.0.6+5

What’s New

  • C2 Improvement

    The default JIT compiler on Zing JDK 8 and JDK 7 is changed from SeaOfNodesC2 to KestrelC2 when Zing C2 mode is enabled with -XX:+UseC2.

    For Zing JDK 11, this improvement was made in Zing 20.04.0.0.

    KestrelC2 is a C2 implementation introduced to Zing in 2020. It is based on a lightweight use of the LLVM backend and typically produces faster code than UseSeaOfNodesC2 while keeping compilation effort at similar levels. UseKestrelC2 generally exhibits a significantly lower compilation-time CPU consumption compared to Falcon.

    See Using Zing Command-Line Options for -XX:[+/-]UseKestrelC2 and -XX:[+/-]UseSeaOfNodesC2 command-line options and details.

    The default JIT compiler in Zing is the high-performance Falcon introduced in 2017.

  • New Experimental Features

    Zing 21.01.0.0 includes optional experimental support for interaction with connected runtime services through an emerging protocol in Zing 11 and Zing 8.

    These experimental capabilities are enabled by the -XX:+UseCRS command-line option and turned off by default. Being an experimental Zing option, it must be unlocked by preceding -XX:+UnlockExperimentalVMOptions.

  • Performance Improvement

    Zing 21.01.0.0 introduces an improved escape analysis for arrays in the Falcon compiler.

    The improvement includes an optimization for array reallocation pattern (e.g., java.util.Arrays.copyOf) to avoid redundant copying. Notably, this optimization improves the performance of string concatenation using the StringBuilder class by the elimination of excessive reallocations of the underlying StringBuilder buffer.

  • Support for EdDSA Signature Algorithm

    Zing 21.01.0.0 introduces the OpenEdDSA provider which can be used for cryptographic signatures using the Edwards-Curve Digital Signature Algorithm (EdDSA) in Zing 8 with no application or code changes. See JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA) for details.

    The OpenEdDSA public API is provided in the org.openeddsa.java.security.interfaces and org.openeddsa.java.security.spec packages.

    To enable the OpenEdDSA provider, do either of the following:

    • configure the Java Runtime Environment for the OpenEdDSA provider by adding the entry below to the $JAVA_HOME/jre/lib/security/java.security file

       
      security.provider.10=org.openeddsa.security.OpenEdDSA
    • add the OpenEdDSA provider directly to your code

       
      // Add OpenEdDSA provider java.security.Security.addProvider(new org.openeddsa.security.OpenEdDSA());

Resolved Issues

Issue ID Description

ZVM-18362

A compiler crash due to incorrect transformation of Compare And Swap on an unescaped object.

ZVM-18233

21.01.0.0 20.08.201.0

Known Issues

There are no new issues to report in this release.


20.12.0.0

Release Notes PDF

Release date: December 18, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u285

8

8u275

11

11.0.9.1+1

13

13.0.5.1+1

What’s New

  • Zing 20.12.0.0 incorporates additional non-security changes associated with the October Patch Set Updates (PSU) 2020 OpenJDK 7u285, OpenJDK 8u275, OpenJDK 11.0.9.1, and OpenJDK 13.0.5.1 release contents.

  • Zing 20.12.0.0 introduces an enhanced induction variable analysis and range checks removal mechanism. Particularly, improved range check elimination capabilities for decrementing loops of the following type:

     
    for (int i = array.length - 1; i >= 0; i--) { array[i] = ... }

Resolved Issues

Issue ID Description

ZVM-18035

Backport of JDK-8202837 and JDK-8214513 to Zing 8.

ZVM-17938

Setting InitalHeapSize and MaxHeapSize the same fails in non-ZST mode. This affects applications such as ElasticSearch which insists that Initial Heap Size be equal to Maximum Heap Size.

ZVM-17430

JarFile constructor exception in JDK 11.0.8.

ZVM-17346

System data collected for GC logging could cause oom-killer invocation and kernel panic when java is launched under the root user.

ZVM-16051

Provide FalconTrustInterfaceTypesForArrayStore to move interface type conformance check from the VM to the application. This can improve throughput variability for some applications. -XX:+UnlockExperimentalVMOptions is required to use -XX:+FalconTrustInterfaceTypesForArrayStore.

Known Issues

There are no new issues to report in this release.


20.10.0.0

Release Notes PDF

Release date: October 30, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u281

8

8u271

11

11.0.8.0.101+5

What’s New

  • Zing 20.10.0.0 brings the associated JDK 7, JDK 8, JDK 11 and JDK 13 versions to October 2020 Critical Patch Update (CPU) security update levels and incorporates changes related to OpenJDK 7u281, OpenJDK 8u271, OpenJDK 11.0.8.0.101, and OpenJDK 13.0.4.0.101 release contents.

  • Zing 20.10.0.0 includes loop form fixes to increase performance of loops by simplified triggering of enabled vectorization methods. The optimization is enabled by default.

  • Zing 20.10.0.0 contains an improved allocation mechanism which has a positive impact on Zing’s performance. The optimization is enabled by default.

  • Zing 20.10.0.0 introduces method counters across JVM runs, which enables ReadyNow to build a profile over multiple short runs when the number of orders is low.

Resolved Issues

Issue ID Description

ZVM-17662

Fix confusing error message when calling Zing MXBeans APIs without specifying -XX:+UseZingMXBeans.

ZVM-17168

Checkpoint timeout crash while running async-profiler along with Zing.

ZVM-16971

Compiler crash with signature polymorphic invokedynamic calls.

