Disable limit on CNC reconnection attempts
Release Notes of Azul Zing Stream and Stable Builds of OpenJDK
- Latest Stream Build
- Latest Stable Builds
- Previous Stream Builds
- 24.09.0.0
- 24.08.0.0
- 24.07.0.0
- 24.06.0.0
- 24.05.0.0
- 24.04.0.0
- 24.03.0.0
- 24.02.0.0
- 24.01.0.0
- 23.12.0.0
- 23.10.0.0
- 23.09.0.0
- 23.08.0.0
- 23.07.0.0
- 23.06.0.0
- 23.05.0.0
- 23.04.0.0
- 23.03.0.0
- 23.02.0.0
- 23.01.0.0
- 22.12.0.0
- 22.10.0.0
- 22.09.0.0
- 22.08.0.0
- 22.07.1.0
- 22.07.0.0
- 22.06.0.0
- 22.05.0.0
- 22.04.1.0
- 22.04.0.0
- 22.03.0.0
- 22.02.0.0
- 22.01.2.0
- 22.01.1.0
- 22.01.0.0
- 21.12.0.0
- 21.10.1.0
- 21.10.0.0
- 21.09.1.0
- 21.09.0.0
- 21.08.0.0
- 21.07.0.0
- 21.06.0.0
- 21.05.1.0
- 21.05.0.0
- 21.04.0.0
- 21.03.0.0
- 21.02.0.0
- 21.01.0.0
- 20.12.0.0
- 20.10.0.0
- 20.09.1.0
- 20.09.0.0
- 20.08.0.0
- 20.07.0.0
- 20.06.0.0
- 20.05.0.0
- 20.04.0.0
- 20.03.1.0
- 20.03.0.0
- 20.02.1.0
- 20.02.0.0
- 20.01.0.0
- Previous Stable Builds
- 24.08.200.0
- 24.08.102.0
- 24.08.101.0
- 24.08.100.0
- 24.08.1.0
- 24.02.401.0
- 24.02.400.0
- 24.02.302.0
- 24.02.301.0
- 24.02.202.0
- 24.02.200.0
- 24.02.102.0
- 24.02.101.0
- 24.02.100.0
- 24.02.1.0
- 23.08.402.0
- 23.08.401.0
- 23.08.400.0
- 23.08.301.0
- 23.08.300.0
- 23.08.201.0
- 23.08.200.0
- 23.08.101.0
- 23.08.100.0
- 23.08.1.0
- 23.02.700.0
- 23.02.600.0
- 23.02.550.0
- 23.02.501.0
- 23.02.500.0
- 23.02.401.0
- 23.02.400.0
- 23.02.302.0
- 23.02.301.0
- 23.02.300.0
- 23.02.202.0
- 23.02.201.0
- 23.02.200.0
- 23.02.101.0
- 23.02.100.0
- 23.02.2.0
- 23.02.1.0
- 22.08.400.0
- 22.08.301.0
- 22.08.300.0
- 22.08.201.0
- 22.08.200.0
- 22.08.101.0
- 22.08.100.0
- 22.08.1.0
- 22.02.501.0
- 22.02.500.0
- 22.02.401.0
- 22.02.401.0
- 22.02.400.0
- 22.02.300.0
- 22.02.202.0
- 22.02.201.0
- 22.02.200.0
- 22.02.100.0
- 22.02.3.0
- 22.02.2.0
- 22.02.1.0
- 21.08.502.0
- 21.08.501.0
- 21.08.500.0
- 21.08.402.0
- 21.08.401.0
- 21.08.400.0
- 21.08.301.0
- 21.08.300.0
- 21.08.202.0
- 21.08.201.0
- 21.08.200.0
- 21.08.100.0
- 21.08.1.0
- 21.02.500.0
- 21.02.401.0
- 21.02.400.0
- 21.02.300.0
- 21.02.201.0
- 21.02.200.0
- 21.02.100.0
- 21.02.2.0
- 21.02.1.0
- 20.08.501.0
- 20.08.500.0
- 20.08.400.0
- 20.08.300.0
- 20.08.202.0
- 20.08.201.0
- 20.08.200.0
- 20.08.101.0
- 20.08.100.0
- 20.08.2.0
- 20.08.1.0
- 20.02.501.0
- 20.02.500.0
- 20.02.402.0
- 20.02.401.0
- 20.02.400.0
- 20.02.300.0
- 20.02.201.0
- 20.02.200.0
- 20.02.101.0
- 20.02.100.0
- 20.02.1.0
Note
|
This page contains release notes for versions 20.02.1.0 and newer. |
Azul Zing Builds of OpenJDK (Zing) are available in two versions:
-
Stream Builds: Fast-moving monthly releases (end of the month) that include all of the latest features and changes that are part of PSU releases. Free for development and evaluation. Use in production requires an active subscription.
Current latest: 24.10.0.0
-
Stable Builds: Builds that incorporate only CPUs, PSUs, and Azul Platform Prime critical fixes and do not uptake new features and non-critical enhancements from Stream Builds. Stable Builds are our primary vehicle for delivering time-sensitive bug-fixes to customers and are only available to Azul customers.
Current latest: 24.08.201.0 and 24.02.501.0
Latest Stream Build
24.10.0.0
Release date: November 5, 2024
This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.09.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_431-b4 |
11 |
11.0.24.0.101+1-LTS |
17 |
17.0.12.0.101+1-LTS |
21 |
21.0.4.0.101+1-LTS |
What’s New
-
Zing 24.10.0.0 features an update to JVMTI behavior in order to bring it to the modern standard. Previously, a few commercial Java application performance monitoring tools have been reporting too long GC pause times because Zing was reporting non-pausing concurrent GC durations wrongly as GC pauses over JVMTI events
JVMTI_EVENT_GARBAGE_COLLECTION_START
(GarbageCollectionStart) andJVMTI_EVENT_GARBAGE_COLLECTION_FINISH
(GarbageCollectionFinish).The new correct reporting may increase the actual GC pauses slightly if monitoring software attached with -javaagent using JVMTI is active.
-
Zing 24.10.0.0 enables the previously implemented command line option
OptimizeIdentityHashForDistribution
by default. This option implements an optimization to the distribution of identity hash codes. Enabling this option optimizes the protocol for distributing hash codes. Otherwise, some hash table implementations are prone to an unreasonable number of collisions. -
The version of libstdc++ packaged with Zing has been upgraded from libstdc++.so.6.0.24 to libstdc++.so.6.0.32.
-
October 2024 CPU and PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Serialization |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
Multiple |
Yes |
8.1 |
Network |
High |
None |
None |
Unchanged |
High |
High |
High |
None |
|
CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (libxml2) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
Note 1 |
CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 2 |
CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 2 |
CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 2 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024
Resolved Issues
Issue ID | Description |
---|---|
ZVM-31914 |
|
ZVM-32504 |
Crash when multiple threads race to fill the last slot available in VM internal constant table |
ZVM-32164 |
Make sure RN’s initialization order is not affected by parallel application activity |
ZVM-31866 |
ReadyNow threads should not cause OOM |
ZVM-31197 |
Null returned in unixSystem.getUsername() |
Latest Stable Builds
24.08.201.0
Release date: December 2, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.200.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_432-b1 |
11 |
11.0.25+9-LTS |
17 |
17.0.13+11-LTS |
21 |
21.0.5+11-LTS |
Previous Stream Builds
24.09.0.0
Release date: October 3, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_422-b5 |
11 |
11.0.24+8-LTS |
17 |
17.0.12+7-LTS |
21 |
21.0.4+4-LTS |
What’s New
-
Zing 24.09.0.0 increases the maximum code cache supported from 1758 MB to 4 GB. You can now set both
ReservedCodeCacheSize
andInitialCodeCacheSize
to a value up to 4 GB.
-
In case you need to disable Extended Native Memory Tracking (NMT), Zing 24.09.0.0 includes new command line option
UseExtendedNMT
, which you can use to disable Zing’s Extended NMT, andEnableNMTIntegrityChecks
, which you can use to disable checks on allocations. Zing runs in Extended NMT mode and includes integrity checks by default. Using-XX:-UseExtendedNMT
tells Zing to run NMT in a Zulu-like mode. We do not recommend disabling Extended NMT except in very specific cases.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-31884 |
Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode |
ZVM-32021 |
Malformed characters as part of cgroup data in GC log header |
ZVM-31803 |
[Inliner] AlwaysInline can cause code explosion in the inliner |
ZVM-31859 |
Don’t hold JVM lock while performing Falcon context reset |
ZVM-31812 |
Expensive JNI method handle resolution in CompileQueue::scan_for_task may delay application threads |
ZVM-31705 |
Frequent chunk sending re-tries |
24.08.0.0
Release date: August 30, 2024
This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.07.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_422-b5 |
11 |
11.0.24+8-LTS |
17 |
17.0.12+7-LTS |
21 |
21.0.4+4-LTS |
What’s New
-
The command line option
ProfileLogName
has been deprecated and replaced withProfileName
.ProfileName
supports all existing macros available forProfileLogName
. It is still possible to useProfileLogName
, however, we recommend that you update your configuration in order to guarantee that you have access to all of the latest features implemented inProfileName
.Note that using
ProfileName
overridesProfileLogName
,ProfileLogIn
, andProfileLogOut
. -
Zing 24.08.0.0 introduces a new feature to the Falcon compiler called Multi-Tiering. Multi-Tiering allows Falcon to schedule methods for compilation under different optimization levels, based on method hotness.
Multi-Tiering assigns hot and active methods to final-tier compilation and cold or inactive methods to mid-tier compilation. Final-tier uses the default Falcon optimization level (usually Falcon optimization level 2) while Mid-tier uses Falcon optimization level 0.
Enable Multi-Tiering using the command line option
-XX:+UseMultiTiering
.For more information on Multi-Tiering, see Analyzing and Tuning Warm-Up, Using Multiple Compiler Tiers
-
Zing 24.08.0.0 introduces the ability to apply ReadyNow transformations at runtime. This is done using the newly implemented command line options
-XX:ApplyReadyNowTransformations
or-XX:ApplyReadyNowTransformationsFile
. You can specify which transformations are used on which generation of your ReadyNow profiles.A transformation profile can be stored on your machine in yaml format and called using
-XX:ApplyReadyNowTransformationsFile=//path/to/file.yaml
. or you can apply your transformation options directly in the parameters on the command line using-XX:ApplyReadyNowTransformations="\{transformations\:\[\{data: 0\}\]\}"
. -
Zing 24.08.0.0 raises the maximum java heap size (Xmx) supported with non-ZST mode to 14000 GB (14 TB) on Intel Ice Lake and newer x86 processors when 5-level paging (LA57) is enabled at the OS level.
-
Zing 24.08.0.0 handles requests for PrintJNI without safepoint pause, allowing PrintJNI to run concurrently with your VM process.
-
July 2024 PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2D |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
HTTP/2 |
Yes |
8.2 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
High |
None |
|
CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 1 |
CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024
-
Zing 24.08.0.0 introduces a new parameter
PrintGCHeadersGuaranteedIntervalSecs
which can be used to specify a time interval for periodic output of headers in GC log. This helps open partial GC logs in GC log analyzer, for example those pulled from Splunk. -
Zing 24.08.0.0 introduces Periodic NMT logging. With this feature, you can output NMT logs to the NMT output folder periodically. Since periodic NMT logging is a diagnostic feature, you must first unlock diagnostic VM Options using
-XX:+UnlockDiagnosticVMOptions
.To specify the output directory for NMT logs, use
-XX:PrintNMTStatisticsRoot=<dir_name>
. Setting this option enables periodic dumping.To specify the interval for printing the new report to the directory, use
-XX:PrintNMTStatisticsAtIntervalSec=<interval in seconds>
. The default value is 10 sec.Example settings for periodic NMT logging:
java -XX:+UnlockDiagnosticVMOptions -XX:NativeMemoryTracking=summary -XX:PrintNMTStatisticsRoot=nmt -XX:PrintNMTStatisticsAtIntervalSec=20 Main
24.07.0.0
Release date: July 31, 2024
This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 24.06.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_421-b3 |
11 |
11.0.23.0.101+2-LTS |
17 |
17.0.11.0.101+3-LTS |
21 |
21.0.3.0.101+4-LTS |
What’s New
-
Zing 24.07.0.0 implements an intrinsification of the method java.lang.reflect.Array.get, leading to a significant performance improvement in some cases.
-
The logic around InlineTree has been greatly improved. This change allows the decisions reached by inlining to be reconstructed on request, instead of running through the tree with each query which sometimes leads to bloated recursive inlinings.
