21.04.0.0

Need help?

Schedule a consultation with an Azul performance expert.

21.04.0.0

Release date: April 30, 2021

This CPU and PSU release is based on the following OpenJDK versions:

Major Version	OpenJDK Version
7	7u302
8	8u292
11	11.0.11+9
13	13.0.7+5
15	15.0.3+3

What’s New

April 2021 CPU and PSU fixes.
Quicker acquisition of transparent huge pages on Ubuntu, Amazon Linux or similar Linux systems with kernel 4.19.7 or newer in non-ZST mode. This can help get peak performance earlier as well as enable faster java process restart when THP is configured.
Default value of Xmx in cgroups is now the minimum of 25% of cgroup memory limit and 32 GB. Prior to 21.04.0.0, it was 25% of cgroup memory limit.
Reduced code cache usage for applications with high number of classes or interfaces and a large number of associated methods.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2021-2161	Libraries	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	16, 15, 13, 11, 8, 7, 6	Note 1
CVE-2021-2163	Libraries	Multiple	Yes	5.3	Network	High	None	Required	Unchanged	None	High	None	16, 15, 13, 11, 8, 7, 6	Note 2
CVE-2021-23841 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: Node (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2021-3450 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: Node (Node.js)	HTTPS	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2021-2161

Libraries

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

16, 15, 13, 11, 8, 7, 6

Note 1

CVE-2021-2163

Libraries

Multiple

Yes

5.3

Network

High

None

Required

Unchanged

None

High

None

16, 15, 13, 11, 8, 7, 6

Note 2

CVE-2021-23841 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (OpenSSL)

HTTPS

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2021-3450 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTPS

Yes

7.4

Network

High

None

Unchanged

High

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.
2	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Notes

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.