Known Issues

There are no new issues to report in this release.


20.09.1.0

Release Notes PDF

Release date: October 19, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u272

8

8u265

11

11.0.8+10

13

13.0.4+8

What’s New

Resolved Issues

Issue ID Description

ZVM-17453

Final field optimizations can miscompile in code compiled with Javac11 and above.

Known Issues

There are no new issues to report in this release.


20.09.0.0

Release Notes PDF

Release date: September 30, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u272

8

8u265

11

11.0.8+10

13

13.0.4+8

What’s New

  • Zing 20.09.0.0 introduces Medium Term Support for Java SE 13. See Azul Product Support Lifecycle for more information.

  • Zing 20.09.0.0 includes accelerated copying of large array chunks. The optimization is enabled by default. See UseArrayCopyChunkingIntrinsics in Using Zing Command-Line Options for details.

  • Zing 20.09.0.0 provides a performance improvement for org.apache.logging.log4j.util.StackLocator.getCallerClass(), which maximizes logging performance when using log4j versions 2.13.1 - 2.13.3 on Zing 8 and log4j versions 2.9.0 - 2.13.3 on Zing 11+. The improvement is disabled by default. See UseLog4jGetCallerClassIntrinsic in Using Zing Command-Line Options for details.

  • Zing 20.09.0.0 introduces unified Garbage Collection (GC) logging that utilizes unified JVM logging framework (JEP 271: Unified GC Logging). See Unified GC Logging Recommendations to learn more.

Resolved Issues

Issue ID Description

ZVM-16945

Core bundler: pid extraction can select more than one line.

ZVM-16239

Racy initialization logic in GraphBuilder::initialize(): under rare circumstances another thread can observe the _is_initialized flag set before the static fields _can_trap and _is_async are actually initialized.

Known Issues

There are no new issues to report in this release.


20.08.0.0

Release Notes PDF

Release date: August 31, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u272

8

8u262

11

11.0.8+10

What’s New

  • Zing 20.08.0.0 incorporates additional non-security changes associated with the July Patch Set Updates (PSU) 2020 OpenJDK 7u272, OpenJDK 8u265, and OpenJDK 11.0.8 release contents.

  • NONEwithDSAinP1363Format is included in signature algorithms enabled in Zing 20.08.0.0 by default. NONEwithDSAinP1363Format is scheduled for removal in the following release of the Zing Virtual Machine. Since the algorithm is not supported in other JDK 8 virtual machines, it is recommended to migrate to Digital Signature Algorithms with ASN.1 encoded signature bytes.

  • Zing 20.08.0.0 introduces multiple optimizations that significantly increase performance on a set of Java Stream API scenarios.

  • Zing 20.08.0.0 introduces a new version string format that includes a matching OpenJDK release number.

  • Version 1 of the GC Log Analyser has reached its end-of-life and is removed from Zing 20.08.0.0. Version 2 of the GC Log Analyzer is available for download at https://cdn.azul.com/gcla/GCLogAnalyzer2.jar.

Resolved Issues

Issue ID Description

ZVM-16504

Crash in guarantee(_deopt_list_len < sizeof(_deopt_list)/sizeof(_deopt_list[0])) failed: make deopt_list bigger.

Known Issues

There are no new issues to report in this release.


20.07.0.0

Release Notes PDF

Release date:

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u272

8

8u262

11

11.0.8+10

What’s New

  • Zing 20.07.0.0 brings the associated JDK 7, JDK 8, and JDK 11 versions to July 2020 Critical Patch Update (CPU) security update levels and incorporates changes related to OpenJDK 7u271, OpenJDK 8u261, and OpenJDK 11.0.7.0.101 release contents.

  • The lock-less Java Native Interface (JNI) protocol is enabled by default in Zing 20.07.0.0. See Using Zing Command-Line Options for the UseThreadStateNativeWrapperProtocol option and details.

  • Zing 20.07.0.0 introduces optimization in object allocation (internal new_stub() function) for improved performance in TLAB allocation intensive applications. The optimization is enabled by default.

  • Starting with Zing 20.07.0.0, Zing 8 supports TLS 1.3 by default and follows the application programming interface (API) changes introduced by Maintenance Release 3 to the Java SE 8 specification.

Resolved Issues

Issue ID Description

ZVM-15833

Add additional logging of padding sizes.

Known Issues

Issue ID Description

20.06.0.0

Release Notes PDF

Release date:

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u262

8

8u252

11

11.0.7+10

What’s New

  • The release of Zing 20.06.0.0 includes ReadyNow improvements for faster warmup and smaller footprint.

  • Zing 20.06.0.0 introduces a JNI exception checking optimization. See Using Zing Command-Line Options for the UseFastJNIExceptionCheck option and details.

  • Zing 20.06.0.0 provides full elasticity support for code cache. See Using Zing Command-Line Options for the InitialCodeCacheSize, ReservedCodeCacheSize, and CodeCacheOopTableSize options and details.

  • Zing 20.06.0.0 includes a further improvement of JDK 11 java.lang.StackWalker which is frequently used by log4j2 and other logging implementations. See also https://openjdk.java.net/jeps/259 and java.lang.StackStreamFactory$AbstractStackWalker.

  • Zing 20.06.0.0 introduces new diagnostic Java Flight Recorder (JFR) events to simplify error handling.

  • The lock-less Java Native Interface (JNI) protocol is disabled by default. See Using Zing Command-Line Options for the UseThreadStateNativeWrapperProtocol option and details.

Resolved Issues

Issue ID Description

ZVM-15687

Make -XX:+TraceImplicitNullChecks manageable.

ZVM-12535

JVM flags, ParGCCardsPerStrideChunk and UseCompressedClassPointers, give error.

Known Issues

Issue ID Description

20.05.0.0

Release Notes PDF

Release date: May 29, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u262

8

8u252

11

11.0.7+10

What’s New

  • In Zing 20.05.0.0, the Java Flight Recorder Tick Profiler becomes enabled by default.

  • In Zing 20.05.0.0, Java monitors are moved from CodeCache to a new dedicated MonitorCache storage.

  • The release of Zing 20.05.0.0 includes optimizations targeted at accelerating compilation and warmup.

  • Zing 20.05.0.0 introduces better JDK 11 java.lang.StackWalker which is frequently used by log4j2 and other logging implementations. See also https://openjdk.java.net/jeps/259 and java.lang.StackStreamFactory$AbstractStackWalker.

  • Zing 20.05.0.0 provides a reduction of application exit times in the non-ZST mode when a process uses mlockall().

  • Zing 20.05.0.0 improves the mitigation strategy used by the Falcon compiler to minimize performance impacts due to Intel's microcode updates in response to Jump Conditional Code (JCC) Erratum SKX102. Previous versions inserted nop instructions for padding; the new version can optionally increase the size of existing instructions in some cases. As before, the mitigation is enabled only on affected processors, and no user action is needed.

  • Zing 20.05.0.0 introduces a testing grace period mode, under which the Zing can run for up to 60 minutes (3600 seconds) without requiring a valid license. The testing grace period can be enabled by setting the ZING_TESTING_GRACE_PERIOD_SEC environment variable to a number of grace period seconds (up to 3600), or by using the -XX:ZVMTestingGracePeriodSec=N flag with a similar value.

Resolved Issues

Issue ID Description

ZVM-15452

Crash with problematic frame vframe::next()+0x9e

ZVM-15426

Crash in guarantee(false) failed: derived_oop_slots.contains(dst)!!

ZVM-15024

Crash in guarantee(FMP.getNumFunctions() == 1) failed: exactly one function expected!.

Known Issues

Issue ID Description

20.04.0.0

Release Notes PDF

Release date: April 30, 2020

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u262

8

8u252

11

11.0.7+10

What’s New

  • The release of Zing 20.04.0.0 contains April 2020 critical patch update (CPU) security and critical bug fixes and brings the associated JDK 7, JDK 8, and JDK 11 versions to April 2020 CPU security update levels.

  • Zing 20.04.0.0 incorporates additional non-security changes associated with the April PSU 2020 OpenJDK 8u252 and OpenJDK 11.0.7 release contents.

  • Starting with Zing 20.04.0.0, the -XX:+UseC2 option can use one of two separate implementations of C2 JIT compilation: a traditional UseSeaOfNodesC2 mode and a new UseKestrelC2 mode.

  • The new mode is selected with +UseKestrelC2 which is on by default for Zing 11 and off by default for Zing 8 and Zing 7. This mode enables a C2 implementation introduced to Zing in 2020. It is based on a lightweight use of the LLVM backend and typically produces faster code than UseSeaOfNodesC2 while keeping compilation effort at similar levels. UseKestrelC2 generally exhibits a significantly lower compilation-time CPU consumption compared to Falcon.

    The old mode is selected with +UseSeaOfNodesC2 which is off by default in Zing 11 and on by default for Zing 8 and Zing 7.

    See Using Zing Command-Line Options for UseKestrelC2 and UseSeaOfNodesC2 command-line options and details.

  • Zing 20.04.0.0 introduces a compilation time improvement.

  • The release of Zing 20.04.0.0 introduces an increased maximum Java heap size from 1 TB to 2.5 TB in the default non-ZST mode.

    The maximum Java heap size for the Zing Virtual Machine with ZST is 20 TB.

  • In Zing 20.04.0.0, a new Java Flight Recorder functionality allows you to collect profiling data about applications that use JNI invocations.

  • The release of Zing 20.04.0.0 includes optimizations targeted at reducing JNI transition costs. The cost of a native call from Java was reduced, and the implementation of the accessor functions used to retrieve fields of Java objects from native code was also improved. Most applications will not be affected, but applications with many native transitions (such as a socket or file IO) may see the marked improvement.

    See Using Zing Command-Line Options for UseFastJNIAccessors, UseMembar, and UseThreadStateNativeWrapperProtocol command-line options and details.

  • Zing 20.04.0.0 excludes debug symbols embedded in libjvm.so, which reduces the filesystem footprint of a Zing installation by 280 MB.

    Contact [email protected] if you need to install debug symbols for Zing.

Resolved Issues

Issue ID Description

ZVM-15020

Illegal memcpy generated through the optimizer.

ZVM-14815

getPercentJavaHeapOccupiedAfterCollection() returns 0.

ZVM-10128

Runtime.getRuntime().availableProcessors() returns an incorrect value when affinity is set.

Known Issues

Issue ID Description

ZVM-14636

Heap dumps and JVMTI object tagging are not supported with UseEpsilonGC.


20.03.1.0

Release Notes PDF

Release date:

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u252

8

8u242

11

11.0.6+10

What’s New

Resolved Issues

Issue ID Description

Known Issues

Issue ID Description

20.03.0.0

Release Notes PDF

Release date:

This release corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u252

8

8u242

11

11.0.6+10

What’s New

  • The release of Zing 20.03.0.0 introduces the elimination of redundant boxing conversions and the optimized copying of HashSets.

