23.02.400.0

Need help?

Schedule a consultation with an Azul performance expert.

23.02.400.0

Release date: August 28, 2023

This PSU release is based on Azul Prime 23.02.302.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_382-b2
11	11.0.20.1+1-LTS
17	17.0.8.1+1-LTS

What’s New

ZVision and ZVRobot have been separated from the Azul Prime package due to a known vulnerability in jQuery 1.4.3, which is used in building the ZVision and ZVRobot utilities. At this time, Azul is not aware of any vulnerability in ZVision itself. For this reason, ZVision is still available for download for Azul Prime subscribers at https://ftp.azul.com/releases/Zing/ZVision/ZVTools.zip
It is no longer necessary to LD_PRELOAD the libnmt_hooks.so library in order to use extended Native Memory Tracking (NMT). The libnmt_hooks.so library is now linked by default.
July 2023 CPU and PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2023-22041	Hotspot	None	No	5.1	Local	High	None	None	Unchanged	High	None	None	17, 11	Note 1
CVE-2023-22036	Utility	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	17, 11	Note 2
CVE-2023-22049	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 11, 8	Note 2
CVE-2023-25193	2D (Harfbuzz)	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	17, 11	Note 2
CVE-2023-22006	Networking	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	None	Low	None	17, 11	Note 1
CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	None	Note 1
CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None	Note 2
CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None	Note 2
CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	GraalVM Compiler	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2023-22041

Hotspot

None

5.1

Local

High

None

Unchanged

High

None

17, 11

Note 1

CVE-2023-22036

Utility

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

17, 11

Note 2

CVE-2023-22049

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 11, 8

Note 2

CVE-2023-25193

2D (Harfbuzz)

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

17, 11

Note 2

CVE-2023-22006

Networking

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

17, 11

Note 1

CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

Note 1

CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Note 2

CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Note 2

CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

GraalVM Compiler

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Notes

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2023

Azul Prime 23.02.400.0 contains Zing Critical Fixes (ZCF).

Known Issues

There are no new issues to report in this release.

Resolved Issues

Issue ID	Description
ZVM-28301	Fix java_lang_String::hash_code
ZVM-28295	Avoid implicit type conversion when calling the Address constructor with Register parameter
ZVM-28242	[AArch64] JFR profiler does not collect stack traces
ZVM-27897	Hadoop fails with Prime when -XX:+UseAES is used
ZVM-27796	SEGV due to module loading early during JVM init
ZVM-25950	Backport JDK-7059899 Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV

Issue ID

Description

ZVM-28301

Fix java_lang_String::hash_code

ZVM-28295

Avoid implicit type conversion when calling the Address constructor with Register parameter

ZVM-28242

[AArch64] JFR profiler does not collect stack traces

ZVM-27897

Hadoop fails with Prime when -XX:+UseAES is used

ZVM-27796

SEGV due to module loading early during JVM init

ZVM-25950

Backport JDK-7059899 Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV