Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Java News Roundup: OpenJDK, Spring Updates and CVEs, Payara Platform, Apache Tomcat Updates

Java News Roundup: OpenJDK, Spring Updates and CVEs, Payara Platform, Apache Tomcat Updates

This item in japanese

Lire ce contenu en français

This week's Java roundup for May 16th, 2022, features news from OpenJDK for JDK 19, Jakarta EE 10, Spring milestone and point releases and CVEs, May 2022 Payara Platform release, Quarkus 2.9.1.Final, Micronaut 3.4.4, WildFly 16.1.1, Hibernate ORM 5.6.9.Final, Hibernate Reactive 11.5.Final, JDKMon 17.0.25, JobRunr 5.1.2, JReleaser early-access, Apache Tomcat point releases and Apache Camel 3.17.0.


Despite its one-week review having ended on May 19, 2022, JEP 405, Record Patterns (Preview), still remains as Proposed to Target status for JDK 19. This JEP, under the auspices of Project Amber, proposes to enhance the language with record patterns to deconstruct record values. Record patterns may be used in conjunction with type patterns to "enable a powerful, declarative, and composable form of data navigation and processing." Type patterns were recently extended for use in switch case labels via JEP 406, Pattern Matching for switch (Preview) (delivered in JDK 17), and JEP 420, Pattern Matching for switch (Second Preview) (delivered in JDK 18).

JEP 428, Structured Concurrency (Incubator), was promoted from its JEP Draft 8277129 to Candidate status. This incubating JEP, under the auspices of Project Loom, proposes to simplify multithreaded programming by introducing a library to treat multiple tasks running in different threads as a single unit of work. This can streamline error handling and cancellation, improve reliability, and enhance observability.

JDK 19

Build 23 of the JDK 19 early-access builds was made available this past week, featuring updates from Build 22 that include fixes to various issues. More details may be found in the release notes.

As the target date established for Rampdown Phase 1 approaches June 9, 2022, the feature set for JDK 19 currently stands at these six features:

Developers are encouraged to report bugs via the Java Bug Database.

Jakarta EE

On the road to Jakarta EE 10, Ivar Grimstad, Jakarta EE developer advocate at the Eclipse Foundation, announced in his Hashtag Jakarta EE weekly blog that the new target date for the Jakarta EE 10 Platform specification to enter its release review is June 9, 2022. This decision was made to ensure that enterprise applications will be fully compatible with JDK 11 and JDK 17. Also, Eclipse GlassFish, having recently provided an intermediate pre-release between versions 7.0.0-M4 and the upcoming 7.0.0-M5, is well on its way to passing the TCK for JDK 11, but work remains for passing the TCK on JDK 17.

Spring Framework

It was a very busy week for the Spring team, providing a number of point releases, milestone releases and CVEs related to Spring Boot, Spring for GraphQL, Spring Data, Spring Session and Spring Security.

Spring Boot 2.7.0 was released to deliver: auto-configuration and metrics for Spring for GraphQL 1.0; and new annotations, @DataCouchbaseTest and @DataElasticsearchTest, for testing on Couchbase and Elasticsearch, respectively. Dependency upgrades include: Spring Data 2021.2, Spring HATEOAS 1.5, Spring LDAP 2.4, Spring Security 5.7 and Spring Session 2021.2. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.

Spring Boot 2.6.8 has been released featuring 35 bug fixes, documentation improvements, and dependency upgrades. More details on this release may be found in the release notes.

Spring Boot 2.5.14 has been released featuring 29 bug fixes, documentation improvements, and dependency upgrades. The 2.5 release train has reached end-of-life and developers should consider upgrading to a higher version of Spring Boot. More details on this release may be found in the release notes.

On the road to Spring Boot 3.0.0, the third milestone release was made available featuring: auto-configuration for Micrometer Observation, Tracing, and OtlpMeterRegistry; and support for REST Assured and Pooled JMS have been reinstated. More details on this release may be found in the release notes.

Two years since the first commit and 10 months since it was first introduced to the Java community, Spring for GraphQL 1.0 has been released featuring: an annotation-based programming model for data fetchers; Querydsl and Query by Example repositories as data fetchers; improved server, client and testing over HTTP, WebSocket, and RSocket; and field-level security through annotations on data @Controller methods. InfoQ will follow up with a more detailed news story.

Spring Data 2021.2 and the fourth milestone release of 2022.0 have been made available. The 2022.0 release train will be based on Spring Framework 6, JDK 17 and Jakarta EE 9. Features for Spring Data 2021.2, codenamed Raj, include: declarative Update methods in the data-mongodb module; improved support for @IdClass handling in the data-jpa module; reindexing support in the data-elasticsearch module; and direct projections for the data-cassandra module. More details on this release may be found in the release notes.

Spring Session 2021.2 has been released featuring a dependency upgrade to Spring Data 2021.2. This release is also a gateway to the next generation of Spring Session that will be built on Spring Framework 6.0.

CVE-2022-22978, Authorization Bypass in RegexRequestMatcher, was issued, but inadvertently identified as CVE-2022-22975. Applications using an instance of the RegexRequestMatcher class with ‘.’ in a regular expression are potentially vulnerable to an authorization bypass.

CVE-2022-22976, BCrypt Skips Salt Rounds for Work Factor of 31, has also been issued to address an integer overflow error that causes the encoder to not perform any salt rounds.

Spring Security versions 5.7.1, 5.6.5 and 5.5.8 have been released that deliver a bug fix where an instance of the StrictHttpFirewall class incorrectly rejects valid Chinese, Japanese, Korean and Vietnamese (CJKV) characters.

Spring Security versions 5.7.0, 5.6.4, 5.5.7 have also been released to address the aforementioned CVE-2022-22978 and CVE-2022-22976 vulnerabilities.

On the road to Spring Security 6.0.0, the fifth milestone release was made available to deliver notable changes such as: authorization required on every dispatch type; change the default of the shouldFilterAllDispatchTypes property to true; change the default security context filter from the SecurityContextPersistenceFilter class to the SecurityContextHolderFilter class; and remove all deprecations defined in the SAML API. This release also includes the fix where an instance of the StrictHttpFirewall class incorrectly rejects valid CJKV characters.


Payara has released the May 2022 edition of their Payara Platform as an enterprise-only release. Payara Platform Enterprise 5.39.0 edition delivers four bug fixes, two component upgrades, and five improvements that include: support for JDK 17; and the ability to specify the timeout options upon invoking the Admin Console. More details on this release may be found in the release notes.


One week after the release of Quarkus 2.9.0, Red Hat has provided a maintenance release with Quarkus 2.9.1.Final that features bug fixes and improvements in documentation along with dependency upgrades that include: GraalVM 22.1, Hibernate Reactive 1.1.5.Final, Hibernate ORM 5.6.9.Final, Micrometer BOM 1.8.6 and Infinispan 13.0.10.Final. More details on this release may be found in the changelog.


The Micronaut Foundation has released Micronaut 3.4.4 featuring updates to Micronaut modules: Micronaut Maven Plugin 3.2.4, Micronaut SQL 4.2.3, Micronaut JAX-RS 3.2.1, Micronaut Oracle Cloud 2.1.3, Micronaut MQTT 2.1.1 and Micronaut OpenAPI 4.0.1. More details on this release may be found in the release notes.


Five weeks after the release of WildFly 26.1, Red Hat has provided a maintenance release with version 26.1.1 featuring many component upgrades that includes: WildFly Core 18.1.1.Final, Smallrye Config 2.10.0, Smallrye Health 3.2.1, Netty 4.1.76, and RESTEasy 6.0.1.Final. More details on this release may be found in the release notes.


JBoss has provided updates on Hibernate ORM and Hibernate Reactive this past week.

Hibernate ORM 5.6.9.Final, a maintenance release in the 5.6 release train, delivers patches and critical bug fixes.

Hibernate Reactive 1.1.5.Final delivers a critical bug fix for developers using the Stage.SessionFactory and Stage.Session interfaces. Developers should also upgrade to this latest release if their application generates an occasional "No Vert.x context active" error message.


The latest version of JDKMon, a new tool that monitors and updates installed JDKs, has been made available to the Java community. Created by Gerrit Grunwald, principal engineer at Azul, version 17.0.25 ships with: fixes related to the Linux version; and the indicator for CVEs has been replaced with a new one.


Ronald Dehuysser, founder and primary developer of JobRunr, a utility to perform background processing in Java, has released version 5.1.2 featuring: support for providing an interval instead of cron expression with the @Recurring annotation; and allow an instance of the JobContext class to be set in MockJobContext tests.


An updated early-access release of JReleaser was made available this past week featuring: dependency upgrades to aws-java-sdk 1.12.220, jsonschema 4.24.3, sshj 0.33.0, tika 2.4.0 and mockito 4.5.1.

Apache Tomcat

It was also a busy week for the Apache Tomcat team as they provided point releases for the 9.0, 10.0 and 10.1 release trains.

Versions 9.0.63, 10.0.21 and 10.1.0-M5 all feature: a property source that sources values from Kubernetes service bindings; identification of the root cause of the Linux kernel duplicate accept bug; a dependency upgrade to Tomcat Native Library 1.2.3 to support Windows binaries built with OpenSSL 1.1.1o; and support for encrypted PKCS#1 formatted private keys when configuring the internal, in-memory key store.

Apache Tomcat 10.1.0-M15 is an alpha milestone release to provide developers with early access to the new features in Apache Tomcat 10.1 release train.

Apache Camel

The Apache Software Foundation has released Apache Camel 3.17.0 featuring 220 bug fixes, improvements and dependency upgrades that include: Spring Boot 2.6.7; Kamelets 0.8.1 for the camel-jbang module; Google Cloud Libraries BOM 25.2.0; Jakarta Mail 1.6 (Jakarta EE 8); and the maven-bundle-plugin module to fix OSGi reproducibility issues. More details in this release may be found in the release notes.

About the Author

Rate this Article