Resolved Issues

Issue ID Description

Known Issues

Issue ID Description

20.02.1.0

Release Notes PDF

Release date: April 8, 2020

This release is based on Azul Platform Prime 20.02.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

7

7u252

8

8u242

11

11.0.6+10

What’s New

  • Internal bug fixes and stability improvements.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.


20.02.0.0

Release Notes PDF

Release date: February 28, 2020

This release is based on the following OpenJDK versions:

Major Version OpenJDK Version

7

7u252

8

8u242

11

11.0.6+10

What’s New

  • January 2020 PSU Release.

    This version incorporates additional non-security changes associated with the PSU 2020 OpenJDK 8u242 and OpenJDK 11.0.6 release contents.

  • Deprecation of FalconUseLegacyInliner

    The FalconUseLegacyInliner command-line option is deprecated in Zing 8 and 11 with no replacemen.

Resolved Issues

Issue ID Description

ZVM-14463

Occasionally seen segmentation faults during startup of the servers, which causes the server to fail to start.

ZVM-12506

In Java 11 testing, a rare ZVM 18.12.0.0 crash was observed when returning from the invocation of a MethodHandle routine.

Known Issues

There are no new issues to report in this release.


20.01.0.0

Release Notes PDF

Release date: January 30, 2020

This release is based on the following OpenJDK versions:

Major Version OpenJDK Version

7

7u251

8

8u241

11

11.0.5.0.101+11

What’s New

  • January 2020 CPU Release.

  • InZVM20.01.0.0, -XX:+FalconCompensateForIntelMCUForErratumSKX102 is an off-by-default option and introduces a nop padding based mitigation for performance regressions seen on some systems following Intel’s microcode updates in response to errata SKX102. This option is expected to become the default in a future Zing release. If enabled, nop padding will be used to align affected branches on systems with the microcode update applied.

    For testing purposes, the flag -XX:+ForceFalconCompensateForIntelMCUForErratumSKX102 is also provided. This can be used to force the generation of nop padded code on unaffected systems for performance validation.

Resolved Issues

Issue ID Description

ZVM-7678

Backport of JDK-8162795 to fix JNI weak handle native memory leak which can occur in some use cases since ZVM 19.02.102.0.

Known Issues

There are no new issues to report in this release.


Previous Stable Builds

24.08.200.0

Release Notes PDF

Release date: November 19, 2024

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.102.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_432-b4

11

11.0.25+9-LTS

17

17.0.13+11-LTS

21

21.0.5+11-LTS

What’s New

  • October 2024 PSU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21208

Networking

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21217

Serialization

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

Multiple

Yes

8.1

Network

High

None

None

Unchanged

High

High

High

None

CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

High

High

None

Note 1

CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxml2)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

Note 1

CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 2

CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 2

CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 2

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32734

Avoid using std::regex due to incompatibility with libraries that use old versions of libstdc++


24.08.102.0

Release Notes PDF

Release date: November 14, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.101.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_431-b2

11

11.0.24.0.101+1-LTS

17

17.0.12.0.101+1-LTS

21

21.0.4.0.101+1-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32704

Revert BufferTier1CompileRequests


24.08.101.0

Release Notes PDF

Release date: October 22, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.100.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_431-b1

11

11.0.24.0.101+1-LTS

17

17.0.12.0.101+1-LTS

21

21.0.4.0.101+1-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32504

Crash when multiple threads race to fill the last slot available in VM internal constant table

ZVM-32001

Allocation analyses and optimizations can consume too much memory

ZVM-29261

Crash with virtual threads due to reuse of a stack chunk during GC

ZVM-31788

Local fallback not triggered when the connection to OptHub is alive but no serverside components are able to serve the client requests.


24.08.100.0

Release Notes PDF

Release date: October 15, 2024

This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.1.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_431-b2

11

11.0.24.0.101+1-LTS

17

17.0.12.0.101+1-LTS

21

21.0.4.0.101+1-LTS

What’s New

  • October 2024 CPU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21208

Networking

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21217

Serialization

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

Multiple

Yes

8.1

Network

High

None

None

Unchanged

High

High

High

None

CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

High

High

None

Note 1

CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxml2)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

Note 1

CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 2

CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 2

CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 2

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


24.08.1.0

Release Notes PDF

Release date: September 20, 2024

This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_422-b1

11

11.0.24+8-LTS

17

17.0.12+7-LTS

21

21.0.4+4-LTS

What’s New

  • Zing 24.08.1.0 includes a performance improvement in ReadyNow which improves the efficiency and reporting of the built-in class loader identification task.

  • In case you need to disable Extended Native Memory Tracking (NMT), Zing 24.08.1.0 includes new command line option UseExtendedNMT , which you can use to disable Zing’s Extended NMT, and EnableNMTIntegrityChecks , which you can use to disable checks on allocations. Zing runs in Extended NMT mode and includes integrity checks by default. Using -XX:-UseExtendedNMT tells Zing to run NMT in a Zulu-like mode. We do not recommend disabling Extended NMT except in very specific cases.

  • Zing 24.08.1.0 features an update to JVMTI behavior in order to bring it to the modern standard. Previously, a few commercial Java application performance monitoring tools have been reporting too long GC pause times because Zing was reporting non-pausing concurrent GC durations wrongly as GC pauses over JVMTI events JVMTI_EVENT_GARBAGE_COLLECTION_START (GarbageCollectionStart) and JVMTI_EVENT_GARBAGE_COLLECTION_FINISH (GarbageCollectionFinish).

    The new correct reporting may increase the actual GC pauses slightly if monitoring software attached with -javaagent using JVMTI is active. By adding -XX:-GPGCNotifyJVMTIGCEventsInSafepoint the reporting of GC events can be moved outside the pause.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32164

Make sure RN’s initialization order is not affected by parallel application activity

ZVM-32021

Malformed characters as part of cgroup data in GC log header

ZVM-31884

Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode

ZVM-31914

Disable limit on CNC reconnection attempts

ZVM-31866

ReadyNow threads should not cause OOM

ZVM-31859

Don’t hold JVM lock while performing Falcon context reset

ZVM-31812

Expensive JNI method handle resolution in CompileQueue::scan_for_task may delay application threads

ZVM-31772

Remove CompileQueue::top best task search overhead

ZVM-31705

Frequent chunk sending re-tries


24.02.401.0

Release Notes PDF

Release date: October 3, 2024

This release is based on Azul Platform Prime 24.02.400.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_422-b3

11

11.0.24+8-LTS

17

17.0.12+7-LTS

21

21.0.4+4-LTS

What’s New

  • Azul Zing 24.02.401.0 improves the efficiency and reporting of the builtin class loader identification task, ensuring that the builtin class loader identification tasks finish within an expected timeframe.

  • Azul Zing 24.02.401.0 adds a mode which makes ReadyNow file tasks through the request buffer rather than directly to the compile queue. This change can reduce overhead in some cases.

  • In case you need to disable Extended Native Memory Tracking (NMT), Zing 24.02.401.0 includes new command line option UseExtendedNMT, which you can use to disable Zing’s Extended NMT, and EnableNMTIntegrityChecks, which you can use to disable checks on allocations. Zing runs in Extended NMT mode and includes integrity checks by default. Using -XX:-UseExtendedNMT tells Zing to run NMT in a Zulu-like mode. We do not recommend disabling Extended NMT except in very specific cases.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-32021

Malformed characters as part of cgroup data in GC log header

ZVM-31884

Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode

ZVM-32164

Make sure ReadyNow’s initialization order is not affected by parallel application activity

ZVM-31914

Failing to run Falcon code for some methods in Neuron application

ZVM-31884

Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode

ZVM-31866

ReadyNow threads should not cause OOM

ZVM-31859

Don’t hold JVM lock while performing Falcon context reset

ZVM-31812

Expensive JNI method handle resolution in CompileQueue::scan_for_task may delay application threads

ZVM-31772

Remove CompileQueue::top best task search overhead


24.02.400.0

Release Notes PDF

Release date: August 19, 2024

This PSU release is based on Azul Platform Prime 24.02.302.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_422-b1

11

11.0.24+8-LTS

17

17.0.12+7-LTS

21

21.0.4+4-LTS

What’s New

  • July 2024 PSU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21145

2D

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21131

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21138

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21144

Concurrency

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

11, 8

Note 2

CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

HTTP/2

Yes

8.2

Network

Low

None

None

Unchanged

None

Low

High

None

CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 1

CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 1

Notes:

ID Notes

1

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


24.02.302.0

Release Notes PDF

Release date: July 17, 2024

This PSU release is based on Azul Platform Prime 24.02.301.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_421-b2

11

11.0.23.0.101+2-LTS

17

17.0.11.0.101+3-LTS

21

21.0.3.0.101+4-LTS

What’s New

  • Zing 24.02.302.0 is able to track detailed ReadyNow task execution. This tracks data on the amount of time tasks are waiting in the compiler queue and actual work done, and compiles those total values into a histogram.

  • Zing 24.02.302.0 implements an intrinsification of the method java.lang.reflect.Array.get, leading to a significant performance improvement in some cases.

  • You can now use more patterns in the DumpIR compile command to specify multiple DumpIRToDiskOf options, allowing you to collect the IR dump for multiple different compilations without using a wide pattern which can potentially lead to overflow of storage.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-31406

LocalFallback happening when rebalancing (without obvious reason)

ZVM-31312

PrintGCHeadersGuaranteedIntervalSecs fails with big interval

ZVM-31328

Falcon compilation ends with Stack Memory Failure

ZVM-31300

Remove OSThread::_interrupted for Java >= 14

ZVM-31299

Port JDK-8175318 from OpenJDK to avoid unnecessary cleaning of JNI handles

ZVM-31224

Multiple compiler engine crashes

ZVM-31117

[SLPVectorize] Quick fix downstream for broken cost model affecting sun.security.provider.SHA.implCompress

ZVM-30566

Local queue is not cleared when local fallback is disabled

ZVM-29694

Chronicle-Queue crashed due to "Error: Safepoint sync time longer than 200000 ms detected when executing Deoptimize."

ZVM-26110

[NMT] Make intercepted allocations honor alignment parameter


24.02.301.0

Release Notes PDF

Release date: July 17, 2024

This CPU release is based on Azul Platform Prime 24.02.202.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_421-b1

11

11.0.23.0.101+2-LTS

17

17.0.11.0.101+3-LTS

21

21.0.3.0.101+4-LTS

What’s New

  • July 2024 CPU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21145

2D

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21131

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21138

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21144

Concurrency

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

11, 8

Note 2

CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

HTTP/2

Yes

8.2

Network

Low

None

None

Unchanged

None

Low

High

None

CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 1

CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

Note 1

Notes:

ID Notes

1

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024

  • Changes to the RootCA Certificates

    Following a trend led by the Mozilla and Chrome browsers regarding CA certificate policies (see this conversation and message for more details), the RootCA GLOBALTRUST 2020 from CA certs has been removed. If this impacts you, you can add the certificate back by running the following command:

     
    keytool -importcert -file <my-crt-file-location> -cacerts -storepass changeit -noprompt -alias <my-alias>

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


24.02.202.0

Release Notes PDF

Release date: July 22, 2024

This release is based on Azul Platform Prime 24.02.200.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_412-b1

11

11.0.23+9-LTS

17

17.0.11+9-LTS

21

21.0.3+9-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


24.02.200.0

Release Notes PDF

Release date: May 27, 2024

This PSU release is based on Azul Platform Prime 24.02.101.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_412-b3

11

11.0.23+9-LTS

17

17.0.11+9-LTS

21

21.0.3+9-LTS

What’s New

  • April 2024 PSU release security fixes.

  • Azul Zing 24.02.200.0 introduces a new command line option, -XX:ThpDisable, which can be used to disable Transparent Huge Pages (THP) in the entire JVM process, even when system THP settings are enabled. When -XX:+ThpDisable is set, THP is turned off, overriding the system default. If ThpDisable is not set manually, the value is inherited from the parent process; typically, the system default.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30278

Introduce Yield calls in New PM


24.02.102.0

Release Notes PDF

Release date: June 19, 2024

This release is based on Azul Platform Prime 24.02.101.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_411-b1

11

11.0.22.0.101+2-LTS

17

17.0.10.0.101+3-LTS

21

21.0.2.0.101+2-LTS

What’s New

  • GC Log Analyzer’s summary page now includes the ID of the current run from Ready Now Orchestrator, listed as Current VM ID.

  • GC Log Analyzer’s info page now includes the container OS along with the node OS.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30972

CPU use and throttling information missing with cgroupsV2


24.02.101.0

Release Notes PDF

Release date: May 16, 2024

This release is based on Azul Platform Prime 24.02.100.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_411-b4

11

11.0.22.0.101+2-LTS

17

17.0.10.0.101+3-LTS

21

21.0.2.0.101+2-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30696

Backport ZULU-61542 to a BPR on Zing 24.02.100 Java 17

ZVM-30695

Backport ZULU-61544 to a BPR on Zing 24.02.100 Java 17

ZVM-30653

Fix stack walker TTSP profiler that collects interpreter frame methods

ZVM-30407

Linear search at LoaderProfileApplicator::has_recorded_load


24.02.100.0

Release Notes PDF

Release date: April 16, 2024

This CPU release is based on Azul Platform Prime 24.02.1.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_411-b5

11

11.0.22.0.101+2-LTS

17

17.0.10.0.101+3-LTS

21

21.0.2.0.101+2-LTS

What’s New

  • April 2024 CPU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-21011

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2024-21012

Networking

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11

Note 1

CVE-2024-21068

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 2

CVE-2024-21085

Concurrency

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

11, 8

Note 2

CVE-2023-41993 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

High

High

None

Note 1

CVE-2024-21892 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

None

No

7.5

Local

High

Low

None

Changed

High

High

None

None

CVE-2024-20954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

CVE-2024-21094 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

CVE-2024-21098 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

None

CVE-2024-21003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

None

CVE-2024-21005 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

None

CVE-2024-21002 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

None

CVE-2024-21004 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


24.02.1.0

Release Notes PDF

Release date: April 10, 2024

This release is based on Azul Platform Prime 24.02.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b2

11

11.0.22+7-LTS

17

17.0.10+7-LTS

21

21.0.2+13-LTS

What’s New

  • In order to establish a better client/server relationship between Zing and Optimizer Hub, Zing now sends its version to Optimizer Hub, making the current version of Zing available and viewable in Optimizer Hub.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30086

Add elapsed time end(s) field to all common log lines in Zing GC log

ZVM-29997

JTReg21 - jdk/test/hotspot/jtreg/vmTestbase/nsk/jdwp/ReferenceType/Instances/instances001/instances001.java crashed due to "C [libjdwp.so+0x2e946] classSignature+0x36"

ZVM-29278

Java21 crashes due to " C [libjdwp.so+0x2d72f] jvmtiAllocate+0x2f"


23.08.402.0

Release Notes PDF

Release date: April 10, 2024

This release is based on Azul Platform Prime 23.08.401.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b2

11

11.0.22+7-LTS

17

17.0.10+7-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29694

The "Compiler Statistics"/"Code Cache Details"/ReadyNow Statistics" graphs do not properly show with latest GCLA


23.08.401.0

Release Notes PDF

Release date: March 13, 2024

This release is based on Azul Platform Prime 23.08.300.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b1

11

11.0.22+7-LTS

17

17.0.10+7-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29694

Chronicle-Queue crashed due to "Error: Safepoint sync time longer than 200000 ms detected when executing Deoptimize."


23.08.400.0

Release Notes PDF

Release date: February 23, 2024

This PSU release is based on Azul Platform Prime 23.08.300.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_402-b1

11

11.0.22+7-LTS

17

17.0.10+7-LTS

What’s New

  • Azul Platform Prime 23.08.400.0 introduces a new option, -XX:FalconAbortCompileWithInstrPattern=<pattern>, which you can use to abort the compilation of methods whose assembly contains the specified pattern. This way you can "exclude" a bad compilation, while still getting its IR/obj dump, even if it’s not the first compilation of that method.

  • Azul Platform Prime 23.08.400.0 includes an improvement to the TTSP profiler to include interpreter frame names and BCI.

