Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Java News Roundup: JDK 18 in Rampdown, JDK 19 Expert Group, Log4j2 Vulnerability, MicroProfile 5.0

Java News Roundup: JDK 18 in Rampdown, JDK 19 Expert Group, Log4j2 Vulnerability, MicroProfile 5.0

This item in japanese

Lire ce contenu en français

This week's Java roundup for December 6th, 2021, features news from OpenJDK JEPs, JDK 18 having moved into Rampdown Phase One, the creation of JDK 19 expert group, the discovery of a remote code execution vulnerability in Log4J, MicroProfile 5.0, and various Spring, Hibernate and Quarkus point releases.


After its review had concluded, JEP 421, Deprecate Finalization for Removal, was promoted from Proposed to Target to Targeted status for JDK 18. This JEP deprecates the finalization mechanism, first introduced in JDK 1.0, for removal in a future JDK release. While finalization was designed to avoid resource leaks, it suffered several critical flaws such as unpredictable latency, uncontrolled behavior and threading, and was always enabled by default.

JDK 18

Build 27 of the JDK 18 early-access builds was made available this past week, featuring updates from Build 26 that include fixes to various issues. More details may be found in the release notes.

As per the JDK 18 release schedule, Mark Reinhold, chief architect, Java Platform Group at Oracle, formally declared that JDK 18 has entered Rampdown Phase One. This means that the main-line source repository has been forked to the JDK stabilization repository and no additional JEPs will be added for JDK 18. Therefore, the final set of nine (9) features for the GA release in March 2022 include:

Developers are encouraged to report bugs via the Java Bug Database.

JDK 19

JSR 394, Java SE 19, was submitted this past week to formally announce the six-member expert group for JDK 19, namely Simon Ritter (Azul Systems), Manoj Palat (Eclipse Foundation), Andrew Haley (Red Hat), Christoph Langer (SAP SE), Iris Clark (Oracle) and Brian Goetz (Oracle). Clark and Goetz will serve as the specification leads. Other notable dates at this time include a public review from June 2022 through August 2022 and the GA release in September 2022.

Build 1 of the JDK 19 early-access builds was also made available this past week.

Remote Code Execution Vulnerability in Log4j2

A zero-day exploit in the popular Log4j2 logging utility was discovered this past week affecting versions 2.0 through 2.14.1. CVE-2021-44228, a remote code execution vulnerability, takes advantage of a flaw in the Java Naming and Directory Interface allowing malicious code to be executed within logs. Contributors to Log4j2 quickly addressed this vulnerability with a new version 2.15.0. InfoQ has followed up with this detailed news story.


The MicroProfile Working Group has released MicroProfile 5.0 featuring updates to all eight community-developed APIs, namely Config 3.0, Fault Tolerance 4.0, Health 4.0, JWT Authentication 2.0, Metrics 4.0, OpenAPI 3.0, OpenTracing 3.0 and Rest Client 3.0.

The CDI, JAX-RS, JSON-P and JSON-B APIs, originally based on their equivalent JSRs, are now based on their equivalent Jakarta EE 9.1 specifications, namely Jakarta Contexts and Dependency Injection 3.0 (CDI), Jakarta RESTful Web Services 3.0 (JAX-RS), Jakarta JSON Processing 2.0 (JSON-P) and Jakarta JSON Binding 2.0 (JSON-B). The Jakarta Annotations 2.0 specification, a collection of annotations representing common semantic concepts that enable a declarative style of programming, was recently added to the core set of MicroProfile APIs.

Context Propagation 1.3 was the only updated standalone specification.

InfoQ will follow up with a more detailed news story.

Spring Framework

While there were only three point releases over at Spring, the team focused on addressing the Log4j2 vulnerability in Spring Boot. Developers maintaining Spring Boot applications would only be affected by this vulnerability if they have selected their default logging to Log4j2.

Spring Tools 4 for Eclipse, Visual Studio Code, and Theia 4.13.0 has been released to include the Eclipse 2021-12 and builds for the Apple Silicon platform (ARM M1). Further details may be found in the changelog.

With the recent release of the Spring Cloud 2021.0.0 (aka Jubilee), Spring Cloud Sleuth 3.1.0 was made available featuring support for a number of Spring-related technologies such as Spring Cloud Config, Spring Cloud Stream Reactive, Spring Session and Spring Cloud Task. There is also support for Cassandra.

Spring Native 0.11 has been released with new features such as a new annotation, @DocumentReference, to support lazy loading for Spring Data MongoDB, restore support for Spring Integration, and support for non-Spring Boot tests. Spring Native should be used with GraalVM 21.3, Spring Boot 2.6 and Spring Cloud 2021.0.


Hibernate ORM 5.6.2.Final, a maintenance release in the version 5.6 release train, features a reversal of deprecations identified in version 5.6.1.Final based on Java community feedback as "many users highlighted that this deprecation was confusing as it's not 'actionable': since there is no replacement API yet, they had no way to resolve such deprecations other than ignoring them." More details may be found in their list of issues.

Hibernate Search 6.1.0.Beta1 has been released with new features such as distributed indexing that dynamically scales, support for Jakarta EE 9.1, and custom Elasticsearch index mapping. Among some breaking changes, the database-polling coordination strategy was renamed to outbox-polling.


A second maintenance release, Quarkus 2.5.2.Final, was made available by Red Hat this past week featuring numerous bug fixes and improvements in documentation. Further details may be found in the changelog.

Rate this Article