24.02.301.0
24.02.301.0
Release date: July 17, 2024
This CPU release is based on Azul Prime 24.02.202.0 and corresponds to the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
8 |
1.8.0_421-b1 |
11 |
11.0.23.0.101+2-LTS |
17 |
17.0.11.0.101+3-LTS |
21 |
21.0.3.0.101+4-LTS |
What’s New
-
July 2024 CPU release security fixes.
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2D |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
21, 17, 11, 8 |
Note 1 |
|
Concurrency |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
None |
Low |
11, 8 |
Note 2 |
|
CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK |
HTTP/2 |
Yes |
8.2 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
High |
None |
|
CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 1 |
CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024
-
Changes to the RootCA Certificates
Following a trend led by the Mozilla and Chrome browsers regarding CA certificate policies (see this conversation and message for more details), the RootCA
GLOBALTRUST 2020from CA certs has been removed. If this impacts you, you can add the certificate back by running the following command:keytool -importcert -file <my-crt-file-location> -cacerts -storepass changeit -noprompt -alias <my-alias>