-
The MXBean PersistentProfileMXBean has been extended with
getReadyNowTier1CompilesRate()
andgetReadyNowTier2CompilesRate()
. These methods allow you to see what percentage of compiles are happening in ReadyNow, when compared to all compiles including non-ReadyNow. -
July 2024 CPU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2D |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
HTTP/2 |
Yes |
8.2 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
High |
None |
|
CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 1 |
CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024
Resolved Issues
Issue ID | Description |
---|---|
ZVM-31343 |
Don’t query cgroup_subsytem_path() unless Cgroup support exists |
ZVM-31328 |
Falcon compilation ends with Stack Memory Failure |
ZVM-31299 |
Port JDK-8175318 from OpenJDK to avoid unnecessary cleaning of JNI handles |
ZVM-31265 |
DebugInfo for cc-compiler-engine.zip is incompatible with the debuginfo shipped with the JDK |
ZVM-31239 |
[CNC] java.lang.Object should be always pre-registered in ProtoUniverse |
ZVM-31238 |
Missing RCD debug symbols for release builds |
ZVM-26110 |
[NMT] Make intercepted allocations honor alignment parameter |
24.06.0.0
Release date: June 28, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.05.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_412-b2 |
11 |
11.0.23+9-LTS |
17 |
17.0.11+9-LTS |
21 |
21.0.3+9-LTS |
What’s New
-
Several methods have been added to Zing MXBean extensions which can request several metrics from a running JVM. The following methods have been added to Zing MXBeans:
MXBean method CompilationMXBean
getTotalOutstandingCompiles()
getTotalPerformedTier1Compiles()
getTotalPerformedTier2Compiles()PersistentProfileMXBean
getVmUnmatchedClassRate()
getProfileClassMatchRate()CompilationMXBean can return the total number of enqueued and in-progress compilations, and can return the total number of tier 1 and tier 2 compilations at the time of request.
PersistentProfileMXBean can return the ratio of matched or unmatched classes to the number of classes loaded in the VM at the time of request.
You can find a general overview of Zing MXBeans in the Zing MXBeans documentation, or a complete description of all Zing MXBeans methods in the Zing MXBeans API documentation or in the Javadocs included in the Zing documentation bundle found on the Zing customer downloads page.
-
GC Log Analyzer’s summary page now includes the ID of the current run from Ready Now Orchestrator, listed as Current VM ID.
-
GC Log Analyzer’s info page now includes the container OS along with the node OS.
-
Azul Zing 24.06.0.0 includes a significant improvement to Zing’s crash handler which allows it to properly generate diagnostic data when Falcon threads reach stack memory failure.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-30813 |
Zing ARM64 reports on start 5.5TB (5632GB) as supported max heapsize |
ZVM-30976 |
Backport JDK-8211061: Tests fail with assert(VM_Version::supports_sse4_1()) on ThreadRipper CPU |
ZVM-30975 |
Backport JDK-8194494: SHA-512 stub uses AVX 2 instructions on non-supporting CPUs |
ZVM-30972 |
CPU use and throttling information missing with cgroupsV2 |
ZVM-30233 |
Properly categorize RN memory allocations |
24.05.0.0
Release date: May 31, 2024
This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.04.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_412-b4 |
11 |
11.0.23+9-LTS |
17 |
17.0.11+9-LTS |
21 |
21.0.3+9-LTS |
What’s New
-
April 2024 PSU release security fixes.
-
The default value of
-XX:ProfileStartupLimitInSeconds
has changed from60
to0
. This follows from a previous change where0
was changed from "infinite" to actually 0 seconds. For more information onProfileStartupLimitInSeconds
, see Command Line Options, Advanced Miscellaneous Options. -
Azul Zing 24.05.0.0 implements some behavioral changes to the command line option
VMFootprintLevel
. In order to reduce memory footprint, malloc arenas now use half the number of CPU cores when setting a non-default value ofVMFootprintLevel
;L
,M
, orS
-
The minimum value supported for Xms (initial heap size) was lowered drastically from 512 MB to 128 MB. Previously, the minimum supported Xms was 512 MB. The minimum supported Xmx (maximum heap size) remains unchanged at 512 MB. The purpose of this change is to reduce memory consumption from small utility processes which don’t require a high amount of memory.
NoteIn case Xms and Xmx are set to the same value, while setting Xms somewhere between 128 MB and 512 MB, both values are rounded up to 512 MB in order to satisfy the minimum allowable Xmx. -
Azul Zing 24.05.0.0 introduces a new command line option,
-XX:ThpDisable
, which can be used to disable Transparent Huge Pages (THP) in the entire JVM process, even when system THP settings are enabled. When-XX:+ThpDisable
is set, THP is turned off, overriding the system default. -
Azul Zing 24.05.0.0 is now able to collect Falcon diagnostics during OOM (Out of memory) errors.
-
Thread-local backoff for secondary_super_cache updates has been ported from OpenJDK, based on JDK-8316180 and is disabled by default. To enable this feature, use the option
-XX:SecondarySuperMissBackoff=1000
. -
A new command line option,
OptimizeIdentityHashForDistribution
has been introduced in Zing 24.05.0.0. This option enables an alternate implementation for System.identityHashCode() which provides better distribution of objects at the cost of making the identity hash calculation itself slower. This option is disabled by default and can be enabled using-XX:+OptimizeIdentityHashForDistribution
.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-30696 |
Backport ZULU-61542 to a BPR on Zing 24.02.100 Java 17 |
ZVM-30695 |
Backport ZULU-61544 to a BPR on Zing 24.02.100 Java 17 |
ZVM-30653 |
Fix stack walker TTSP profiler that collects interpreter frame methods |
ZVM-30566 |
Local queue is not cleared when local fallback is disabled |
ZVM-30407 |
Linear search at LoaderProfileApplicator::has_recorded_load |
24.04.0.0
Release date: April 30, 2024
This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 24.03.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_411-b3 |
11 |
11.0.22.0.101+2-LTS |
17 |
17.0.10.0.101+3-LTS |
21 |
21.0.2.0.101+2-LTS |
What’s New
-
Zing 24.04.0.0 implements a new command line option,
MallocArenaMax
, which is used to define the maximum amount of memory pools available for glibc. The default value is0
. -
The command line option
UseDefensiveHeapShrinking
is now disabled by default in cgroups where memory limiting is set. You can disable this option manually by using-XX:-UseDefensiveHeapShrinking
. For more information about defensive heap shrinking, see Command Line Options, Defensive Heap Shrinking. -
Zing 24.04.0.0 implements a more efficient way to encode deopt bundles, improving system performance.
-
Prime JIT compilation logs (LogCompilation) are now fully supported for JITWatch for Zing.
-
April 2024 CPU and PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 2 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2023-41993 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-21892 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
None |
No |
7.5 |
Local |
High |
Low |
None |
Changed |
High |
High |
None |
None |
|
CVE-2024-20954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
CVE-2024-21094 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21098 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
None |
|
CVE-2024-21003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21005 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21002 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21004 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2024
24.03.0.0
Release date: April 3, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.02.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b3 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
21 |
21.0.2+13-LTS |
What’s New
-
In order to establish a better client/server relationship between Zing and Optimizer Hub, Zing now sends its version to Optimizer Hub, making the current version of Zing available and viewable in Optimizer Hub.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-30054 |
The "Compiler Statistics"/"Code Cache Details"/ReadyNow Statistics" graphs do not properly show with latest GCLA |
ZVM-29997 |
JTReg21 - jdk/test/hotspot/jtreg/vmTestbase/nsk/jdwp/ReferenceType/Instances/instances001/instances001.java crashed due to "C [libjdwp.so+0x2e946] classSignature+0x36" |
ZVM-29278 |
Java21 crashes due to " C [libjdwp.so+0x2d72f] jvmtiAllocate+0x2f" |
ZVM-29277 |
Java21 crashes due to "C [libjdwp.so+0x2b734] debugMonitorEnter+0x24" |
24.02.0.0
Release date: March 13, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.01.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b6 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
21 |
21.0.2+13-LTS |
What’s New
-
Zing 24.02.0.0 includes new options for defensive heap shrinking. Defensive heap shrinking dynamically reduces committed Java heap in order to avoid Out-of-memory (OOM) errors in container environments, which ordinarily lead to OOM kills and crashes.
You can enable defensive heap shrinking using the flag
-XX:+UseDefensiveHeapShrinking
. See Command Line Options, Defensive Heap Shrinking for more information on tuning this option:Specifying
VMFootprintLevel
enablesUseDefensiveHeapShrinking
by default. -
The C2 Compiler SeaOfNodesC2 has been deprecated in Zing 24.02.0.0. When you use the option
-XX:+UseC2
, the JVM uses KestrelC2 for C2 compilation. -
The command line option
UseOptimizedThreadLookup
has been disabled by default due to its impact on virtual and physical memory consumption in some cases. This change can negatively effect the lookup times of threads such as with jmm_getThreadCpuTimeWithKind(). The optimization can be turned back on by default with-XX:+UseOptimizedThreadLookup
. -
Zing 24.02.0.0 implements a significant improvement to code cache segmentation. This improvement makes code cache segmentation elastic instead of fully committing the entire segment, greatly reducing the amount of wasted memory from code cache segmentation.
-
Following up from our previous deprecation of ZVision and ZVRobot components in Zing 23.08.0.0, we have now removed ZVision and ZVRobot components completely in Zing 24.02.0.0. This means that you are no longer able to use ZVision and ZVRobot with Zing. We recommend using Java Flight Recorder and Azul Mission Control for recording and viewing performance metrics for your JVM.
-
Zing 24.02.0.0 includes support for Optimizer Hub (formerly Cloud Native Compiler) on ARM64 system architecture.
-
The compilation ranking feature has been enabled again by default. Compilation ranking was disabled in Zing 23.08.201.0 due to performance issues in particular cases. If you are upgrading from a previous stream release, there is no change in behavior.
24.01.0.0
Release date: January 31, 2024
This release is based on Azul Platform Prime 23.12.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b3 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
21 |
21.0.2+13-MTS |
What’s New
-
From Azul Platform Prime 24.01.0.0, the garbage collector’s (GC) CPU usage is logged by default. Previously, you had to use the option
-XX+:PrintGCDetails
. You can view these metrics now by default in GC Log Analyzer in the GC CPU Usage graph. GC CPU Usage is split into 3 metrics, "marking CPU usage," "relocation CPU usage," and "fixup pass," which appear as "New GC Mark," "New GC Reloc," and "New GC Fixup" in the GC CPU Usage graph. -
Azul Platform Prime 24.01.0.0 includes a new lightweight, fully functional distribution of the Java Runtime Environment (JRE) for Java 8, 11, 17 and 21. The new Java JREs saves a significant amount of space by removing various debugging options and developer options. The Azul Platform Prime Builds of JRE still fully supports Optimizer Hub and Azul Vulnerability Detection (AVD).
-
Azul Platform Prime 24.01.0.0 introduces a small but significant change to the behavior of
-XX:ProfileStartupLimitInSeconds
. Now, when you set this option to0
, it means 0 seconds. Previously, if you set this flag to0
, it would be interpreted as "infinite". You can still specify "infinite" by using any negative number, for example-1
. The default behavior without setting this option remains the same, i.e. the default remains60
. -
January 2024 CPU and PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17 |
Note 1 |
|
Security |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
21, 17, 11, 8 |
Note 3 |
|
Scripting |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8 |
Note 2 |
|
Security |
None |
No |
4.7 |
Local |
High |
Low |
None |
Unchanged |
High |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
Low |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 2 |
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 2 |
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024
Resolved Issues
Issue ID | Description |
---|---|
ZVM-29440 |
VM fails to remove stale hsperfdata files after backport of JDK-8286030 |
ZVM-19215 |
Backport JDK-8215451: IsSameObject should not keep objects alive. |
ZVM-29526 |
[JCK-runtime-21] JCK test crashed api/javax_net/ssl/SSLSocket/Description.html with V [libjvm.so+0x6339b8] void GPGC_MarkAlgorithm::drain_stacks(GPGC_GCManagerOldStrong*)+0x638 |
ZVM-29388 |
aarch64 builds contain debug symbols - much larger than x64 |
ZVM-29384 |
Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance |
ZVM-4337 |
[JVMTI] Zing does not provide inlining data on CompiledMethodLoad |
23.12.0.0
Release date: December 15, 2023
This release is based on Azul Platform Prime 23.10.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_392-b3 |
11 |
11.0.21+8-LTS |
17 |
17.0.9+8-LTS |
21 |
21.0.1+11-MTS |
What’s New
-
Azul platform Prime 23.12.0.0 includes several performance fixes including improvements to handling of arrays such as ArraysFill and ArrayCopy.
-
More concise logging of the Compilation Ranking feature has been implemented in order to better asses the behavior and impact of this feature. This applies to Falcon compilations only. Newly collected data has been added to the pre-existing charts in GC Log Analyzer, Compiler Statistics > Compiler Queues and Compiler Statistic > Tier 2 Compiler Counts. Newly collected and viewable data includes the following:
-
The total number of hot and warm methods which have made it to the compile queue, split from the total number of methods.
-
The total number of hot and warm methods which have begun compilation, split from the total number of methods.
-
The total number of methods which were not promoted to the compiler queue due to being identified as cold methods. These are methods which have reached the compile threshold, but not quickly enough to be considered warm or hot methods.
-
23.10.0.0
Release date: November 2, 2023
This PSU release is based on Azul Platform Prime 23.09.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_392-b3 |
11 |
11.0.21+8-LTS |
17 |
17.0.9+8-LTS |
21 |
21.0.1+11-MTS |
What’s New
-
Zing 23.10.0.0 contains the General Availability (GA) release of Azul Prime Builds of OpenJDK 21.