  • January 2024 PSU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

17

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

11, 8

Note 2

CVE-2024-20945

Security

None

No

4.7

Local

High

Low

None

Unchanged

High

None

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

3

This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29800

The 'libjvm.so' file is significantly larger in the aarch64 build compared to the x64 build

ZVM-29388

aarch64 builds contain debug symbols - much larger than x64

ZVM-29384

Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance

ZVM-29078

Do not report ConnectedCompiler thread as compiler thread to GC log

ZVM-27809

ZVM crashes with GCC 13 unwinder


23.08.301.0

Release Notes PDF

Release date: February 23, 2024

This PSU release is based on Azul Platform Prime 23.08.300.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_401-b2

11

11.0.21.0.101+2-LTS

17

17.0.9.0.101+2-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-30014

Backport ZVM-29800 to a 23.08.300 build for aarch64

ZVM-29800

The 'libjvm.so' file is significantly larger in the aarch64 build compared to the x64 build


23.08.300.0

Release Notes PDF

Release date: January 16, 2024

This CPU release is based on Azul Platform Prime 23.08.201.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_401-b2

11

11.0.21.0.101+2-LTS

17

17.0.9.0.101+2-LTS

What’s New

  • January 2024 CPU release security fixes.

CVE fixes
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

17

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

11, 8

Note 2

CVE-2024-20945

Security

None

No

4.7

Local

High

Low

None

Unchanged

High

None

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

3

This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


23.08.201.0

Release Notes PDF

Release date: January 10, 2024

This release is based on Azul Platform Prime 23.08.200.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_392-b1

11

11.0.21+8-LTS

17

17.0.9+8-LTS

What’s New

  • Compilation ranking has been disabled in 23.08.x.x stable releases starting from 23.08.201 since, in some cases, the feature can cause some performance issues. You can turn on the feature manually, if needed, with:

     
    -XX:TopTierHotCompileThresholdTriggerMillis=60000 -XX:TopTierWarmCompileThresholdTriggerMillis=600000 -XX:TopTierWarmCompileCpuPercent=25

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29440

VM fails to remove stale hsperfdata files after backport of JDK-8286030

ZVM-19215

Backport JDK-8215451: IsSameObject should not keep objects alive.

ZVM-29388

aarch64 builds contain debug symbols - much larger than x64

ZVM-29314

[Java17+] Improve handling of constantPool entry in klass_at_if_loaded()

ZVM-29280

Record final IR in our crash handler

ZVM-29160

[Falcon] Incorrect exception handling in case of unloaded klass handler


23.08.200.0

Release Notes PDF

Release date: November 20, 2023

This PSU release is based on Azul Platform Prime 23.08.101.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_392-b1

11

11.0.21+8-LTS

17

17.0.9+8-LTS

What’s New

  • October 2023 PSU release security fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


23.08.101.0

Release Notes PDF

Release date: November 2, 2023

This release is based on Azul Platform Prime 23.08.100.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_391-b01

11

11.0.20.1.101+1-LTS

17

17.0.8.1.101+1-LTS

What’s New

  • Internal bug fixes.

  • The starting point of the time period specified by the option CompilerWarmupPeriodSeconds has been updated. Previously, this time period began at the execution of the Main method. But, since pre-Main can have unexpectedly long initializations, the ending point of this time period could become unpredictable. The starting point of this time period has been changed to JVM startup in order to include pre-Main, giving much better predictability of when this time period ends.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-28960

Potential regression in compilation behaviors and times from 23.02.400 to 23.08.01

ZVM-29000

Fix missing files for SelfDiagnosticRunLevel=2

ZVM-28818

Fix check super class access

ZVM-28801

Prime jre17 fails to load management agent

ZVM-28288

Liveness probe failure during high load resulting in SIGTRAP sent to VM


23.08.100.0

Release Notes PDF

Release date: October 17, 2023

This CPU release is based on Azul Platform Prime 23.08.1.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_391-b01

11

11.0.20.1.101+1-LTS

17

17.0.8.1.101+1-LTS

What’s New

  • October 2023 CPU release security fixes.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-22067

CORBA

CORBA

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

8

Note 1

CVE-2023-22081

JSSE

HTTPS

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2023-30589 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

None

CVE-2023-22091 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Compiler

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

CVE-2023-22025 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 3

Notes:

ID Notes

1

This vulnerability can only be exploited by supplying data to APIs in the specified Component, e.g., through a web service.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

3

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2023

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


23.08.1.0

Release Notes PDF

Release date: September 26, 2023

This release is based on Azul Platform Prime 23.08.0.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_382-b2

11

11.0.20.1+1-LTS

17

17.0.8.1+1-LTS

What’s New

  • Internal bug fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-28703

java.lang.UnsupportedOperationException Monitoring of Synchronizer Usage is not supported sun.management.ThreadImpl.findDeadlockedThreads(ThreadImpl.java:411)

ZVM-28639

Debug files/libraries not being excluded from release artifacts

ZVM-28588

weblogic crashed with "assert0(false) failed: [false expected]"


23.02.700.0

Release Notes PDF

Release date: January 16, 2024

This CPU release is based on Azul Platform Prime 23.02.600.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_401-b2

11

11.0.21.0.101+2-LTS

17

17.0.9.0.101+2-LTS

What’s New

  • January 2024 CPU release security fixes.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

17

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

11, 8

Note 2

CVE-2024-20945

Security

None

No

4.7

Local

High

Low

None

Unchanged

High

None

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

3

This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-27809

ZVM crashes with GCC 13 unwinder


23.02.600.0

Release date: November 20, 2023

This PSU release is based on Azul Platform Prime 23.02.501.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_392-b1

11

11.0.21+8-LTS

17

17.0.9+8-LTS

What’s New

  • October 2023 PSU release security fixes.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


23.02.550.0

Release Notes PDF

Release date: March 5, 2024

This release is based on Azul Platform Prime 23.02.501.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_391-b1

11

11.0.20.1.101+1-LTS

17

17.0.8.1.101+1-LTS

What’s New

  • Internal bug fixes

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29694

Chronicle-Queue crashed due to "Error: Safepoint sync time longer than 200000 ms detected when executing Deoptimize."

