[Looking for Charlie's main web site?]

New updates released for Java 8, 11, 17, and 19 as of Oct 18 2022

Here's a heads-up that some will want to hear about: there are new JVM updates released today (Oct 18, 2022) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the new interim update 19. (Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in resources below as 1.8.)

TLDR: The new updates are 1.8.0_351, (aka 8u351), 11.0.17, 17.0.5, and 19.0.1 respectively). And as is generally the case with these Java updates, most of them have the same changes and fixes as each other (though not always).

Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so take that "critical" nomenclature for what it is. For more on each of them, including what changed and the several security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. And if you may be skipping to this from a JVM update from before Apr 2021, I share also a bit more info as well as for users of Adobe ColdFusion (including where to find the updated Java versions from Adobe, what JVM versions Adobe CF supports, and more).

For some folks, that's all they need to hear. For others, read on for topics like:

  • Finding more info on these Oct 2022 Java updates
  • News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
  • Should you apply the update? how soon?
  • Beware a change in the April 2021 JVM update, if you may be skipping over it
  • Wrapping up, getting more help

Finding more info on these Jul 2022 Java updates

First, see the technotes for each of 1.8.0_351, 11.0.17, and 17.0.5, and 19.0.1.

Second, see the Java security fixes in these Oct 2022 updates or Text Form of Risk Matrix for Oracle Java SE. Note that both those documents cover all Oracle products, but I have linked to the Java-specific sections of the pages.

Finally, see the listing of specific bug fixes in each update, as offered in a link at the bottom of those update technotes for each release above.

If you are not using Adobe ColdFusion, you can skip the next section.

News for my CF audience

Since the focus of my blog and work is indeed mostly focused on those using Adobe ColdFusion, I will clarify for them that:

  • The Adobe downloads page for CF-related installers DOES now have the updated Java downloads in its bottom section. (It did not have them when I wrote this post, and indeed it has sometimes taken days, causing confusion and heartburn, though more recently they've been there within a day or two of their release.)
  • Whereas prior to May 2022, they offered a drop-down of versions at the bottom of that page, now they just list each version on its own, which is nice. (The drop-down was often out of order or not fully updated.)
  • Of course, the Oracle site does of course always have the new downloads they day they come out, for all the current versions on this one page. Note that the top of the page offers the LATEST Java versions (Java 17 and above), while Java 11 and 8 are offered later down the page. You DO need to sign in there to obtain them, but an account is free. And while some assert that CF folks "must use those from the CF downloads page", I've confirmed that the installers are binary identical (at least for the identical build number, which may change slightly over time on the Oracle site though not the Adobe site). As this installer includes the Java license, I can't see how anyone could assert that it matters WHERE you get the same installer.

As for keeping posted on updates, as a CFer (other than my blog posts or news shared from others), note that if you use Pete Freitag's wonderful HackmyCF service, he generally gets it updated within the day or two of the release of a new JVM version, warning if you are not running that latest supported Java version for your given CF version.

As for keeping track of what CF versions support what Java versions:

  • See first a past blog post I've done with a table of what CF versions formally support what Oracle Java versions.
  • While Java 17 is indeed a new long-term support release for Java, so too are Java 8 and 11 still LTS releases. And ColdFusion 2021 and 2018 (the currently supported CF versions) do NOT yet support Java 17. They only support Java 11. (While CF2018 did support Java 12 for a time, that version lived only for 6 months, like all version between 11 and 17, so Adobe did not "keep up" with all those short-term versions.) We can expect a coming update to CF 2021 (and hopefully 2018) to add support for Java 17, as has been the pattern in the past. (CF2016 supported Java 8 or 11, depending on what CF update had been applied. More on CF2016 in a later bullet point here.)
  • As for Java 19 and other short-term updates that follow it (like updates 12-16 had been), being an interim update I do not expect Adobe will be updating to support it (like they did not offer CF updates to support the interim updates before 17)
  • And in a post I did on the Apr 2019 jvm updates (which I point to in that "table" post), I cover such things as how CF only formally supports Oracle Java and not others, the short-lived Java 12 support, and more.
  • Finally, if you are on older, unsupported versions of CF (CF2016 or earlier) or Java (older updates to Java 11 or 8, or Java 7 or earlier), you are playing a dangerous game of Russian Roulette. You may not have been struck yet, but in Oct 2021 I offered a post about a nasty ransomware vulnerability hitting those who had failed to update CF with a fix Adobe had provided years ago! Even CF2016, last updated in March 2021, does not have security fixes in the updates for CF2018 and 2021 that Adobe released in Sept 2021, and any beyond. Don't be "that person", still running such older CF versions.

As for how you would go about updating Java within CF:

  • There are varying steps depending on how you installed CF (or Lucee, where it also depends on whether you're running it on Tomcat as a service), and so on
  • I'll note that if you're using Commandbox, it can update the JVM automatically if you like)
  • Otherwise, I have various resources I've created (blog posts, presentations) discussing especially updating CF and the JVM within CF, and these are covered at my cfupdate page.

I can also offer direct remote consulting help. See the bottom section here.

Should you apply the update? how soon?

(This and the next section apply whether one may be using CF or not.)

As whether you "should" apply this JVM update (going from some earlier point release of a given version to another), of course each org has to decide for themselves whether the security fixes bug fixes, and any feature changes are of concern for them. Some folks/orgs tend to wait for some period of time to "let others be the guinea pigs", while others are concerned about security and so apply any new update with security fixes right away.

Of course, the best approach is to try things in a testing environment first, but many eschew that (for any of many reasons, at their peril). Even then, of course some problems don't show themselves in testing but only in production.

As noted in the security page above, even if you may not think you "need the changes in this update", do beware that you would be vulnerable to problems fixed in PREVIOUS updates. So it's always best to be on the latest update to the JVM version (like Java 8 or 11) you're using, as soon as possible.

Indeed, I'll share that the Oracle security technotes above speak of how the fixes included in this update address vulns in the immediately preceding point release, which could mislead some. They may think, "oh, well since I am not ON that immediately preceding update, then I don't need this update!". No, no, no. You'd really need to look at the technotes for THAT preceding point release and so on--all the preceding ones, back to the point release you ARE now running--to decide if these updates to that version "affect you". But really, for most people, they should just stay updated, for the sake of ensuring they have all the latest security updates and bug fixes.

Beware a change in the April 2021 JVM update, if you may be skipping over it

Finally, I want to point out that if you may be moving to this JVM update from an older one from before the JVM updates released in April 2021 (Java 11.0.11 and 1.8.0_291, respectively), do note that when you apply this update you will therefore inherit a rather important change that was introduced in those updates (and which remains, after them.)

Briefly, Java now no longer supports calling out (via https/tls) to servers that don't support at least TLS 1.2 or above. If you may be calling out to servers (via cfhttp or Java's httpclient, or via configuration of the CF Admin pointing to database servers, mail server, ldap servers, and the like), such requests will break upon applying those or later JVM updates, if those servers don't yet support at least TLS 1.2 or above.

Of course, you may not be responsible for and may have no control over those other servers you're calling out to, so you may prefer to tell Java to allow you to keep calling out to those for now. You can do that, via a simple one-line configuration change in a Java configuration file (not JVM args). More in a moment. That said, you are removing a protection that Oracle thinks is in your interest (modern browsers do also warn or even reject attempts to access servers via https if they don't support at least TLS 1.2 or above. This change is about how Java itself reacts to them.)

For more on this Java security change, and that configuration change needed to "undo it", see my post from April 2021 on those JVM updates released then.

Wrapping up, getting more help

Again, for direct help on any of these, I can offer remote screenshare consulting help and am usually able to quickly fix problems that might take many folks hours to resolve them (if they don't deal with these issues daily like I do, helping people). Or of course, comments and questions are welcome below.

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Comments
This is a bit beside the point of the article, but since we've discussed your Awesome CF Compose repository elsewhere, it would be great to see an example of how to put together a docker-compose file that picks the version of the JVM that is being used. That might already be in your repo and I just don't see it (or I simply don't understand what I'm seeing due to my naivete on the subject). But, point of fact, if I wanted to go into my local Dockerized dev environment and try out the latest JVM, I'm not sure how I would go about it.
# Posted By Ben Nadel | 10/24/22 5:31 AM
Thanks for the question/suggestion, Ben. I had not yet done it, so I just did. It's there (https://github.com/c...) as a new folder, /cf-2021-specific-java-version. See the Dockerfile for comments on how it works, and the options you have. (At some point I will also update the readme for that folder, but I wanted to get you something ASAP.)

Let me know what you think, and if it works for you.
# Posted By charlie arehart | 10/25/22 12:29 AM
Wow, this is great! You are awesome :D Some of this is magic to me, but I appreciate all the comments in the Dockerfile (glad you're not one of those "the code should just document itself" people). Will try this out locally.
# Posted By Ben Nadel | 10/25/22 8:00 AM
Just a heads up, I updated to the new version of JAVA 11 and then attempted to run Update 15 on CF 2018. I received a Failed Signature Verification error message. I then rolled back to the previous version of JAVA and the update installed without issue.
# Posted By Jeff Horne | 10/25/22 9:08 AM
Jeff, can you be more specific? Do you mean you got the "Failed Signature Verification" error message for the download of the CF update? when you tried to do it in the CF Admin? And what update of CF2018 were you on BEFORE doing the CF update? And what update of Java 11 were you on before doing the CF update?

I ask all this because if you DO mean you got that "Failed Signature Verification" error message during the download of the CF update within the CF Admin, that was a problem in CF2018 that's not about Java at all, but rather about if you were on update 3 or earlier of CF2018. It was a problem caused by a server cert change at Adobe. What's tragic is that the last CF2018 installer Adobe ever offered only updated CF2018 to update 2: so ANYONE who might have a CF2018 installer and install it today will hit this problem.

And the update screens as well as the technotes (for CF2018 updates) tell you that before you can do any subsequent update (within the CF Admin) you must do update 4 first. (To be clear, if one does a manual download and install of a later update, then this step is not needed. It's only the download in the CF Admin which does this "signature verificaton".)

So frankly, my guess is that you tried to kill two birds with one stone: updating the java AND trying then to update CF, and hitting this problem due to the latter.

If things are as I suspect, then you should find that you can reset CF to using the new JVM, and subsequent updates for CF2018 should have no problem. I realize you may choose to "leave well enough alone", but ntoe that it IS in your interest--and Adobe recommends for security reasons-- that you be on both the latest CF update and the latest update to Java for the Java version that your CF supports: and for CF2021 and 2018 currently, that is Java 11 (only), and so 11.0.17 as of last week.
# Posted By charlie arehart | 10/25/22 9:18 AM
I'm sorry. I was on JAVA 11.0.16 and CF 2018 update 14. I installed JAVA 11.0.17 and updated the jvm.config. Inside the CF Administrator, I click on the Download and Install. After the download, I received an error message modal that stated Failed Signature Verification.
# Posted By Jeff Horne | 10/25/22 10:18 AM
After setting the jvm.config back to JAVA 11.0.16 and restarting my instances. I reentered the CF Admin and clicked on Download and Install for hotfix 15. Once the update was complete, I updated the jvm.config again and set it to JAVA 11.0.17 and will do my smoke testing now.
# Posted By Jeff Horne | 10/25/22 10:20 AM
Copyright ©2022 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting