VM fails to remove stale hsperfdata files after backport of JDK-8286030
24.01.0.0
24.01.0.0
Release date: January 31, 2024
This release is based on Azul Prime 23.12.0.0 and corresponds to the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
8 |
1.8.0_402-b3 |
11 |
11.0.22+7-LTS |
17 |
17.0.10+7-LTS |
21 |
21.0.2+13-MTS |
What’s New
-
From Azul Prime 24.01.0.0, the garbage collector’s (GC) CPU usage is logged by default. Previously, you had to use the option
-XX+:PrintGCDetails. You can view these metrics now by default in GC Log Analyzer in the GC CPU Usage graph. GC CPU Usage is split into 3 metrics, "marking CPU usage," "relocation CPU usage," and "fixup pass," which appear as "New GC Mark," "New GC Reloc," and "New GC Fixup" in the GC CPU Usage graph. -
Azul Prime 24.01.0.0 includes a new lightweight, fully functional distribution of the Java Runtime Environment (JRE) for Java 8, 11, 17 and 21. The new Java JREs saves a significant amount of space by removing various debugging options and developer options. The Azul Prime Builds of JRE still fully supports Optimizer Hub and Azul Vulnerability Detection (AVD).
-
Azul Prime 24.01.0.0 introduces a small but significant change to the behavior of
-XX:ProfileStartupLimitInSeconds. Now, when you set this option to0, it means 0 seconds. Previously, if you set this flag to0, it would be interpreted as "infinite". You can still specify "infinite" by using any negative number, for example-1. The default behavior without setting this option remains the same, i.e. the default remains60. -
January 2024 CPU and PSU release security fixes.
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17 |
Note 1 |
|
Security |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
21, 17, 11, 8 |
Note 3 |
|
Scripting |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8 |
Note 2 |
|
Security |
None |
No |
4.7 |
Local |
High |
Low |
None |
Unchanged |
High |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
Low |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 2 |
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 2 |
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for January 2024
Resolved Issues
| Issue ID | Description |
|---|---|
ZVM-29440 |
|
ZVM-19215 |
Backport JDK-8215451: IsSameObject should not keep objects alive. |
ZVM-29526 |
[JCK-runtime-21] JCK test crashed api/javax_net/ssl/SSLSocket/Description.html with V [libjvm.so+0x6339b8] void GPGC_MarkAlgorithm::drain_stacks(GPGC_GCManagerOldStrong*)+0x638 |
ZVM-29388 |
aarch64 builds contain debug symbols - much larger than x64 |
ZVM-29384 |
Backport JDK-8153413: Exceptions::_throw always logs exceptions, penalizing performance |
ZVM-4337 |
[JVMTI] Zing does not provide inlining data on CompiledMethodLoad |