22.07.0.0

Need help?

Schedule a consultation with an Azul performance expert.

22.07.0.0

Release date: July 29, 2022

This PSU release is based on Azul Prime 22.06.0.0 and 22.02.300.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	8u342
11	11.0.16
13	13.0.12
15	15.0.8
17	17.0.4

What’s New

July 2022 PSU release fixes.
ZVM-24301 - New command line option UseContainerCpuShares, default true, to consider CPU shares when computing available processors inside a cgroup. This option was backported from OpenJDK 17 and it is important to note that while OpenJDK has a default value of false, the default value in Azul Prime is true.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2022-34169	JAXP (Xalan-J)	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	High	None	17, 15, 13, 11, 8	Note 1
CVE-2022-21541	Hotspot	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	17, 15, 13, 11, 8	Note 1
CVE-2022-21540	Hotspot	Multiple	Yes	5.3	Network	Low	None	None	Unchanged	Low	None	None	17, 15, 13, 11, 8	Note 1
CVE-2022-21549	Libraries	Multiple	Yes	5.3	Network	Low	None	None	Unchanged	None	Low	None	17	Note 1
CVE-2022-25647 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Native Image (Gson)	None	No	6.2	Local	Low	None	None	Unchanged	None	None	High	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2022-34169

JAXP (Xalan-J)

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

17, 15, 13, 11, 8

Note 1

CVE-2022-21541

Hotspot

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

17, 15, 13, 11, 8

Note 1

CVE-2022-21540

Hotspot

Multiple

Yes

5.3

Network

Low

None

Unchanged

Low

None

17, 15, 13, 11, 8

Note 1

CVE-2022-21549

Libraries

Multiple

Yes

5.3

Network

Low

None

Unchanged

None

Low

None

Note 1

CVE-2022-25647 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Native Image (Gson)

None

6.2

Local

Low

None

Unchanged

None

High

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and relies on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Notes

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and relies on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

Issue ID	Description
ZVM-16112	Applications using munlockall() require -XX:-UseThreadStateNativeWrapperProtocol on the command line to avoid crash or inconsistency if the rare situation occurs that the application gets swapped out after the munlockall() invocation.

Issue ID

Description

ZVM-16112

Applications using munlockall() require -XX:-UseThreadStateNativeWrapperProtocol on the command line to avoid crash or inconsistency if the rare situation occurs that the application gets swapped out after the munlockall() invocation.