-
October 2023 CPU and PSU release security fixes, including CPU and PSU fixes for Azul Prime Builds of OpenJDK 21.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CORBA |
CORBA |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
8 |
Note 1 |
|
JSSE |
HTTPS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
CVE-2023-30589 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
None |
|
CVE-2023-22091 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Compiler |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
|
CVE-2023-22025 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 3 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component, e.g., through a web service. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
3 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2023
23.09.0.0
Release date: September 29, 2023
This release is based on Azul Platform Prime 23.08.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_382-b2 |
11 |
11.0.20.1+1-LTS |
17 |
17.0.8.1+1-LTS |
What’s New
-
A new option,
GPGCSafepointWaitForMutatorResume
, has been introduced and is set totrue
by default. This flag tells the Garbage Collector to pause and wait for mutator threads to be woken up before resuming, after every GC safepoint. If-XX:-GPGCSafepointWaitForMutatorResume
is set, the Garbage Collector resumes its work in parallel with mutator threads waking up.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-28703 |
java.lang.UnsupportedOperationException Monitoring of Synchronizer Usage is not supported sun.management.ThreadImpl.findDeadlockedThreads(ThreadImpl.java:411) |
ZVM-28639 |
Debug files/libraries not being excluded from release artifacts |
ZVM-28588 |
weblogic crashed with "assert0(false) failed: [false expected]" |
23.08.0.0
Release date: September 11, 2023
This release is based on Azul Platform Prime 23.07.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_382-b2 |
11 |
11.0.20.1+1-LTS |
17 |
17.0.8.1+1-LTS |
What’s New
-
Compilation ranks by priority, which allows the JVM to assign compilation ranks to methods, has been introduced to Azul Platform Prime 23.08.0.0. This allows the Falcon compiler to assign ranks, hot, warm, or cold, to methods in order to prioritize system resources to methods depending on their hotness. The value of compilation ranking is that compiler activity is optimized later in an application run, not only reducing system load and freeing up resources for the running application but also reducing application outliers.
For more information on compilation ranks, see Analyzing and Tuning Warmup. For newly added options, see Command Line Options.
-
As of Azul Platform Prime 23.08.0.0, ZVision and ZVRobot components have been deprecated and are no longer actively developed. While we still support these components, we encourage users to switch to Java Flight Recorder, as ZVision and ZVRobot are planned for End-of-Life with Azul Platform Prime 24.02.0.0.
-
Support for the latest features in Optimizer Hub (formerly Cloud Native Compiler) 1.8.0. As Cloud Native Compiler expands its scope to offer more functionality than just offloading compilations, it is time to rebrand the offering to better reflect what it does. Starting with release 1.8, we are using the following naming:
-
Optimizer Hub (was Cloud Native Compiler) - The name of the overall component that you install on your Kubernetes cluster.
-
Cloud Native Compiler (was Compiler Service) - The feature that performs the compilation on Optimizer Hub.
-
ReadyNow Orchestrator (was Profile Log Service) - The feature that records and serves ReadyNow profiles to JVMs.
-
-
In Optimizer Hub 1.8, all major artifacts and command line switches use the updated branding. This includes, but is not limited to:
-
Command-line JVM options to configure Cloud Native Compiler and ReadyNow Orchestrator. See Command Line Options.
-
Helm repository locations, names, and parameter names: github.com/AzulSystems/opthub-helm-charts.
If you are using release 1.7 and earlier, all of the previous spellings of artifacts still work. Additionally, all of the pre-1.8 command-line arguments will continue to work for a period of one year from the release of 1.8.
-
-
The command line option
PreferContainerQuotaForVMInternalCPUCount
has been set totrue
by default in order to make calculations of internal thread counts, as well as budgeting options, more clear in container environments.In container environments where both CPU shares and CPU quota are specified, such as with Kubernetes where these are commonly specified, the VM now uses quota to calculate compiler and GC thread counts. Prior to Azul Platform Prime 23.08, it was using half of quota for the calculation.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-28301 |
Fix java_lang_String::hash_code |
ZVM-28262 |
Remove default RSS cap for ProfileLogIn |
ZVM-28242 |
JFR profiler does not collect stack traces |
ZVM-28144 |
Exhausting java heap during early VM initialization causes a hang |
ZVM-28121 |
JFR is not collecting jdk.ExecutionSample events on ARM |
ZVM-27536 |
Enable per-thread CPU utilisation data collection in SelfDiagnosticRunLevel=3 |
23.07.0.0
Release date: July 31, 2023
This PSU release is based on Azul Platform Prime 23.06.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_382-b5 |
11 |
11.0.20+8-LTS |
17 |
17.0.8+7-LTS |
What’s New
-
ZVision and ZVRobot have been separated from the Azul Platform Prime package due to a known vulnerability in jQuery 1.4.3, which is used in building the ZVision and ZVRobot utilities. At this time, Azul is not aware of any vulnerability in ZVision itself. For this reason, ZVision is still available for download for Azul Platform Prime subscribers at https://ftp.azul.com/releases/Zing/ZVision/ZVTools.zip
-
The command line option
-XX:CompileCommand
has been updated to useFalconCompileThreshold
.This option is used in the following way:
-XX:CompileCommand="option,<Class>::<method>,FalconCompileThreshold=<threshold value>"
-
July 2023 CPU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hotspot |
None |
No |
5.1 |
Local |
High |
None |
None |
Unchanged |
High |
None |
None |
17, 11 |
Note 1 |
|
Utility |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
17, 11 |
Note 2 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 2 |
|
2D (Harfbuzz) |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
17, 11 |
Note 2 |
|
Networking |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
17, 11 |
Note 1 |
|
CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
None |
Note 1 |
CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
Note 2 |
CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
Note 2 |
CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
GraalVM Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2023
23.06.0.0
Release date: June 30, 2023
This release is based on Azul Platform Prime 23.05.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_372-b2 |
11 |
11.0.19+7-LTS |
17 |
17.0.7+7-LTS |
What’s New
-
A new option,
C2CompileThreshold
, has been added. This option allows the C2 compile threshold to be specified for individual methods. This option was introduced because some methods that are rarely called are still important and need to undergo regular optimization. This is set using-XX:CompileCommand
in the following way:-XX:CompileCommand="option,<Class>::<method>,C2CompileThreshold=<threshold>"
-
The maximum supported code cache size has been increased to 1758 MB when
AllocCodeCacheInLower2G
is disabled using-XX:-AllocCodeCacheInLower2G
. -
It is no longer necessary to LD_PRELOAD the libnmt_hooks.so library in order to use extended Native Memory Tracking (NMT). The libnmt_hooks.so library is now linked by default.
-
Using Java Flight Recorder, you can now see exact JIT name for each stacktrace frame in Azul Mission Control in the Method Profiling tab. This uses the option
JFRDistinguishJITTypes
, which is set totrue
by default, and shows either C1, C2, or Falcon for each stacktrace frame. WithJFRDistinguishJITTypes
set tofalse
, it shows JIT compiled.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-27634 |
Unify Prime’s "java.vendor" with Zulu |
ZVM-27514 |
High JFRCheckpoint pauses seen on Prime |
ZVM-27506 |
Turn on JFRDistinguishJITTypes flag by default |
ZVM-27424 |
Prime 11+ doesn’t throw IncompatibleClassChangeError in instanceKlass::method_at_itable |
ZVM-27785 |
Fix segmentation fault on StubRoutines::stringIndexOf |
ZVM-27675 |
Prohibit inlining for methods with invalid method ID |
ZVM-27624 |
Disable RSS workaround only once use of large pages are confirmed |
ZVM-27388 |
objSizes.jar application crashes with "assert(m->is_abstract()) failed: should be public and abstract" in fastdebug mode |
ZVM-27549 |
Avoid native method calls from VM.java class |
23.05.0.0
Release date: May 31, 2023
This release is based on Azul Platform Prime 23.04.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_372-b2 |
11 |
11.0.19+7-LTS |
17 |
17.0.7+7-LTS |
What’s New
-
Some Falcon CPU Budgeting options have been renamed according to the following table:
Changed from: Changed to: CompilerTier2BudgetingThreadsPercent
CompilerTier2BudgetingCPUPercent
CompilerTier2BudgetingWarmupThreadsPercent
CompilerTier2BudgetingWarmupCPUPercent
CompilerTier2BudgetMaxMs
CompilerTier2BudgetWindowDurationMs
For more information on Falcon CPU Budgeting options, see Command Line Options, CPU Budgeting Options
-
The command line option
UseTrueObjectsForUnsafe
has been set totrue
by default. This option forces unsafe objects to be returned in their true object form instead of the equivalent java class object. For example, withUseTrueObjectsForUnsafe
disabled, java.lang.Class can be returned instead of the true klassOop. -
Azul Platform Prime 23.05.0.0 includes several performance optimizations including many intrinsic functions implemented in the Falcon compiler.
23.04.0.0
Release date: April 28, 2023
This PSU release is based on Azul Platform Prime 23.03.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_372-b2 |
11 |
11.0.19+7-LTS |
17 |
17.0.7+7-LTS |
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JSSE |
TLS |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
17, 11, 8 |
Note 1 |
|
JSSE |
HTTPS |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
None |
High |
17, 11, 8 |
Note 1 |
|
Swing |
HTTP |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 1 |
|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 1 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 2 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 1 |
|
CVE-2023-21954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 1 |
CVE-2023-21986 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Native Image |
None |
No |
5.7 |
Local |
Low |
None |
None |
Changed |
None |
Low |
Low |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2023
-
Cloud Native Compiler (CNC) 1.7 client support.
-
The command line option,
AllocCodeCacheInLower2G
, is now supported on the AArch64 system architecture, which is set totrue
by default. This option allocates code cache and related data structures at virtual address within 2 GB. To allow allocation to higher memory addresses, use-XX:-AllocCodeCacheinLower2G
. -
A new command line option,
GPGCCommitInitialHeapLazily
, has been introduced, which is set tofalse
by default. When enabled, this option prevents the whole of the initial heap size,InitialHeapSize
or-Xms
, from being committed from the OS upfront.With this option enabled, use the option
GPGCLazyInitialHeapCommitPercent
to specify how much of Xms shall be committed from the OS upfront, at startup. The default value forGPGCLazyInitialHeapCommitPercent
is50
. The remainder gets committed based on regular elastic heap heuristics. -
The command line option
InitialHeapSize
is now incorporated in Azul Platform Prime in order to keep compatibility with OpenJDK.InitialHeapSize
can be used instead of-Xms<size>
on the command line.
Note
|
The command line argument MaxHeapSize can also be used instead of -Xmx<size>
|
23.03.0.0
Release date: March 31, 2023
This release is based on Azul Platform Prime 23.02.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_362-b2 |
11 |
11.0.18+10-LTS |
13 |
13.0.14+5-MTS |
15 |
15.0.10+5-MTS |
17 |
17.0.6+10-LTS |
19 |
19.0.2+7-MTS |
What’s New
-
Included in this release are the final set of JDK versions 13, 15 and 19. The next release will no longer contain these versions. Starting from 23.04.0.0, stream releases will include only JDK 8, 11, and 17. Starting from 23.02.100.0, stable releases will only include JDK 8, 11, and 17 CPU/PSU builds.
-
Oracle Linux (Centos 7.9) ARM is supported from Azul Platform Prime version 22.03.0.0.
-
The Command Line Option
GPGCUseAllocationPacing
has been disabled by default. -
The Command Line Option
CNCForceLocalCompiler
has been deprecated and replaced with the new optionCNCEnableRemoteCompiler
.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-26650 |
Transform head of _freeThreads to a tagged reference to avoid ABA problems |
ZVM-26648 |
Missing tag update in HeapRefBufferList::grab() |
ZVM-26387 |
[Alpine] Failed to bundle core from alpine container |
ZVM-26245 |
jlink on Prime converts library symlinks to files and increase the total size by 87MB |
23.02.0.0
Release date: March 1, 2023
This release is based on Azul Platform Prime 23.01.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_362-b2 |
11 |
11.0.18+10-LTS |
13 |
13.0.14+5-MTS |
15 |
15.0.10+5-MTS |
17 |
17.0.6+10-LTS |
19 |
19.0.2+7-MTS |
Note
|
Version 1 of the GC Log Analyzer has reached its end-of-life and has been replaced with Version 2 of the GC Log Analyzer. GC Log Analyzer 2 is included in Zing packages and can be found at <installdir>/etc/GCLogAnalyzer2.jar . The latest version of GC Log Analyzer is also available for download at https://docs.azul.com/prime/gcla/about-gcla.
|
What’s New
-
Zing 23.02.0.0 contains the General Availability (GA) release of Azul Prime Builds of OpenJDK 19 for x86_64 systems.
-
Cloud Native Compiler (CNC) 1.6.1 client support.
-
NativeMemoryTracking has been extended with further Falcon tracking support.
To enable "extended tracking," set
LD_PRELOAD=$JAVA_HOME/etc/zing/lib/libnmt_hooks.so
in addition to regular NMT flags which are described in Native Memory Tracking Options and in the Oracle documentation. -
Zing 23.02.0.0 introduces new CPU budgeting features for the Falcon Tier 2 compiler. CPU Budgeting tells the Tier 2 compiler when to run and how many CPU threads to use, pre and post warmup.
With these new features, it is possible to specify allocated threads as a percent, meaning the compiler and the running application can share resources, resulting in less pauses and more stability for the running application. Previously, only whole numbers of threads could be allocated.
To enable these new features, use the argument
-XX:+EnableTier2CompilerBudgeting
.New Falcon CPU Budgeting features are listed in Command Line Options, CPU Budgeting Options
-
A new command line option,
AllocCodeCacheInLower2G
has been introduced and is set totrue
by default. This option allocates code cache and related data structures at virtual address within 2 GB. To allow allocation to higher memory addresses, use-XX:-AllocCodeCacheinLower2G
. This option is only available for x86_64 systems. -
Lower GC pauses with JVMTI - JVMTI tag map clearing has been moved outside of safepoint pause by default. This is set by the command line argument
ConcurrentJVMTITagMapClearing
and is set totrue
by default. -
Falcon improvement - Register allocation enhancement that improves code generation for derived pointers around GC safepoints. This allows derived pointers to rematerialize immediately before their use instead of after every safepoint. This is beneficial when a pointer is live across many statepoints but has few uses.
-
Allocation publication barrier optimizations for AArch64 in Falcon. Testing has yielded up to an 8.5% performance improvement from this optimization.
-
The output format for
-Xlog:safepoint
has been changed to match OpenJDK for JDK13 and above.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-26265 |
Add jcmd, jmap, jps, jstack tools to jdk8 jre tar.gz |
ZVM-25703 |
backport JDK-8297028 (UseContainerCpuShares ) missing for Prime Java 8 Jan 2023 (Oracle 8u361 equivalent) |
ZVM-26144 |
attaching agent generates error: Skipping cleaning of inline cache |
ZVM-25902 |
ProfilePersistCodeProfilesOnUncommonTraps may introduce a significant overhead |
ZVM-25844 |
Tune FalconContextReset to lower value - Resolution: Reset frequency is chosen using an ergonomics heuristic. There is no need to tune the default value. |
ZVM-25437 |
jdk/test/hotspot/jtreg/serviceability/jvmti/RedefineClasses/RedefinePreviousVersions.java failed with "java.lang.RuntimeException: 'Class unloading: has_previous_versions = false' missing from stdout/stderr" |
ZVM-22464 |
JTreg crashed with JvmtiEnvBase::get_stack_trace |
ZVM-26017 |
-Xlog:safepoint output format differs between Zing 17 and OpenJDK 17 |
23.01.0.0
Release date: January 31, 2023
This PSU release is based on Azul Platform Prime 22.12.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_362-b3 |
11 |
11.0.18+10-LTS |
13 |
13.0.14+5-MTS |
15 |
15.0.10+5-MTS |
17 |
17.0.6+10-LTS |
Note
|
Version 1 of the GC Log Analyzer has reached its end-of-life and has been replaced with Version 2 of the GC Log Analyzer. GC Log Analyzer 2 is included in Zing packages and can be found at <installdir>/etc/GCLogAnalyzer2.jar . The latest version of GC Log Analyzer is also available for download at https://docs.azul.com/prime/gcla/about-gcla.
|
What’s New
-
January 2023 CPU and PSU release security fixes.
-
Cloud Native Compiler (CNC) 1.6 client support.
-
You can now read and write ReadyNow profile logs to Cloud Native Compiler. This simplifies getting ReadyNow profile logs in and out of containers and other environments without persistent storage.
-
Compile stashing has been disabled by default, even when using ReadyNow.
Existing ReadyNow users that want to maintain the same compile stashing behavior as in earlier releases should ensure the
-XX:+FalconUseCompileStashing
flag is set.Users who wish to use compile stashing with the new Profile Log Service must ensure both
+FalconUseCompileStashing
and+CNCEnableRemoteCompiler
flags are set. -
FalconContextReset is now set using ergonomics heuristic based on the number of Falcon compiler threads, unless specified explicitly. Falcon compiler threads reset the internal caches after every
FalconContextReset
number of compilations. This is a tradeoff between compilation speed and memory consumption. The more often the caches are reset, the less memory is consumed but more time is spent rebuilding the caches.Currently, the value of
FalconContextReset
is chosen asFalconContextResetFactor=<number of Falcon threads>
nested betweenFalconContextResetLowerLimit
andFalconContextResetUpperLimit
.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Serialization |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
8 |
|
|
JSSE |
DTLS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11 |
|
|
Sound |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 15, 13, 11, 8 |
|
|
CVE-2022-43548 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Node (Node.js) |
HTTPS |
Yes |
8.1 |
Network |
High |
None |
None |
Unchanged |
High |
High |
High |
None |
|
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2023
22.12.0.0
Release date: December 19, 2022
This release is based on Azul Platform Prime 22.10.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_352-b2 |
11 |
11.0.17+8 |
13 |
13.0.13+5 |
15 |
15.0.9+5 |
17 |
17.0.5+8 |
Note
|
Version 1 of the GC Log Analyzer has reached its end-of-life and has been replaced with Version 2 of the GC Log Analyzer. GC Log Analyzer 2 is included in Zing packages and can be found at <installdir>/etc/GCLogAnalyzer2.jar . The latest version of GC Log Analyzer 2 is also available for download at https://docs.azul.com/prime/gcla/about-gcla.
|
What’s New
-
Zing 22.12.0.0, through various changed and updates, has been able to achieve 10% lower GC CPU usage on Cassandra.
-
Zing 22.12.0.0 lowers the amount of GC pauses with hidden classes.
-
Falcon has been improved for Jackson as well as other optimizations to the Falcon JIT compiler.
-
New JMX MXBean metrics replace old metric name below java.lang.GarbageCollector to increase accuracy for GC monitoring added with JDK-8265136: Previously, metric "GPGC New/Old" was providing a sum of GC pauses and concurrent GC duration. This metric is replaced by the following:
-
GPGC New/Old Cycles: duration time in ms of the concurrent GC which runs in parallel to application threads and is not stopping the application.
-
GPGC New/Old Pauses: GC pause time in ms.
-
On Java 11 and 17, the new metrics are enabled by default and the old removed. If you need to switch back to the old metric, add -XX:+GPGCReportLegacyGarbageCollectorMXBean
.
On Java 8, only the old metric is active by default. To switch to the new metric add -XX:-GPGCReportLegacyGarbageCollectorMXBean
.
22.10.0.0
Release date: October 31, 2022
This CPU/PSU release is based on Azul Platform Prime 22.09.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u352-b08 |
11 |
11.0.17+8 |
13 |
13.0.13+5 |
15 |
15.0.9+5 |
17 |
17.0.5+8 |
What’s New
-
October 2022 CPU and PSU release security fixes
-
Compatibility with Cloud Native Compiler (CNC) version 1.5
-
Support for the GA release of Azul Vulnerability Detection (AVD).
-
Changes for containers regarding thread pool size calculation and number of available CPUs.
With the October 2022 release of Java 11 and 17, the default calculation of available CPU cores will change, following JDK-8281181. Previously, the number of available CPU cores was in some situations calculated based on the lower bound defined in the environment. With the change in this release, the lower bound won’t be used anymore and the calculation will only be based on the upper limit of the environment. If in container-based systems no upper limit is defined, the total number of CPUs on the host machine is read as upper limit.
A situation where a change will occur is, for example, a Kubernetes container where neither CPU requests nor CPU Limits are set, as previously the JVM would select only 1 CPU core as available in this situation while after the chance, it will select all available CPU cores of the environment which can lead to higher resource usage as thread pools of various open source frameworks are using this calculation for sizing. To verify if your systems are effect, check especially those where no upper limit is defined.
In case you need to switch back to the previous calculation, add
-XX:+UseContainerCpuShares
to the Java command line.Other terms used in the context of CPU definitions are for lower bound "CPU Requests" or "cgroups cpu.shares", and for upper limit "CPU Limits" or "cgroups cpu.cfs_quota_us".
When both quota and shares are specified for a cgroup and
UseContainerCpuShares
istrue
, the number of GC and compiler threads are derived based on a total processor count calculated as(quota+shares)/2
. WhenUseContainerCpuShares
isfalse
the number is derived based on a total processor count calculated as(quota/2)
.To check the current setting, for example, to compare previous and current Java versions in your environment, use the following example to display the actual number of CPUs as seen by application code and run it inside your container environment:
File AvailableCPUs.java:
public class AvailableCPUs { public static void main(String[] args) { System.out.println("CPUs: " + Runtime.getRuntime().availableProcessors()); } }To run it:
java -showversion AvailableCPUs.java
22.09.0.0
Release date: September 30, 2022
This release is based on Azul Platform Prime 22.08.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u345 |
11 |
11.0.16.1+1 |
13 |
13.0.12+4 |
15 |
15.0.8+4 |
17 |
17.0.4.1+1 |
What’s New
-
Internal bug fixes.
-
Improved accuracy of RSS metric reported in GC log (C heap usage). With this improvement, the reported memory usage in GC log will give more accurate results.
-
The Allocation Pacing feature is turned on by default in non-ZST mode. This will help reduce peak allocation delays while introducing smaller delays into allocation paths as heap usage approaches the total Java heap committed. To turn off the feature use
-XX:-GPGCUseAllocationPacing
.
22.08.0.0
Release date: August 30, 2022
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u345 |
11 |
11.0.16.1+1 |
13 |
13.0.12+4 |
15 |
15.0.8+4 |
17 |
17.0.4.1+1 |
What’s New
-
Internal bug fixes.
-
ZVM-24576 - New feature, Allocation Pacing, to help protect against long allocation delays. When enabled, the virtual machine adds smooth delays to allocations as the heap usage approaches the maximum. This new feature helps prevent long allocation delays caused by memory exhaustion and helps the garbage collector keep up. To enable the feature, use -XX:+GPGCUseAllocationPacing, available in non-ZST mode only.
-
ZVM-24277 - Implemented StringUTF16.compress
Resolved Issues
Issue ID | Description |
---|---|
ZVM-24429 |
Using Xlog:safepoint could cause long pauses under I/O contention |
ZVM-24614 |
PrintCodeCacheMap could cause application crash at exit time. |
ZVM-24455 |
LockOpt::eliminateNestedLock could sometimes add an invalid/stale value to the deopt bundle which could potentially lead to crashes. |
22.07.1.0
Release date: August 9, 2022
This release is based on Azul Platform Prime 22.07.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u345 |
11 |
11.0.16 |
13 |
13.0.12 |
15 |
15.0.8 |
17 |
17.0.4 |
22.07.0.0
Release date: July 29, 2022
This PSU release is based on Azul Platform Prime 22.06.0.0 and 22.02.300.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u342 |
11 |
11.0.16 |
13 |
13.0.12 |
15 |
15.0.8 |
17 |
17.0.4 |
What’s New
-
July 2022 PSU release fixes.
-
ZVM-24301 - New command line option
UseContainerCpuShares
, default true, to consider CPU shares when computing available processors inside a cgroup. This option was backported from OpenJDK 17 and it is important to note that while OpenJDK has a default value of false, the default value in Azul Platform Prime is true.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JAXP (Xalan-J) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17, 15, 13, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
17, 15, 13, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
Low |
None |
None |
17, 15, 13, 11, 8 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
17 |
Note 1 |
|
CVE-2022-25647 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Native Image (Gson) |
None |
No |
6.2 |
Local |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and relies on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
22.06.0.0
Release date: June 30, 2022
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u332 |
11 |
11.0.15+10 |
13 |
13.0.11+4 |
15 |
15.0.7+4 |
17 |
17.0.3+7 |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-14341 |
NMT detailed mode allows user to track internal VM memory usage to the granularity of a single callsite. This feature is also very useful in case the user needs to find a memory leak. |
ZVM-24010 |
Optimized layout of GC internal data structure, improving native memory consumption by the garbage collector (GC). |
ZVM-23142 |
Improved virtual memory regions initialization to handle rare situations when there are existing mappings in preferred ranges. In such cases, the JVM previously failed to start with the error "Unable to setup virtual memory region for …". |
ZVM-24118 |
Fixed crashes caused by |
ZVM-23983 |
async-profiler v2.7+ cpu profiling is now working with Prime. |
Known Issues
Issue ID | Description |
---|---|
- |
Aarch64 support is limited to Graviton 2 and 3. Graviton 1 is not yet supported. |
ZVM-20142 |
Async profiler activemq crashed with 'assert(false) failed: Should never reach here' |
ZVM-17531 |
Wildfly app-server hangs when Async Java Profiler is attached. |
ZVM-16393 |
Async profiler does not show object type in "-e alloc" mode on Zulu Prime |
22.05.0.0
Release date: May 31, 2022
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u332 |
11 |
11.0.15+10 |
13 |
13.0.11+4 |
15 |
15.0.7+4 |
17 |
17.0.3+7 |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21804 |
In container systems with an elastic CPU definition (CPU min and max both set or cgroups |
22.04.1.0
Release date: May 24, 2022
This release is based on Azul Platform Prime 22.04.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u332 |
11 |
11.0.15+10 |
13 |
13.0.11+4 |
15 |
15.0.7+4 |
17 |
17.0.3+7 |
22.04.0.0
Release date: May 6, 2022
This CPU and PSU release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
8u332 |
11 |
11.0.15+10 |
13 |
13.0.11+4 |
15 |
15.0.7+4 |
17 |
17.0.3+7 |
What’s New
-
April 2022 CPU and PSU security fixes.
-
Enable elimination of safepoint pauses for finding deadlocks operations by first attempting to complete them using a checkpoint using the option
-XX:[+/ -]OptimizeFindDeadlocksWithCheckpoint
. If a deadlock is detected in the checkpoint, it is then confirmed using a safepoint pause.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ZIP |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
17, 15, 13, 11, 8, 7, 6 |
|
|
Libraries |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
18, 17, 15 |
Note 1 |
|
Libraries |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
High |
None |
None |
18, 17, 15, 13, 11, 8, 7 |
Note 1 |
|
JAXP |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
18, 17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
18, 17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
JNDI |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
18, 17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
18, 17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
CVE-2022-0778 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Node (OpenSSL) |
HTTPS |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21804 |
In container systems with an elastic CPU definition (CPU min and max both set or cgroups |
ZVM-23002 |
Added support for cgroups v2. |
ZVM-23091 |
Deadlock detection was being performed using safepoint pauses in prior releases. Starting 22.04 Prime attempts to detect deadlock using checkpoints which do not cause a global pause. If the checkpoint operation indicates the possibility of a deadlock, Prime will resort to a safepoint to confirm the same. |
22.03.0.0
Release date: March 31, 2022
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u332 |
8 |
8u322 |
11 |
11.0.14.1+9 |
13 |
13.0.10+5 |
15 |
15.0.6+5 |
17 |
17.0.2+8 |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21804 |
In container systems with an elastic CPU definition (CPU min and max both set or cgroups |
22.02.0.0
Release date: February 28, 2022
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u332 |
8 |
8u322 |
11 |
11.0.14.1+9 |
13 |
13.0.10+5 |
15 |
15.0.6+5 |
17 |
17.0.2+8 |
22.01.2.0
Release date: February 14, 2022
This PSU release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u332 |
8 |
8u322 |
11 |
11.0.14+9 |
13 |
13.0.10+5 |
15 |
15.0.6+5 |
17 |
17.0.2+8 |
22.01.1.0
Release date: February 7, 2022
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u332 |
8 |
8u322 |
11 |
11.0.14+9 |
13 |
13.0.10+5 |
15 |
15.0.6+5 |
17 |
17.0.2+8 |
22.01.0.0
Release date: January 31, 2022
This PSU release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u332 |
8 |
8u322 |
11 |
11.0.14+9 |
13 |
13.0.10+5 |
15 |
15.0.6+5 |
17 |
17.0.2+8 |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21048 |
When |
ZVM-22049 |
OldGC is not triggered often enough during idle time when NewGCs are occurring. |
ZVM-22063 |
Map OpenJDK command line option |
ZVM-19635 |
Avoid lock in ByteArrayInputStream.read if it is used as an input of ObjectInputStream. |
ZVM-20678 |
Improved performance of string collation and iteration. |
21.12.0.0
Release date: December 20, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u322 |
8 |
8u312 |
11 |
11.0.13+8 |
13 |
13.0.9+3 |
15 |
15.0.5+3 |
17 |
17.0.1+12 |
What’s New
-
Photon OS is now supported.
-
Improved performance of string collation and character iteration. You can enable the use of the custom implementation of
RuleBasedCollator
using the option-XX:+UseModifiedRuleBasedCollator
. This option is false by default. -
Docker images for Prime are now available.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21048 |
When |
ZVM-22049 |
OldGC is not triggered often enough during idle time when NewGCs are occurring. |
ZVM-22063 |
Map OpenJDK command line option |
ZVM-19635 |
Avoid lock in |
ZVM-20678 |
Improved performance of string collation and iteration. |
21.10.1.0
Release date: December 14, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u322 |
8 |
8u312 |
11 |
11.0.13 |
13 |
13.0.9 |
15 |
15.0.5 |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21884 |
Failure during startup when the kernel does not have support for Transparent Huge Pages (THP) feature, or does not support making madvise(2) calls with MADV_NOHUGEPAGE. |
ZVM-22052 |
Cassandra fails when ulimit -l unlimited is set to allow more mlock than the Linux default. This issue affected only Prime version 21.10.0.0. |
21.10.0.0
Release date: October 29, 2021
This CPU release is based on the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u322 |
8 |
8u312 |
11 |
11.0.13 |
13 |
13.0.9 |
15 |
15.0.5 |
What’s New
-
Includes all October 2021 CVE fixes.
-
Azul Platform Prime 21.10.0.0 contains the October 2021 CPU release of OpenJDK. Azul Platform Prime 21.10.0.0 brings the associated JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 versions to October 2021 CPU security update levels.
-
The peak heap occupancy target, used by heuristics to decide when to trigger a garbage collection, is now managed dynamically by default. The dynamic changes can be disabled by setting
GPGCTargetPeakHeapOccupancyPercent
to a desired value. -
Increased parallelism between collectors for the new generation and old generation. Helps reduce the peak duration for a new generation collection and reduce allocation delays during peak load.
-
The number of concurrent GC threads is now changed dynamically when
-Xms
is set to the same value as-Xmx
, or when Azul Zing System Tools (ZST) is installed. At JVM start a low number of concurrent GC threads is employed. If later during application uptime the GC Time Percent metric increases beyond a threshold, more GC threads are added to reduce the number of GC cycles. The limit for the total number of GC threads is 3/4 of the process' available CPU threads. As of this Prime version, the number of threads will never shrink later.To disable the dynamic handling, use the following on the command line:
-XX:-UseDynamicNumberOfGCThreads
If one of the following flags is set on the command line, the dynamic handling will also be disabled:
-
-XX:GPGCThreads=N
-
-XX:GenPauselessNewThreads=N
-
-XX:GenPauselessOldThreads=N
-
-
General performance improvements.
-
More intrinsics from Java 17.
21.09.1.0
Release date: October 14, 2021
This release is based on Azul Platform Prime 21.09.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u312 |
8 |
8u302 |
11 |
11.0.12+7 |
13 |
13.0.8+5 |
15 |
15.0.4+5 |
What’s New
-
Initial support for Cloud Native Compiler. Cloud Native Compiler provides a server-side optimization solution that offloads JIT compilation to dedicated hardware, providing more processing power to JIT compilation while freeing your client JVMs from the load of doing JIT compilation.
-
General performance improvements.
21.09.0.0
Release date: September 29, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u312 |
8 |
8u302 |
11 |
11.0.12+7 |
13 |
13.0.8+5 |
15 |
15.0.4+5 |
What’s New
-
General performance improvements.
-
GC log line has been expanded to include additional information for heap elasticity.
-
Introduces a new JFR event named "Deoptimization" which arises when previously compiled code gets discarded. The event is useful in troubleshooting performance issues including low throughput and high CPU utilization.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-21015 |
High pause time during OldGC due to unloading of a long chain of subclasses. |
ZVM-19788 |
Installation packages are now signed. |
ZVM-20927 |
Abort the VM if GC safepoint operation time exceeds a configurable
threshold. See the new GC options: |
ZVM-17584 |
Introduces a new JFR event named "Deoptimization" which arises when previously compiled code gets discarded. The event is useful in troubleshooting performance issues including low throughput and high CPU utilization. |
21.08.0.0
Release date: August 31, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u312 |
8 |
8u302 |
11 |
11.0.12+7 |
13 |
13.0.8+5 |
15 |
15.0.4+5 |
What’s New
-
Improved performance with large Java heaps on Intel Ice Lake systems with 5-level page tables.
-
Introduces support for Intel’s Ice Lake 5-level paging.
-
Support for dynamically varying garbage collector thread counts with the GPGCDynamicGCThreadCountPolicy option. See command line options for more details.
21.07.0.0
Release date: July 30, 2021
This CPU and PSU release is based on the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u312 |
8 |
8u302 |
11 |
11.0.12+7 |
13 |
13.0.8+5 |
15 |
15.0.4+5 |
What’s New
-
Incorporates all of the changes from the July 2021 CPU release and most of the changes from the July 2021 PSU release.
-
Various performance improvements including improved locking, stack-walking behavior for performance.
-
Loop unrolling improvements.
-
Java heap elasticity is turned on by default when not using the Prime System Tools (ZST). This means that
-Xms
is now recognized along with-Xmx
. The default values also match OpenJDK. For latency sensitive applications it is advised to set-Xms
equal to-Xmx
to preserve the old behaviour. See Recommended Heap Size for more details.
21.06.0.0
Release date: June 30, 2021
This release is based on Azul Platform Prime 21.04.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u302 |
8 |
8u292 |
11 |
11.0.11+9 |
13 |
13.0.7+5 |
15 |
15.0.3+3 |
What’s New
-
Additional improvements of the Heap Elasticity feature introduced in 21.05.0.0. Improved memory allocation handling in Heap Elasticity mode to avoid exceeding the container/cgroups memory limit.
-
Fixed many issues with Async Profiling.
-
Various performance improvements with Falcon compiler:
-
Fixed extra spills causing performance penalties by supporting live gc values on registers for calls which can throw exceptions
-
Improved performance of applications that frequently use Unsafe.allocateInstance.
-
Implemented nested locks elimination optimization for multiple nested locks on a given object under the condition that the nested lock state is not inspected.
-
Resolved Issues
Issue ID | Description |
---|---|
ZVM-19710 |
Profiling with cpu/wall events yeilds unusable results |
ZVM-20081 |
Startup failure when specifying |
ZVM-19972 |
JVM memory metrics like |
21.05.1.0
Release date: July 12, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u302 |
8 |
8u292 |
11 |
11.0.11+9 |
13 |
13.0.7+5 |
15 |
15.0.3+3 |
21.05.0.0
Release date: May 31, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u302 |
8 |
8u292 |
11 |
11.0.11+9 |
13 |
13.0.7+5 |
15 |
15.0.3+3 |
What’s New
-
Non-ZST Heap Elasticity introduced. See Recommended Heap Size for details. When heap elasticity is enabled, the Garbage Collector tries to minimize the memory footprint, keeping it between the user- defined range of -Xms and -Xmx. At the same time, the CPU usage of the Garbage Collector is monitored and the memory minimizing goal relaxed in case the CPU usage increases too much. Heap Elasticity is not available when Azul Zing System Tools (ZST) is installed.
-
Azul Platform Prime 21.05.0.0 makes the OpenJDK C1 OSR the default OSR for the Falcon compiler. The C1 OSR takes much less time and CPU resources to fully optimize your code to steady-state performance.
-
Stream Builds (previously known as Feature Releases) are now free for use in development and evaluation. As such, the builds no longer check for an evaluation license.
-
Latency improvement for applications with frequent Unsafe.get() and put() calls.
-
Fixed heap dump compatibility issue that prevented opening Zing head dumps in IntelliJIdea.
-
Enabled jcmd ManagementAgent command option support.
21.04.0.0
Release date: April 30, 2021
This CPU and PSU release is based on the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u302 |
8 |
8u292 |
11 |
11.0.11+9 |
13 |
13.0.7+5 |
15 |
15.0.3+3 |
What’s New
-
April 2021 CPU and PSU fixes.
-
Quicker acquisition of transparent huge pages on Ubuntu, Amazon Linux or similar Linux systems with kernel 4.19.7 or newer in non-ZST mode. This can help get peak performance earlier as well as enable faster java process restart when THP is configured.
-
Default value of Xmx in cgroups is now the minimum of 25% of cgroup memory limit and 32 GB. Prior to 21.04.0.0, it was 25% of cgroup memory limit.
-
Reduced code cache usage for applications with high number of classes or interfaces and a large number of associated methods.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Libraries |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
16, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
High |
None |
Required |
Unchanged |
None |
High |
None |
16, 15, 13, 11, 8, 7, 6 |
Note 2 |
|
CVE-2021-23841 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Node (OpenSSL) |
HTTPS |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2021-3450 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Node (Node.js) |
HTTPS |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
21.03.0.0
Release date: March 31, 2021
This release is based on the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u292 |
8 |
8u282 |
11 |
11.0.10+9 |
13 |
13.0.6+5 |
15 |
15.0.2+7 |
What’s New
-
Enhanced Compatibility With Data Management Platforms
ZVM 21.03.0.0 improves compatibility between the MXBean memory pool names and names expected by in- memory data management systems (e.g., Pivotal GemFire 8.2).
-
JFR Event Streaming allows to asynchronously subscribe to select JFR events and avoid the overhead associated with creating a recording in JDK 15.
-
Various performance improvements, like enhancements to tracking of garbage-collection roots, compiler optimizations for aggressive lock coarsening, and an experimental ReadyNow mode that enables the pre-initialization of a greater number of bootstrap classes.
21.02.0.0
Release date: February 26, 2021
This release is based on Azul Platform Prime 21.01.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u292 |
8 |
8u282 |
11 |
11.0.10+9 |
13 |
13.0.6+5 |
15 |
15.0.2+7 |
What’s New
-
Introduces medium-term support (MTS) for Java Standard Edition 15. See Azul Product Support Lifecycle for more information.
-
Additional non-security changes associated with the January 2021 Patch Set Updates (PSU) OpenJDK 7u292, OpenJDK 8u282, OpenJDK 11.0.10, OpenJDK 13.0.6 and OpenJDK 15.0.2 release contents.
-
Load value barriers for reference equality checks are optimized within loops. Zing also optimizes more such checks aggressively by considering both operands of the equality check.
-
Improved object locking with better monitor inflation behavior.
-
The functionality of
UseCodeCacheFlushing
is offered underUseIncrementalCodeCacheFlushing
in Zing 21.02.0.0. However, Zing has emergency code cache flushing turned on by default, seeUseEmergencyCodeCacheFlushing
in Using Zing Command-Line Options for details. -
Early-access support for ReadyNow Image, an experimental warm-up optimizer based on ReadyNow and Linux Checkpoint/Restore In Userspace (CRIU).
Zing 21.02.0.0 installation contains ReadyNow Image files in the /etc/rni/ directory:
` `criu
libnet.so.1
libnl-3.so.200
libprotobuf-c.so.1
restore-script
wait-script
-
Zing 21.02.0.0 includes optional experimental support for interaction with connected runtime services through an emerging protocol in Zing 13. Note that for Zing 8 and Zing 11 this support was introduced in Zing 21.01.0.0.
Zing 21.02.0.0 installation contains the following files related to the services:
-
jmods/azul.crs.jfr.access.jmod
-
legal/azul.crs.jfr.access/ADDITIONAL_LICENSE_INFO
-
legal/azul.crs.jfr.access/ASSEMBLY_EXCEPTION
-
legal/azul.crs.jfr.access/CLASSPATH_EXCEPTION_NOTE
-
legal/azul.crs.jfr.access/LICENSE
-
lib/crs-agent.jar
-
21.01.0.0
Release date: January 29, 2021
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u292 |
8 |
8u282 |
11 |
11.0.10+9 |
13 |
13.0.6+5 |
What’s New
-
C2 Improvement
The default JIT compiler on Zing JDK 8 and JDK 7 is changed from SeaOfNodesC2 to KestrelC2 when Zing C2 mode is enabled with
-XX:+UseC2
.For Zing JDK 11, this improvement was made in Zing 20.04.0.0.
KestrelC2 is a C2 implementation introduced to Zing in 2020. It is based on a lightweight use of the LLVM backend and typically produces faster code than UseSeaOfNodesC2 while keeping compilation effort at similar levels. UseKestrelC2 generally exhibits a significantly lower compilation-time CPU consumption compared to Falcon.
See Using Zing Command-Line Options for
-XX:[+/-]UseKestrelC2
and-XX:[+/-]UseSeaOfNodesC2
command-line options and details.The default JIT compiler in Zing is the high-performance Falcon introduced in 2017.
-
New Experimental Features
Zing 21.01.0.0 includes optional experimental support for interaction with connected runtime services through an emerging protocol in Zing 11 and Zing 8.
These experimental capabilities are enabled by the
-XX:+UseCRS
command-line option and turned off by default. Being an experimental Zing option, it must be unlocked by preceding-XX:+UnlockExperimentalVMOptions
. -
Performance Improvement
Zing 21.01.0.0 introduces an improved escape analysis for arrays in the Falcon compiler.
The improvement includes an optimization for array reallocation pattern (e.g., java.util.Arrays.copyOf) to avoid redundant copying. Notably, this optimization improves the performance of string concatenation using the StringBuilder class by the elimination of excessive reallocations of the underlying StringBuilder buffer.
-
Support for EdDSA Signature Algorithm
Zing 21.01.0.0 introduces the OpenEdDSA provider which can be used for cryptographic signatures using the Edwards-Curve Digital Signature Algorithm (EdDSA) in Zing 8 with no application or code changes. See JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA) for details.
The OpenEdDSA public API is provided in the
org.openeddsa.java.security.interfaces
andorg.openeddsa.java.security.spec
packages.To enable the OpenEdDSA provider, do either of the following:
-
configure the Java Runtime Environment for the OpenEdDSA provider by adding the entry below to the
$JAVA_HOME/jre/lib/security/java.security
filesecurity.provider.10=org.openeddsa.security.OpenEdDSA -
add the OpenEdDSA provider directly to your code
// Add OpenEdDSA provider java.security.Security.addProvider(new org.openeddsa.security.OpenEdDSA());
-
20.12.0.0
Release date: December 18, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u285 |
8 |
8u275 |
11 |
11.0.9.1+1 |
13 |
13.0.5.1+1 |
What’s New
-
Zing 20.12.0.0 incorporates additional non-security changes associated with the October Patch Set Updates (PSU) 2020 OpenJDK 7u285, OpenJDK 8u275, OpenJDK 11.0.9.1, and OpenJDK 13.0.5.1 release contents.
-
Zing 20.12.0.0 introduces an enhanced induction variable analysis and range checks removal mechanism. Particularly, improved range check elimination capabilities for decrementing loops of the following type:
for (int i = array.length - 1; i >= 0; i--) { array[i] = ... }
Resolved Issues
Issue ID | Description |
---|---|
ZVM-18035 |
Backport of JDK-8202837 and JDK-8214513 to Zing 8. |
ZVM-17938 |
Setting InitalHeapSize and MaxHeapSize the same fails in non-ZST mode. This affects applications such as ElasticSearch which insists that Initial Heap Size be equal to Maximum Heap Size. |
ZVM-17430 |
JarFile constructor exception in JDK 11.0.8. |
ZVM-17346 |
System data collected for GC logging could cause oom-killer invocation and kernel panic when java is launched under the root user. |
ZVM-16051 |
Provide FalconTrustInterfaceTypesForArrayStore to move interface type conformance check from the VM to the application. This can improve throughput variability for some applications. -XX:+UnlockExperimentalVMOptions is required to use -XX:+FalconTrustInterfaceTypesForArrayStore. |
20.10.0.0
Release date: October 30, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u281 |
8 |
8u271 |
11 |
11.0.8.0.101+5 |
What’s New
-
Zing 20.10.0.0 brings the associated JDK 7, JDK 8, JDK 11 and JDK 13 versions to October 2020 Critical Patch Update (CPU) security update levels and incorporates changes related to OpenJDK 7u281, OpenJDK 8u271, OpenJDK 11.0.8.0.101, and OpenJDK 13.0.4.0.101 release contents.
-
Zing 20.10.0.0 includes loop form fixes to increase performance of loops by simplified triggering of enabled vectorization methods. The optimization is enabled by default.
-
Zing 20.10.0.0 contains an improved allocation mechanism which has a positive impact on Zing’s performance. The optimization is enabled by default.
-
Zing 20.10.0.0 introduces method counters across JVM runs, which enables ReadyNow to build a profile over multiple short runs when the number of orders is low.
20.09.1.0
Release date: October 19, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u272 |
8 |
8u265 |
11 |
11.0.8+10 |
13 |
13.0.4+8 |
20.09.0.0
Release date: September 30, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u272 |
8 |
8u265 |
11 |
11.0.8+10 |
13 |
13.0.4+8 |
What’s New
-
Zing 20.09.0.0 introduces Medium Term Support for Java SE 13. See Azul Product Support Lifecycle for more information.
-
Zing 20.09.0.0 includes accelerated copying of large array chunks. The optimization is enabled by default. See
UseArrayCopyChunkingIntrinsics
in Using Zing Command-Line Options for details. -
Zing 20.09.0.0 provides a performance improvement for
org.apache.logging.log4j.util.StackLocator.getCallerClass()
, which maximizes logging performance when using log4j versions 2.13.1 - 2.13.3 on Zing 8 and log4j versions 2.9.0 - 2.13.3 on Zing 11+. The improvement is disabled by default. SeeUseLog4jGetCallerClassIntrinsic
in Using Zing Command-Line Options for details. -
Zing 20.09.0.0 introduces unified Garbage Collection (GC) logging that utilizes unified JVM logging framework (JEP 271: Unified GC Logging). See Unified GC Logging Recommendations to learn more.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-16945 |
Core bundler: pid extraction can select more than one line. |
ZVM-16239 |
Racy initialization logic in GraphBuilder::initialize(): under rare circumstances another thread can observe the _is_initialized flag set before the static fields _can_trap and _is_async are actually initialized. |
20.08.0.0
Release date: August 31, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u272 |
8 |
8u262 |
11 |
11.0.8+10 |
What’s New
-
Zing 20.08.0.0 incorporates additional non-security changes associated with the July Patch Set Updates (PSU) 2020 OpenJDK 7u272, OpenJDK 8u265, and OpenJDK 11.0.8 release contents.
-
NONEwithDSAinP1363Format is included in signature algorithms enabled in Zing 20.08.0.0 by default. NONEwithDSAinP1363Format is scheduled for removal in the following release of the Zing Virtual Machine. Since the algorithm is not supported in other JDK 8 virtual machines, it is recommended to migrate to Digital Signature Algorithms with ASN.1 encoded signature bytes.
-
Zing 20.08.0.0 introduces multiple optimizations that significantly increase performance on a set of Java Stream API scenarios.
-
Zing 20.08.0.0 introduces a new version string format that includes a matching OpenJDK release number.
-
Version 1 of the GC Log Analyser has reached its end-of-life and is removed from Zing 20.08.0.0. Version 2 of the GC Log Analyzer is available for download at https://cdn.azul.com/gcla/GCLogAnalyzer2.jar.
20.07.0.0
Release date:
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u272 |
8 |
8u262 |
11 |
11.0.8+10 |
What’s New
-
Zing 20.07.0.0 brings the associated JDK 7, JDK 8, and JDK 11 versions to July 2020 Critical Patch Update (CPU) security update levels and incorporates changes related to OpenJDK 7u271, OpenJDK 8u261, and OpenJDK 11.0.7.0.101 release contents.
-
The lock-less Java Native Interface (JNI) protocol is enabled by default in Zing 20.07.0.0. See Using Zing Command-Line Options for the
UseThreadStateNativeWrapperProtocol
option and details. -
Zing 20.07.0.0 introduces optimization in object allocation (internal new_stub() function) for improved performance in TLAB allocation intensive applications. The optimization is enabled by default.
-
Starting with Zing 20.07.0.0, Zing 8 supports TLS 1.3 by default and follows the application programming interface (API) changes introduced by Maintenance Release 3 to the Java SE 8 specification.
20.06.0.0
Release date:
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u262 |
8 |
8u252 |
11 |
11.0.7+10 |
What’s New
-
The release of Zing 20.06.0.0 includes ReadyNow improvements for faster warmup and smaller footprint.
-
Zing 20.06.0.0 introduces a JNI exception checking optimization. See Using Zing Command-Line Options for the
UseFastJNIExceptionCheck
option and details. -
Zing 20.06.0.0 provides full elasticity support for code cache. See Using Zing Command-Line Options for the
InitialCodeCacheSize
,ReservedCodeCacheSize
, andCodeCacheOopTableSize
options and details. -
Zing 20.06.0.0 includes a further improvement of JDK 11
java.lang.StackWalker
which is frequently used by log4j2 and other logging implementations. See also https://openjdk.java.net/jeps/259 andjava.lang.StackStreamFactory$AbstractStackWalker
. -
Zing 20.06.0.0 introduces new diagnostic Java Flight Recorder (JFR) events to simplify error handling.
-
The lock-less Java Native Interface (JNI) protocol is disabled by default. See Using Zing Command-Line Options for the UseThreadStateNativeWrapperProtocol option and details.
20.05.0.0
Release date: May 29, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u262 |
8 |
8u252 |
11 |
11.0.7+10 |
What’s New
-
In Zing 20.05.0.0, the Java Flight Recorder Tick Profiler becomes enabled by default.
-
In Zing 20.05.0.0, Java monitors are moved from CodeCache to a new dedicated MonitorCache storage.
-
The release of Zing 20.05.0.0 includes optimizations targeted at accelerating compilation and warmup.
-
Zing 20.05.0.0 introduces better JDK 11
java.lang.StackWalker
which is frequently used by log4j2 and other logging implementations. See also https://openjdk.java.net/jeps/259 andjava.lang.StackStreamFactory$AbstractStackWalker
. -
Zing 20.05.0.0 provides a reduction of application exit times in the non-ZST mode when a process uses mlockall().
-
Zing 20.05.0.0 improves the mitigation strategy used by the Falcon compiler to minimize performance impacts due to Intel's microcode updates in response to Jump Conditional Code (JCC) Erratum SKX102. Previous versions inserted nop instructions for padding; the new version can optionally increase the size of existing instructions in some cases. As before, the mitigation is enabled only on affected processors, and no user action is needed.
-
Zing 20.05.0.0 introduces a testing grace period mode, under which the Zing can run for up to 60 minutes (3600 seconds) without requiring a valid license. The testing grace period can be enabled by setting the
ZING_TESTING_GRACE_PERIOD_SEC
environment variable to a number of grace period seconds (up to 3600), or by using the-XX:ZVMTestingGracePeriodSec=N
flag with a similar value.
20.04.0.0
Release date: April 30, 2020
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u262 |
8 |
8u252 |
11 |
11.0.7+10 |
What’s New
-
The release of Zing 20.04.0.0 contains April 2020 critical patch update (CPU) security and critical bug fixes and brings the associated JDK 7, JDK 8, and JDK 11 versions to April 2020 CPU security update levels.
-
Zing 20.04.0.0 incorporates additional non-security changes associated with the April PSU 2020 OpenJDK 8u252 and OpenJDK 11.0.7 release contents.
-
Starting with Zing 20.04.0.0, the
-XX:+UseC2
option can use one of two separate implementations of C2 JIT compilation: a traditionalUseSeaOfNodesC2
mode and a newUseKestrelC2
mode. -
The new mode is selected with
+UseKestrelC2
which is on by default for Zing 11 and off by default for Zing 8 and Zing 7. This mode enables a C2 implementation introduced to Zing in 2020. It is based on a lightweight use of the LLVM backend and typically produces faster code than UseSeaOfNodesC2 while keeping compilation effort at similar levels.UseKestrelC2
generally exhibits a significantly lower compilation-time CPU consumption compared to Falcon.The old mode is selected with
+UseSeaOfNodesC2
which is off by default in Zing 11 and on by default for Zing 8 and Zing 7.See Using Zing Command-Line Options for
UseKestrelC2
andUseSeaOfNodesC2
command-line options and details. -
Zing 20.04.0.0 introduces a compilation time improvement.
-
The release of Zing 20.04.0.0 introduces an increased maximum Java heap size from 1 TB to 2.5 TB in the default non-ZST mode.
The maximum Java heap size for the Zing Virtual Machine with ZST is 20 TB.
-
In Zing 20.04.0.0, a new Java Flight Recorder functionality allows you to collect profiling data about applications that use JNI invocations.
-
The release of Zing 20.04.0.0 includes optimizations targeted at reducing JNI transition costs. The cost of a native call from Java was reduced, and the implementation of the accessor functions used to retrieve fields of Java objects from native code was also improved. Most applications will not be affected, but applications with many native transitions (such as a socket or file IO) may see the marked improvement.
See Using Zing Command-Line Options for
UseFastJNIAccessors
,UseMembar
, andUseThreadStateNativeWrapperProtocol
command-line options and details. -
Zing 20.04.0.0 excludes debug symbols embedded in
libjvm.so
, which reduces the filesystem footprint of a Zing installation by 280 MB.Contact [email protected] if you need to install debug symbols for Zing.
20.03.1.0
Release date:
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u252 |
8 |
8u242 |
11 |
11.0.6+10 |
20.03.0.0
Release date:
This release corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u252 |
8 |
8u242 |
11 |
11.0.6+10 |
20.02.1.0
Release date: April 8, 2020
This release is based on Azul Platform Prime 20.02.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u252 |
8 |
8u242 |
11 |
11.0.6+10 |
20.02.0.0
Release date: February 28, 2020
This release is based on the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u252 |
8 |
8u242 |
11 |
11.0.6+10 |
What’s New
-
January 2020 PSU Release.
This version incorporates additional non-security changes associated with the PSU 2020 OpenJDK 8u242 and OpenJDK 11.0.6 release contents.
-
Deprecation of FalconUseLegacyInliner
The
FalconUseLegacyInliner
command-line option is deprecated in Zing 8 and 11 with no replacemen.
20.01.0.0
Release date: January 30, 2020
This release is based on the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
7 |
7u251 |
8 |
8u241 |
11 |
11.0.5.0.101+11 |
What’s New
-
January 2020 CPU Release.
-
InZVM20.01.0.0,
-XX:+FalconCompensateForIntelMCUForErratumSKX102
is an off-by-default option and introduces a nop padding based mitigation for performance regressions seen on some systems following Intel’s microcode updates in response to errata SKX102. This option is expected to become the default in a future Zing release. If enabled, nop padding will be used to align affected branches on systems with the microcode update applied.For testing purposes, the flag
-XX:+ForceFalconCompensateForIntelMCUForErratumSKX102
is also provided. This can be used to force the generation of nop padded code on unaffected systems for performance validation.
Previous Stable Builds
24.08.200.0
Release date: November 19, 2024
This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.102.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_432-b4 |
11 |
11.0.25+9-LTS |
17 |
17.0.13+11-LTS |
21 |
21.0.5+11-LTS |
What’s New
-
October 2024 PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Serialization |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
Multiple |
Yes |
8.1 |
Network |
High |
None |
None |
Unchanged |
High |
High |
High |
None |
|
CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (libxml2) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
Note 1 |
CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 2 |
CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 2 |
CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 2 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024
24.08.102.0
Release date: November 14, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.101.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_431-b2 |
11 |
11.0.24.0.101+1-LTS |
17 |
17.0.12.0.101+1-LTS |
21 |
21.0.4.0.101+1-LTS |
24.08.101.0
Release date: October 22, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.100.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_431-b1 |
11 |
11.0.24.0.101+1-LTS |
17 |
17.0.12.0.101+1-LTS |
21 |
21.0.4.0.101+1-LTS |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-32504 |
Crash when multiple threads race to fill the last slot available in VM internal constant table |
ZVM-32001 |
Allocation analyses and optimizations can consume too much memory |
ZVM-29261 |
Crash with virtual threads due to reuse of a stack chunk during GC |
ZVM-31788 |
Local fallback not triggered when the connection to OptHub is alive but no serverside components are able to serve the client requests. |
24.08.100.0
Release date: October 15, 2024
This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.1.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_431-b2 |
11 |
11.0.24.0.101+1-LTS |
17 |
17.0.12.0.101+1-LTS |
21 |
21.0.4.0.101+1-LTS |
What’s New
-
October 2024 CPU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Serialization |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
Multiple |
Yes |
8.1 |
Network |
High |
None |
None |
Unchanged |
High |
High |
High |
None |
|
CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (libxml2) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
Note 1 |
CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 2 |
CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 2 |
CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 2 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024
24.08.1.0
Release date: September 20, 2024
This release is based on the Azul Zing Build of OpenJDK (Zing) 24.08.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_422-b1 |
11 |
11.0.24+8-LTS |
17 |
17.0.12+7-LTS |
21 |
21.0.4+4-LTS |
What’s New
-
Zing 24.08.1.0 includes a performance improvement in ReadyNow which improves the efficiency and reporting of the built-in class loader identification task.
-
In case you need to disable Extended Native Memory Tracking (NMT), Zing 24.08.1.0 includes new command line option
UseExtendedNMT
, which you can use to disable Zing’s Extended NMT, andEnableNMTIntegrityChecks
, which you can use to disable checks on allocations. Zing runs in Extended NMT mode and includes integrity checks by default. Using-XX:-UseExtendedNMT
tells Zing to run NMT in a Zulu-like mode. We do not recommend disabling Extended NMT except in very specific cases. -
Zing 24.08.1.0 features an update to JVMTI behavior in order to bring it to the modern standard. Previously, a few commercial Java application performance monitoring tools have been reporting too long GC pause times because Zing was reporting non-pausing concurrent GC durations wrongly as GC pauses over JVMTI events
JVMTI_EVENT_GARBAGE_COLLECTION_START
(GarbageCollectionStart) andJVMTI_EVENT_GARBAGE_COLLECTION_FINISH
(GarbageCollectionFinish).The new correct reporting may increase the actual GC pauses slightly if monitoring software attached with -javaagent using JVMTI is active. By adding
-XX:-GPGCNotifyJVMTIGCEventsInSafepoint
the reporting of GC events can be moved outside the pause.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-32164 |
Make sure RN’s initialization order is not affected by parallel application activity |
ZVM-32021 |
Malformed characters as part of cgroup data in GC log header |
ZVM-31884 |
Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode |
ZVM-31914 |
Disable limit on CNC reconnection attempts |
ZVM-31866 |
ReadyNow threads should not cause OOM |
ZVM-31859 |
Don’t hold JVM lock while performing Falcon context reset |
ZVM-31812 |
Expensive JNI method handle resolution in CompileQueue::scan_for_task may delay application threads |
ZVM-31772 |
Remove CompileQueue::top best task search overhead |
ZVM-31705 |
Frequent chunk sending re-tries |
24.02.401.0
Release date: October 3, 2024
This release is based on Azul Platform Prime 24.02.400.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_422-b3 |
11 |
11.0.24+8-LTS |
17 |
17.0.12+7-LTS |
21 |
21.0.4+4-LTS |
What’s New
-
Azul Zing 24.02.401.0 improves the efficiency and reporting of the builtin class loader identification task, ensuring that the builtin class loader identification tasks finish within an expected timeframe.
-
Azul Zing 24.02.401.0 adds a mode which makes ReadyNow file tasks through the request buffer rather than directly to the compile queue. This change can reduce overhead in some cases.
-
In case you need to disable Extended Native Memory Tracking (NMT), Zing 24.02.401.0 includes new command line option
UseExtendedNMT
, which you can use to disable Zing’s Extended NMT, andEnableNMTIntegrityChecks
, which you can use to disable checks on allocations. Zing runs in Extended NMT mode and includes integrity checks by default. Using-XX:-UseExtendedNMT
tells Zing to run NMT in a Zulu-like mode. We do not recommend disabling Extended NMT except in very specific cases.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-32021 |
Malformed characters as part of cgroup data in GC log header |
ZVM-31884 |
Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode |
ZVM-32164 |
Make sure ReadyNow’s initialization order is not affected by parallel application activity |
ZVM-31914 |
Failing to run Falcon code for some methods in Neuron application |
ZVM-31884 |
Memory reservation fails on 6.8 kernel with dense encoding in non-ZST mode |
ZVM-31866 |
ReadyNow threads should not cause OOM |
ZVM-31859 |
Don’t hold JVM lock while performing Falcon context reset |
ZVM-31812 |
Expensive JNI method handle resolution in CompileQueue::scan_for_task may delay application threads |
ZVM-31772 |
Remove CompileQueue::top best task search overhead |
24.02.400.0
Release date: August 19, 2024
This PSU release is based on Azul Platform Prime 24.02.302.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_422-b1 |
11 |
11.0.24+8-LTS |
17 |
17.0.12+7-LTS |
21 |
21.0.4+4-LTS |
What’s New
-
July 2024 PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2D |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
HTTP/2 |
Yes |
8.2 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
High |
None |
|
CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 1 |
CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024
24.02.302.0
Release date: July 17, 2024
This PSU release is based on Azul Platform Prime 24.02.301.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_421-b2 |
11 |
11.0.23.0.101+2-LTS |
17 |
17.0.11.0.101+3-LTS |
21 |
21.0.3.0.101+4-LTS |
What’s New
-
Zing 24.02.302.0 is able to track detailed ReadyNow task execution. This tracks data on the amount of time tasks are waiting in the compiler queue and actual work done, and compiles those total values into a histogram.
-
Zing 24.02.302.0 implements an intrinsification of the method java.lang.reflect.Array.get, leading to a significant performance improvement in some cases.
-
You can now use more patterns in the DumpIR compile command to specify multiple DumpIRToDiskOf options, allowing you to collect the IR dump for multiple different compilations without using a wide pattern which can potentially lead to overflow of storage.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-31406 |
LocalFallback happening when rebalancing (without obvious reason) |
ZVM-31312 |
PrintGCHeadersGuaranteedIntervalSecs fails with big interval |
ZVM-31328 |
Falcon compilation ends with Stack Memory Failure |
ZVM-31300 |
Remove OSThread::_interrupted for Java >= 14 |
ZVM-31299 |
Port JDK-8175318 from OpenJDK to avoid unnecessary cleaning of JNI handles |
ZVM-31224 |
Multiple compiler engine crashes |
ZVM-31117 |
[SLPVectorize] Quick fix downstream for broken cost model affecting sun.security.provider.SHA.implCompress |
ZVM-30566 |
Local queue is not cleared when local fallback is disabled |
ZVM-29694 |
Chronicle-Queue crashed due to "Error: Safepoint sync time longer than 200000 ms detected when executing Deoptimize." |
ZVM-26110 |
[NMT] Make intercepted allocations honor alignment parameter |
24.02.301.0
Release date: July 17, 2024
This CPU release is based on Azul Platform Prime 24.02.202.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_421-b1 |
11 |
11.0.23.0.101+2-LTS |
17 |
17.0.11.0.101+3-LTS |
21 |
21.0.3.0.101+4-LTS |
What’s New
-
July 2024 CPU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2D |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
HTTP/2 |
Yes |
8.2 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
High |
None |
|
CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 1 |
CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024
-
Changes to the RootCA Certificates
Following a trend led by the Mozilla and Chrome browsers regarding CA certificate policies (see this conversation and message for more details), the RootCA
GLOBALTRUST 2020
from CA certs has been removed. If this impacts you, you can add the certificate back by running the following command:keytool -importcert -file <my-crt-file-location> -cacerts -storepass changeit -noprompt -alias <my-alias>
24.02.202.0
Release date: July 22, 2024
This release is based on Azul Platform Prime 24.02.200.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_412-b1 |
11 |
11.0.23+9-LTS |
17 |
17.0.11+9-LTS |
21 |
21.0.3+9-LTS |
24.02.200.0
Release date: May 27, 2024
This PSU release is based on Azul Platform Prime 24.02.101.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_412-b3 |
11 |
11.0.23+9-LTS |
17 |
17.0.11+9-LTS |
21 |
21.0.3+9-LTS |
What’s New
-
April 2024 PSU release security fixes.
-
Azul Zing 24.02.200.0 introduces a new command line option,
-XX:ThpDisable
, which can be used to disable Transparent Huge Pages (THP) in the entire JVM process, even when system THP settings are enabled. When-XX:+ThpDisable
is set, THP is turned off, overriding the system default. IfThpDisable
is not set manually, the value is inherited from the parent process; typically, the system default.
