Open JDK build number for JDK 8 is displayed incorrectly in java -version output.
25.04.0.0
25.04.0.0
Release date: May 7, 2025
This CPU release is based on the Azul Zing Build of OpenJDK (Zing) 25.03.0.0 and corresponds to the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
8 |
1.8.0_451-b2 |
11 |
11.0.26.0.101+2-LTS |
17 |
17.0.14.0.101+2-LTS |
21 |
21.0.6.0.101+2-LTS |
What’s New
-
Zing 25.04.0.0 changes the default values for the following command line options:
-
-XX:DefensiveHeapShrinkingXmxSacrificePercenthas changed from 5% to 10% by default. For more information about this option, see Command Line Options, Defensive Heap Shrinking -
-XX:+AccountInactiveFileCacheAsAvailableMemoryhas changed from false to true by default. This option tells the VM to include inactive file cache when computing available memory for new allocations, used with elastic heaps and defensive heap shrinking. -
-XX:RNOConnectionTimeoutMillishas changed from 5000 milliseconds to 10000 milliseconds. For more information about this option, see Command Line Options, ReadyNow Orchestrator JVM Options
-
-
Zing 25.04.0.0 introduces three new command line options:
-
-XX:PeriodicCCFTriggerIntervalSec- When using incremental code cache flushing,-XX:+UseIncrementalCodeCacheFlushing, this parameter sets the maximum interval, in seconds, before the old garbage collector is asked to re-enable flushing of code blobs. This option is set to 3600 by default. -
-XX:+UnifiedCompilerFrontendReplay- Allows us to collect more information about a crashing compile to improve reproducibility outside of the VM. This option is true by default. -
-XX:ProfilePersistCodeProfilesPeriodSec- Enables periodic dumping of runtime bytecode profiling counters to the ReadyNow profile log at the interval specified, in seconds. If you set the option to 0, a dump occurs only on a graceful JVM shutdown. The default value is -1, which disables the feature.
-
-
April 2025 CPU release security fixes.
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JSSE |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 2 |
|
2D |
Multiple |
Yes |
5.6 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
Low |
21, 17, 11, 8 |
Note 1 |
|
CVE-2025-23083 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Node (Node.js) |
None |
No |
7.7 |
Local |
Low |
None |
None |
Unchanged |
High |
High |
None |
None |
|
CVE-2024-47606 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (gstreamer) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2024-54534 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
JavaFX (WebKitGTK) |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
CVE-2025-30691 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Compiler |
Multiple |
Yes |
4.8 |
Network |
High |
None |
None |
Unchanged |
Low |
Low |
None |
None |
Note 1 |
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
Additional CVEs addressed are:
-
The patch for CVE-2024-54534 also addresses CVE-2024-27856, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54543, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158, and CVE-2025-24162.
-
The patch for CVE-2024-47606 also addresses CVE-2024-47544, CVE-2024-47545, CVE-2024-47546, CVE-2024-47596, CVE-2024-47597, CVE-2024-47775, CVE-2024-47776, CVE-2024-47777, and CVE-2024-47778.
For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for April 2025
Known Issues
| Issue ID | Description |
|---|---|
ZVM-34474 |
Resolved Issues
| Issue ID | Description |
|---|---|
ZVM-34453 |
Wrong amount of memory uncommitted when elastic heaps are enabled (Xms not equal to Xmx) since Zing 25.02.1.0 |
ZVM-34292 |
Crash at safepoint in first call instrumentation of JNI-called methods with a large number of arguments |
ZVM-34329 |
Crash in malloc_usable_size when using jemalloc as allocator |