24.10.0.0

Need help?

Schedule a consultation with an Azul performance expert.

24.10.0.0

Release date: November 5, 2024

This PSU release is based on the Azul Zing Build of OpenJDK (Zing) 24.09.0.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_431-b4
11	11.0.24.0.101+1-LTS
17	17.0.12.0.101+1-LTS
21	21.0.4.0.101+1-LTS

What’s New

Zing 24.10.0.0 features an update to JVMTI behavior in order to bring it to the modern standard. Previously, a few commercial Java application performance monitoring tools have been reporting too long GC pause times because Zing was reporting non-pausing concurrent GC durations wrongly as GC pauses over JVMTI events JVMTI_EVENT_GARBAGE_COLLECTION_START (GarbageCollectionStart) and JVMTI_EVENT_GARBAGE_COLLECTION_FINISH (GarbageCollectionFinish).

The new correct reporting may increase the actual GC pauses slightly if monitoring software attached with -javaagent using JVMTI is active.
Zing 24.10.0.0 enables the previously implemented command line option OptimizeIdentityHashForDistribution by default. This option implements an optimization to the distribution of identity hash codes. Enabling this option optimizes the protocol for distributing hash codes. Otherwise, some hash table implementations are prone to an unreasonable number of collisions.
The version of libstdc++ packaged with Zing has been upgraded from libstdc++.so.6.0.24 to libstdc++.so.6.0.32.
October 2024 CPU and PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2024-21208	Networking	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	21, 17, 11, 8	Note 1
CVE-2024-21217	Serialization	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	21, 17, 11, 8	Note 2
CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK: Node (Node.js)	Multiple	Yes	8.1	Network	High	None	None	Unchanged	High	High	High	None
CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (WebKitGTK)	Multiple	Yes	7.5	Network	High	None	Required	Unchanged	High	High	High	None	Note 1
CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (libxml2)	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None	Note 1
CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	4.8	Network	High	None	None	Unchanged	Low	Low	None	None	Note 2
CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	None	Note 2
CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	None	Note 2

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2024-21208

Networking

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21217

Serialization

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

21, 17, 11, 8

Note 2

CVE-2024-36138 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

Multiple

Yes

8.1

Network

High

None

Unchanged

High

None

CVE-2023-42950 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

High

None

Required

Unchanged

High

None

Note 1

CVE-2024-25062 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (libxml2)

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

Note 1

CVE-2024-21235 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

Unchanged

Low

None

Note 2

CVE-2024-21210 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

Note 2

CVE-2024-21211 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

Note 2

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Notes

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for October 2024

Known Issues

There are no new issues to report in this release.

Resolved Issues

Issue ID	Description
ZVM-31914	Disable limit on CNC reconnection attempts
ZVM-32504	Crash when multiple threads race to fill the last slot available in VM internal constant table
ZVM-32164	Make sure RN’s initialization order is not affected by parallel application activity
ZVM-31866	ReadyNow threads should not cause OOM
ZVM-31197	Null returned in unixSystem.getUsername()

Issue ID

Description

ZVM-31914

Disable limit on CNC reconnection attempts

ZVM-32504

Crash when multiple threads race to fill the last slot available in VM internal constant table

ZVM-32164

Make sure RN’s initialization order is not affected by parallel application activity

ZVM-31866

ReadyNow threads should not cause OOM

ZVM-31197

Null returned in unixSystem.getUsername()