24.02.102.0
Release date: June 19, 2024
This release is based on Azul Platform Prime 24.02.101.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_411-b1 |
11 |
11.0.22.0.101+2-LTS |
17 |
17.0.10.0.101+3-LTS |
21 |
21.0.2.0.101+2-LTS |
24.02.101.0
Release date: May 16, 2024
This release is based on Azul Platform Prime 24.02.100.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_411-b4 |
11 |
11.0.22.0.101+2-LTS |
17 |
17.0.10.0.101+3-LTS |
21 |
21.0.2.0.101+2-LTS |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-30696 |
Backport ZULU-61542 to a BPR on Zing 24.02.100 Java 17 |
ZVM-30695 |
Backport ZULU-61544 to a BPR on Zing 24.02.100 Java 17 |
ZVM-30653 |
Fix stack walker TTSP profiler that collects interpreter frame methods |
ZVM-30407 |
Linear search at LoaderProfileApplicator::has_recorded_load |
24.02.100.0
Release date: April 16, 2024
This CPU release is based on Azul Platform Prime 24.02.1.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_411-b5 |
11 |
11.0.22.0.101+2-LTS |
17 |
17.0.10.0.101+3-LTS |
21 |
21.0.2.0.101+2-LTS |
What’s New
-
April 2024 CPU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 2 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2023-41993 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-21892 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
None |
No |
7.5 |
Local |
High |
Low |
None |
Changed |
High |
High |
None |
None |
|
CVE-2024-20954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
CVE-2024-21094 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21098 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
None |
|
CVE-2024-21003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21005 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21002 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
CVE-2024-21004 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2024
24.02.1.0
Release date: April 10, 2024
This release is based on Azul Platform Prime 24.02.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b2 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
21 |
21.0.2+13-LTS |
What’s New
-
In order to establish a better client/server relationship between Zing and Optimizer Hub, Zing now sends its version to Optimizer Hub, making the current version of Zing available and viewable in Optimizer Hub.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-30086 |
Add elapsed time end(s) field to all common log lines in Zing GC log |
ZVM-29997 |
JTReg21 - jdk/test/hotspot/jtreg/vmTestbase/nsk/jdwp/ReferenceType/Instances/instances001/instances001.java crashed due to "C [libjdwp.so+0x2e946] classSignature+0x36" |
ZVM-29278 |
Java21 crashes due to " C [libjdwp.so+0x2d72f] jvmtiAllocate+0x2f" |
23.08.402.0
Release date: April 10, 2024
This release is based on Azul Platform Prime 23.08.401.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b2 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
23.08.401.0
Release date: March 13, 2024
This release is based on Azul Platform Prime 23.08.300.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b1 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
23.08.400.0
Release date: February 23, 2024
This PSU release is based on Azul Platform Prime 23.08.300.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_402-b1 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
What’s New
-
Azul Platform Prime 23.08.400.0 introduces a new option,
-XX:FalconAbortCompileWithInstrPattern=<pattern>
, which you can use to abort the compilation of methods whose assembly contains the specified pattern. This way you can "exclude" a bad compilation, while still getting its IR/obj dump, even if it’s not the first compilation of that method. -
Azul Platform Prime 23.08.400.0 includes an improvement to the TTSP profiler to include interpreter frame names and BCI.
-
January 2024 PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17 |
Note 1 |
|
Security |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
21, 17, 11, 8 |
Note 3 |
|
Scripting |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8 |
Note 2 |
|
Security |
None |
No |
4.7 |
Local |
High |
Low |
None |
Unchanged |
High |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
Low |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 2 |
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 2 |
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024
Resolved Issues
Issue ID | Description |
---|---|
ZVM-29800 |
The 'libjvm.so' file is significantly larger in the aarch64 build compared to the x64 build |
ZVM-29388 |
aarch64 builds contain debug symbols - much larger than x64 |
ZVM-29384 |
Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance |
ZVM-29078 |
Do not report ConnectedCompiler thread as compiler thread to GC log |
ZVM-27809 |
ZVM crashes with GCC 13 unwinder |
23.08.301.0
Release date: February 23, 2024
This PSU release is based on Azul Platform Prime 23.08.300.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_401-b2 |
11 |
11.0.21.0.101+2-LTS |
17 |
17.0.9.0.101+2-LTS |
23.08.300.0
Release date: January 16, 2024
This CPU release is based on Azul Platform Prime 23.08.201.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_401-b2 |
11 |
11.0.21.0.101+2-LTS |
17 |
17.0.9.0.101+2-LTS |
What’s New
-
January 2024 CPU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17 |
Note 1 |
|
Security |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
21, 17, 11, 8 |
Note 3 |
|
Scripting |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8 |
Note 2 |
|
Security |
None |
No |
4.7 |
Local |
High |
Low |
None |
Unchanged |
High |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
Low |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 2 |
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 2 |
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024
23.08.201.0
Release date: January 10, 2024
This release is based on Azul Platform Prime 23.08.200.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_392-b1 |
11 |
11.0.21+8-LTS |
17 |
17.0.9+8-LTS |
What’s New
-
Compilation ranking has been disabled in 23.08.x.x stable releases starting from 23.08.201 since, in some cases, the feature can cause some performance issues. You can turn on the feature manually, if needed, with:
-XX:TopTierHotCompileThresholdTriggerMillis=60000 -XX:TopTierWarmCompileThresholdTriggerMillis=600000 -XX:TopTierWarmCompileCpuPercent=25
Resolved Issues
Issue ID | Description |
---|---|
ZVM-29440 |
VM fails to remove stale hsperfdata files after backport of JDK-8286030 |
ZVM-19215 |
Backport JDK-8215451: IsSameObject should not keep objects alive. |
ZVM-29388 |
aarch64 builds contain debug symbols - much larger than x64 |
ZVM-29314 |
[Java17+] Improve handling of constantPool entry in klass_at_if_loaded() |
ZVM-29280 |
Record final IR in our crash handler |
ZVM-29160 |
[Falcon] Incorrect exception handling in case of unloaded klass handler |
23.08.200.0
Release date: November 20, 2023
This PSU release is based on Azul Platform Prime 23.08.101.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_392-b1 |
11 |
11.0.21+8-LTS |
17 |
17.0.9+8-LTS |
23.08.101.0
Release date: November 2, 2023
This release is based on Azul Platform Prime 23.08.100.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_391-b01 |
11 |
11.0.20.1.101+1-LTS |
17 |
17.0.8.1.101+1-LTS |
What’s New
-
Internal bug fixes.
-
The starting point of the time period specified by the option CompilerWarmupPeriodSeconds has been updated. Previously, this time period began at the execution of the Main method. But, since pre-Main can have unexpectedly long initializations, the ending point of this time period could become unpredictable. The starting point of this time period has been changed to JVM startup in order to include pre-Main, giving much better predictability of when this time period ends.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-28960 |
Potential regression in compilation behaviors and times from 23.02.400 to 23.08.01 |
ZVM-29000 |
Fix missing files for SelfDiagnosticRunLevel=2 |
ZVM-28818 |
Fix check super class access |
ZVM-28801 |
Prime jre17 fails to load management agent |
ZVM-28288 |
Liveness probe failure during high load resulting in SIGTRAP sent to VM |
23.08.100.0
Release date: October 17, 2023
This CPU release is based on Azul Platform Prime 23.08.1.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_391-b01 |
11 |
11.0.20.1.101+1-LTS |
17 |
17.0.8.1.101+1-LTS |
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CORBA |
CORBA |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
8 |
Note 1 |
|
JSSE |
HTTPS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
CVE-2023-30589 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
None |
|
CVE-2023-22091 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Compiler |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
|
CVE-2023-22025 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 3 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component, e.g., through a web service. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
3 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2023
23.08.1.0
Release date: September 26, 2023
This release is based on Azul Platform Prime 23.08.0.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_382-b2 |
11 |
11.0.20.1+1-LTS |
17 |
17.0.8.1+1-LTS |
Resolved Issues
Issue ID | Description |
---|---|
ZVM-28703 |
java.lang.UnsupportedOperationException Monitoring of Synchronizer Usage is not supported sun.management.ThreadImpl.findDeadlockedThreads(ThreadImpl.java:411) |
ZVM-28639 |
Debug files/libraries not being excluded from release artifacts |
ZVM-28588 |
weblogic crashed with "assert0(false) failed: [false expected]" |
23.02.700.0
Release date: January 16, 2024
This CPU release is based on Azul Platform Prime 23.02.600.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_401-b2 |
11 |
11.0.21.0.101+2-LTS |
17 |
17.0.9.0.101+2-LTS |
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17 |
Note 1 |
|
Security |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
21, 17, 11, 8 |
Note 3 |
|
Scripting |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8 |
Note 2 |
|
Security |
None |
No |
4.7 |
Local |
High |
Low |
None |
Unchanged |
High |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
Low |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 2 |
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 2 |
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024
23.02.600.0
Release date: November 20, 2023
This PSU release is based on Azul Platform Prime 23.02.501.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_392-b1 |
11 |
11.0.21+8-LTS |
17 |
17.0.9+8-LTS |
23.02.550.0
Release date: March 5, 2024
This release is based on Azul Platform Prime 23.02.501.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_391-b1 |
11 |
11.0.20.1.101+1-LTS |
17 |
17.0.8.1.101+1-LTS |
23.02.501.0
Release date: January 8, 2024
This release is based on Azul Platform Prime 23.02.500.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_391-b01 |
11 |
11.0.20.1.101+1-LTS |
17 |
17.0.8.1.101+1-LTS |
What’s New
-
A new diagnostic command line option has been introduced,
-XX:FalconAbortCompileWithInstrPattern=<pattern>
, which can be used to apply abortfalcon compile command only if assembly of the compiled method contains the specified pattern. The specified pattern uses regexp syntax. -
An improvement to the Time to Safepoint (TTSP) profiler has been made to include interpreter frame names and BCI during error reporting in the hs_err file.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-29440 |
VM fails to remove stale hsperfdata files after backport of JDK-8286030 |
ZVM-19215 |
Backport JDK-8215451: IsSameObject should not keep objects alive. |
ZVM-29384 |
Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance |
ZVM-29314 |
[Java17+] Improve handling of constantPool entry in klass_at_if_loaded() |
ZVM-29280 |
Record final IR in our crash handler |
ZVM-29160 |
[Falcon] Incorrect exception handling in case of unloaded klass handler |
23.02.500.0
Release date: October 17, 2023
This CPU release is based on Azul Platform Prime 23.02.400.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_391-b01 |
11 |
11.0.20.1.101+1-LTS |
17 |
17.0.8.1.101+1-LTS |
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CORBA |
CORBA |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
8 |
Note 1 |
|
JSSE |
HTTPS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 2 |
|
CVE-2023-30589 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
None |
|
CVE-2023-22091 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Compiler |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
|
CVE-2023-22025 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
None |
Note 3 |
Notes:
ID | Notes |
---|---|
1 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component, e.g., through a web service. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
3 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2023
23.02.401.0
Release date: October 12, 2023
This release is based on Azul Platform Prime 23.02.302.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_382-b2 |
11 |
11.0.20.1+1-LTS |
17 |
17.0.8.1+1-LTS |
What’s New
-
The starting point of the time period specified by the option
CompilerWarmupPeriodSeconds
has been updated. Previously, this time period began at the execution of the Main method. But, since pre-Main can have unexpectedly long initializations, the ending point of this time period could become unpredictable. The starting point of this time period has been changed to JVM startup in order to include pre-Main, giving much better predictability of when this time period ends.
Resolved Issues
Issue ID | Description |
---|---|
ZVM-27506 |
Turn on JFRDistinguishJITTypes flag by default |
ZVM-28818 |
Fix check super class access |
ZVM-28801 |
Prime jre17 fails to load management agent |
ZVM-28588 |
weblogic crashed with "assert0(false) failed: [false expected]" |
ZVM-28144 |
Exhausting java heap during early VM initialization causes a hang |
ZVM-28534 |
Prevent Falcon optimization of exception-throwing in case PrintStacktraceOnException is specified |
23.02.400.0
Release date: August 28, 2023
This PSU release is based on Azul Platform Prime 23.02.302.0 and corresponds to the following OpenJDK versions:
Major Version | OpenJDK Version |
---|---|
8 |
1.8.0_382-b2 |
11 |
11.0.20.1+1-LTS |
17 |
17.0.8.1+1-LTS |
What’s New
-
ZVision and ZVRobot have been separated from the Azul Platform Prime package due to a known vulnerability in jQuery 1.4.3, which is used in building the ZVision and ZVRobot utilities. At this time, Azul is not aware of any vulnerability in ZVision itself. For this reason, ZVision is still available for download for Azul Platform Prime subscribers at https://ftp.azul.com/releases/Zing/ZVision/ZVTools.zip
-
It is no longer necessary to LD_PRELOAD the libnmt_hooks.so library in order to use extended Native Memory Tracking (NMT). The libnmt_hooks.so library is now linked by default.
-
July 2023 CPU and PSU release security fixes.
CVE fixes
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hotspot |
None |
No |
5.1 |
Local |
High |
None |
None |
Unchanged |
High |
None |
None |
17, 11 |
Note 1 |
|
Utility |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
17, 11 |
Note 2 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 2 |
|
2D (Harfbuzz) |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
17, 11 |
Note 2 |
|
Networking |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
17, 11 |
Note 1 |
|
CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
None |
Note 1 |
CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
Note 2 |
CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
Note 2 |
CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
GraalVM Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
<