ZVM-29858

Fuzzer test crash - V [libjvm.so+0x7df40e] java_lang_Class::set_module(oopDesc*, oopDesc*)+0xe


23.02.501.0

Release Notes PDF

Release date: January 8, 2024

This release is based on Azul Platform Prime 23.02.500.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_391-b01

11

11.0.20.1.101+1-LTS

17

17.0.8.1.101+1-LTS

What’s New

  • A new diagnostic command line option has been introduced, -XX:FalconAbortCompileWithInstrPattern=<pattern>, which can be used to apply abortfalcon compile command only if assembly of the compiled method contains the specified pattern. The specified pattern uses regexp syntax.

  • An improvement to the Time to Safepoint (TTSP) profiler has been made to include interpreter frame names and BCI during error reporting in the hs_err file.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-29440

VM fails to remove stale hsperfdata files after backport of JDK-8286030

ZVM-19215

Backport JDK-8215451: IsSameObject should not keep objects alive.

ZVM-29384

Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance

ZVM-29314

[Java17+] Improve handling of constantPool entry in klass_at_if_loaded()

ZVM-29280

Record final IR in our crash handler

ZVM-29160

[Falcon] Incorrect exception handling in case of unloaded klass handler


23.02.500.0

Release Notes PDF

Release date: October 17, 2023

This CPU release is based on Azul Platform Prime 23.02.400.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_391-b01

11

11.0.20.1.101+1-LTS

17

17.0.8.1.101+1-LTS

What’s New

  • October 2023 CPU release security fixes.

CVE fixes

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-22067

CORBA

CORBA

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

8

Note 1

CVE-2023-22081

JSSE

HTTPS

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

21, 17, 11, 8

Note 2

CVE-2023-30589 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

None

CVE-2023-22091 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Compiler

Multiple

Yes

4.8

Network

High

None

None

Unchanged

Low

Low

None

None

CVE-2023-22025 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

None

Note 3

Notes:

ID Notes

1

This vulnerability can only be exploited by supplying data to APIs in the specified Component, e.g., through a web service.

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

3

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2023

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

  • There are no resolved issues associated with this release.


23.02.401.0

Release Notes PDF

Release date: October 12, 2023

This release is based on Azul Platform Prime 23.02.302.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_382-b2

11

11.0.20.1+1-LTS

17

17.0.8.1+1-LTS

What’s New

  • The starting point of the time period specified by the option CompilerWarmupPeriodSeconds has been updated. Previously, this time period began at the execution of the Main method. But, since pre-Main can have unexpectedly long initializations, the ending point of this time period could become unpredictable. The starting point of this time period has been changed to JVM startup in order to include pre-Main, giving much better predictability of when this time period ends.

Known Issues

  • There are no new issues to report in this release.

Resolved Issues

Issue ID Description

ZVM-27506

Turn on JFRDistinguishJITTypes flag by default

ZVM-28818

Fix check super class access

ZVM-28801

Prime jre17 fails to load management agent

ZVM-28588

weblogic crashed with "assert0(false) failed: [false expected]"

ZVM-28144

Exhausting java heap during early VM initialization causes a hang

ZVM-28534

Prevent Falcon optimization of exception-throwing in case PrintStacktraceOnException is specified


23.02.400.0

Release Notes PDF

Release date: August 28, 2023

This PSU release is based on Azul Platform Prime 23.02.302.0 and corresponds to the following OpenJDK versions:

Major Version OpenJDK Version

8

1.8.0_382-b2

11

11.0.20.1+1-LTS

17

17.0.8.1+1-LTS

What’s New

  • ZVision and ZVRobot have been separated from the Azul Platform Prime package due to a known vulnerability in jQuery 1.4.3, which is used in building the ZVision and ZVRobot utilities. At this time, Azul is not aware of any vulnerability in ZVision itself. For this reason, ZVision is still available for download for Azul Platform Prime subscribers at https://ftp.azul.com/releases/Zing/ZVision/ZVTools.zip

  • It is no longer necessary to LD_PRELOAD the libnmt_hooks.so library in order to use extended Native Memory Tracking (NMT). The libnmt_hooks.so library is now linked by default.

  • July 2023 CPU and PSU release security fixes.

CVE fixes

<
CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2023-22041

Hotspot

None

No

5.1

Local

High

None

None

Unchanged

High

None

None

17, 11

Note 1

CVE-2023-22036

Utility

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

17, 11

Note 2

CVE-2023-22049

Libraries

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 11, 8

Note 2

CVE-2023-25193

2D (Harfbuzz)

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

None

Low

17, 11

Note 2

CVE-2023-22006

Networking

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

17, 11

Note 1

CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

None

Note 1

CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Note 2

CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Note 2

CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

GraalVM Compiler

Multiple

Yes

3.7

Network

High

None

None