22.04.0.0

Need help?

Schedule a consultation with an Azul performance expert.

22.04.0.0

Release date: May 6, 2022

This CPU and PSU release corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	8u332
11	11.0.15+10
13	13.0.11+4
15	15.0.7+4
17	17.0.3+7

What’s New

April 2022 CPU and PSU security fixes.
Enable elimination of safepoint pauses for finding deadlocks operations by first attempting to complete them using a checkpoint using the option -XX:[+/ -]OptimizeFindDeadlocksWithCheckpoint. If a deadlock is detected in the checkpoint, it is then confirmed using a safepoint pause.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2018-25032	ZIP	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	17, 15, 13, 11, 8, 7, 6
CVE-2022-21449	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	High	None	18, 17, 15	Note 1
CVE-2022-21476	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	High	None	None	18, 17, 15, 13, 11, 8, 7	Note 1
CVE-2022-21426	JAXP	Multiple	Yes	5.3	Network	Low	None	None	Unchanged	None	None	Low	18, 17, 15, 13, 11, 8, 7, 6	Note 1
CVE-2022-21434	Libraries	Multiple	Yes	5.3	Network	Low	None	None	Unchanged	None	Low	None	18, 17, 15, 13, 11, 8, 7, 6	Note 1
CVE-2022-21496	JNDI	Multiple	Yes	5.3	Network	Low	None	None	Unchanged	None	Low	None	18, 17, 15, 13, 11, 8, 7, 6	Note 1
CVE-2022-21443	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	18, 17, 15, 13, 11, 8, 7, 6	Note 1
CVE-2022-0778 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: Node (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2018-25032

ZIP

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

17, 15, 13, 11, 8, 7, 6

CVE-2022-21449

Libraries

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

18, 17, 15

Note 1

CVE-2022-21476

Libraries

Multiple

Yes

7.5

Network

Low

None

Unchanged

High

None

18, 17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21426

JAXP

Multiple

Yes

5.3

Network

Low

None

Unchanged

None

Low

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21434

Libraries

Multiple

Yes

5.3

Network

Low

None

Unchanged

None

Low

None

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21496

JNDI

Multiple

Yes

5.3

Network

Low

None

Unchanged

None

Low

None

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21443

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

18, 17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-0778 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (OpenSSL)

HTTPS

Yes

7.5

Network

Low

None

Unchanged

None

High

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Notes

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Resolved Issues

Issue ID Description

Issue ID	Description
ZVM-21804	In container systems with an elastic CPU definition (CPU min and max both set or cgroups `cpu.shares` and `cpu.quota` both defined) `Runtime.availableProcessors()` now returns the same value as on OpenJDK (the upper limit). Previously it returned the lower bound. That API method is often used to size application thread pools.
ZVM-23002	Added support for cgroups v2.
ZVM-23091	Deadlock detection was being performed using safepoint pauses in prior releases. Starting 22.04 Prime attempts to detect deadlock using checkpoints which do not cause a global pause. If the checkpoint operation indicates the possibility of a deadlock, Prime will resort to a safepoint to confirm the same.

ZVM-21804

In container systems with an elastic CPU definition (CPU min and max both set or cgroups cpu.shares and cpu.quota both defined) Runtime.availableProcessors() now returns the same value as on OpenJDK (the upper limit). Previously it returned the lower bound. That API method is often used to size application thread pools.

ZVM-23002

Added support for cgroups v2.

ZVM-23091

Deadlock detection was being performed using safepoint pauses in prior releases. Starting 22.04 Prime attempts to detect deadlock using checkpoints which do not cause a global pause. If the checkpoint operation indicates the possibility of a deadlock, Prime will resort to a safepoint to confirm the same.

Known Issues

There are no new issues to report in this release.