23.04.0.0

Need help?

Schedule a consultation with an Azul performance expert.

23.04.0.0

Release date: April 28, 2023

This PSU release is based on Azul Prime 23.03.0.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_372-b2
11	11.0.19+7-LTS
17	17.0.7+7-LTS

What’s New

April 2023 CPU and PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2023-21930	JSSE	TLS	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	17, 11, 8	Note 1
CVE-2023-21967	JSSE	HTTPS	Yes	5.9	Network	High	None	None	Unchanged	None	None	High	17, 11, 8	Note 1
CVE-2023-21939	Swing	HTTP	Yes	5.3	Network	Low	None	None	Unchanged	None	Low	None	17, 11, 8	Note 1
CVE-2023-21937	Networking	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 11, 8	Note 1
CVE-2023-21938	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 11, 8	Note 2
CVE-2023-21968	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 11, 8	Note 1
CVE-2023-21954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	5.9	Network	High	None	None	Unchanged	High	None	None	None	Note 1
CVE-2023-21986 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Native Image	None	No	5.7	Local	Low	None	None	Changed	None	Low	Low	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2023-21930

JSSE

TLS

Yes

7.4

Network

High

None

Unchanged

High

None

17, 11, 8

Note 1

CVE-2023-21967

JSSE

HTTPS

Yes

5.9

Network

High

None

Unchanged

None

High

17, 11, 8

Note 1

CVE-2023-21939

Swing

HTTP

Yes

5.3

Network

Low

None

Unchanged

None

Low

None

17, 11, 8

Note 1

CVE-2023-21937

Networking

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 11, 8

Note 1

CVE-2023-21938

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 11, 8

Note 2

CVE-2023-21968

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 11, 8

Note 1

CVE-2023-21954 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

Unchanged

High

None

Note 1

CVE-2023-21986 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Native Image

None

5.7

Local

Low

None

Changed

None

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
2	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Notes

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2023

Cloud Native Compiler (CNC) 1.7 client support.
The command line option, AllocCodeCacheInLower2G, is now supported on the AArch64 system architecture, which is set to true by default. This option allocates code cache and related data structures at virtual address within 2 GB. To allow allocation to higher memory addresses, use -XX:-AllocCodeCacheinLower2G.
A new command line option, GPGCCommitInitialHeapLazily, has been introduced, which is set to false by default. When enabled, this option prevents the whole of the initial heap size, InitialHeapSize or -Xms, from being committed from the OS upfront.

With this option enabled, use the option GPGCLazyInitialHeapCommitPercent to specify how much of Xms shall be committed from the OS upfront, at startup. The default value for GPGCLazyInitialHeapCommitPercent is 50. The remainder gets committed based on regular elastic heap heuristics.
The command line option InitialHeapSize is now incorporated in Azul Prime in order to keep compatibility with OpenJDK. InitialHeapSize can be used instead of -Xms<size> on the command line.

Note	The command line argument `MaxHeapSize` can also be used instead of `-Xmx<size>`

Known Issues

There are no new issues to report in this release.

Resolved Issues

Issue ID	Description
ZVM-25950	Backport JDK-7059899 Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV

Issue ID

Description

ZVM-25950

Backport JDK-7059899 Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV