23.02.200.0
23.02.200.0
Release date: May 16, 2023
This PSU release is based on Azul Prime 23.02.101.0 and corresponds to the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
8 |
1.8.0_372-b1 |
11 |
11.0.19+7-LTS |
17 |
17.0.7+7-LTS |
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JSSE |
TLS |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
17, 11, 8 |
Note 1 |
|
JSSE |
HTTPS |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
None |
High |
17, 11, 8 |
Note 1 |
|
Swing |
HTTP |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 1 |
|
Networking |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 1 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 2 |
|
Libraries |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 11, 8 |
Note 1 |
|
CVE-2023-21954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 1 |
CVE-2023-21986 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Native Image |
None |
No |
5.7 |
Local |
Low |
None |
None |
Changed |
None |
Low |
Low |
None |
|
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2023
-
Some Falcon CPU Budgeting options have been renamed according to the following table:
Changed from: Changed to: CompilerTier2BudgetingThreadsPercent
CompilerTier2BudgetingCPUPercent
CompilerTier2BudgetingWarmupThreadsPercent
CompilerTier2BudgetingWarmupCPUPercent
CompilerTier2BudgetMaxMs
CompilerTier2BudgetWindowDurationMs
For more information on Falcon CPU Budgeting options, see Command Line Options, CPU Budgeting Options
-
The command line option
UseTrueObjectsForUnsafehas been set totrueby default. This option forces unsafe objects to be returned in their true object form instead of the equivalent java class object. For example, withUseTrueObjectsForUnsafedisabled, java.lang.Class can be returned instead of the true klassOop.