23.08.400.0

Need help?

Schedule a consultation with an Azul performance expert.

23.08.400.0

Release date: February 23, 2024

This PSU release is based on Azul Prime 23.08.300.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_402-b1
11	11.0.22+7-LTS
17	17.0.10+7-LTS

What’s New

Azul Prime 23.08.400.0 introduces a new option, -XX:FalconAbortCompileWithInstrPattern=<pattern>, which you can use to abort the compilation of methods whose assembly contains the specified pattern. This way you can "exclude" a bad compilation, while still getting its IR/obj dump, even if it’s not the first compilation of that method.
Azul Prime 23.08.400.0 includes an improvement to the TTSP profiler to include interpreter frame names and BCI.
January 2024 PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2024-20932	Security	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	High	None	17	Note 1
CVE-2024-20952	Security	Multiple	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	21, 17, 11, 8	Note 1
CVE-2024-20919	Hotspot	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	21, 17, 11, 8	Note 3
CVE-2024-20926	Scripting	Multiple	Yes	5.9	Network	High	None	None	Unchanged	High	None	None	11, 8	Note 2
CVE-2024-20945	Security	None	No	4.7	Local	High	Low	None	Unchanged	High	None	None	21, 17, 11, 8	Note 1
CVE-2024-20923	JavaFX	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	Low	None	None	21, 17, 11, 8	Note 1
CVE-2024-20925	JavaFX	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	None	Low	None	21, 17, 11, 8	Note 1
CVE-2024-20922	JavaFX	None	No	2.5	Local	High	None	Required	Unchanged	None	Low	None	21, 17, 11, 8	Note 1
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK: Node (Node.js)	HTTP	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	None	Note 2
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	5.9	Network	High	None	None	Unchanged	High	None	None	None	Note 2
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

Unchanged

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

Unchanged

High

None

11, 8

Note 2

CVE-2024-20945

Security

None

4.7

Local

High

Low

None

Unchanged

High

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

Unchanged

High

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

Unchanged

High

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
3	This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024

Known Issues

There are no new issues to report in this release.

Resolved Issues

Issue ID	Description
ZVM-29800	The 'libjvm.so' file is significantly larger in the aarch64 build compared to the x64 build
ZVM-29388	aarch64 builds contain debug symbols - much larger than x64
ZVM-29384	Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance
ZVM-29078	Do not report ConnectedCompiler thread as compiler thread to GC log
ZVM-27809	ZVM crashes with GCC 13 unwinder

Issue ID

Description

ZVM-29800

The 'libjvm.so' file is significantly larger in the aarch64 build compared to the x64 build

ZVM-29388

aarch64 builds contain debug symbols - much larger than x64

ZVM-29384

Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance

ZVM-29078

Do not report ConnectedCompiler thread as compiler thread to GC log

ZVM-27809

ZVM crashes with GCC 13 unwinder