This week's Java roundup for October 16th, 2023, features news from OpenJDK, JDK 22, BellSoft, Oracle VS Code extension, WildFly 30, Payara Platform, MicroProfile 6.1, EclipseCon and releases for GraalVM Native Build Tools, Spring Boot, Spring Security, Spring Authorization Server, Spring Cloud Dataflow, Micronaut, Quarkus, Open Liberty, Apache TomEE, Apache Tomcat, JHipster and JHipster Lite.
OpenJDK
JEP 456, Unnamed Variables and Patterns, has been promoted from Candidate to Proposed to Target for JDK 22. This JEP proposes to finalize this feature after one previous round of preview: JEP 443, Unnamed Patterns and Variables (Preview), delivered in JDK 21. This feature will “enhance the language with unnamed patterns, which match a record component without stating the component's name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character, as in r instanceof _(int x, int y) and r instanceof _. The review is expected to conclude on October 26, 2023.
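An added example (not from the JEP text or this roundup) exercising the JEP 456 forms; it compiles on JDK 22, or on JDK 21 with --enable-preview under JEP 443, and the Shape types are constructed purely for illustration:

```java
// Added example: unnamed patterns (inside record patterns) and unnamed variables
// (an enhanced-for element that is never read), both written as "_".
import java.util.List;

public class UnnamedDemo {
    sealed interface Shape permits Circle, Box {}
    record Point(int x, int y) {}
    record Circle(Point center, int radius) implements Shape {}
    record Box(Point topLeft, Point bottomRight) implements Shape {}

    // Unnamed patterns: components we do not need are matched with "_" and no
    // type or name has to be spelled out for them.
    static String describe(Shape s) {
        return switch (s) {
            case Circle(_, int r) -> "circle of radius " + r;
            case Box(Point(int x, _), _) -> "box starting at x=" + x;
        };
    }

    // Unnamed variable: the loop only counts elements, so the element gets no name.
    static int count(List<Shape> shapes) {
        int n = 0;
        for (Shape _ : shapes) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        List<Shape> shapes = List.of(new Circle(new Point(0, 0), 5),
                                     new Box(new Point(1, 2), new Point(3, 4)));
        shapes.forEach(s -> System.out.println(describe(s)));
        System.out.println(count(shapes) + " shapes");
    }
}
```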
JDK 22
Build 20 of the JDK 22 early-access builds was made available this past week featuring updates from Build 19 that include fixes to various issues. More details on this build may be found in the release notes.
For JDK 22, developers are encouraged to report bugs via the Java Bug Database.
BellSoft
Concurrent with Oracle's Critical Patch Update (CPU) for October 2023, BellSoft has released CPU patches for versions 21.0.0.0.1, 17.0.8.1.1, 11.0.20.1.1, 8u391, 7u401 and 6u401 of Liberica JDK, their downstream distribution of OpenJDK. In addition, Patch Set Update (PSU) versions 21.0.1, 17.0.9, 11.0.21 and 8u392, containing CPU and non-critical fixes, have also been released.
Oracle
Oracle has introduced their Oracle Java Platform Extension for Visual Studio Code that brings full-featured Java development (edit/compile/debug/test cycle) for Maven and Gradle projects to VSCode along with other features such as a project explorer, debugging and launch configurations, a JDK downloader and supported refactorings.
GraalVM
On the road to version 1.0, Oracle Labs has released version 0.9.28 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides: a revert to the previous version of the escapeArg() method defined in the NativeImageUtils class to fix issues with Windows path escaping; improved detection of major JDK versions; and removal of the deprecated Gradle JavaPluginConvention class in favor of the JavaPluginExtension class. More details on this release may be found in the changelog.
Spring Framework
The first release candidate of Spring Boot 3.2.0 provides bug fixes, improvements in documentation, dependency upgrades and new features such as: breaking the cycle between the TransactionManagerCustomizers class and the TransactionManager interface; auto-configuring the HikariCheckpointRestoreLifecycle class for a user-defined instance of the HikariDataSource class; and support for adding a Gradle Provider interface in the buildInfo Gradle task. More details on this release may be found in the release notes.
Similarly, versions 3.1.5, 3.0.12 and 2.7.17 of Spring Boot have been released featuring bug fixes, improvements in documentation, dependency upgrades, and the most notable change: correcting the behavior of the spring.jms.listener.concurrency property, in which the maximum number of consumers was set to the value of this property and the minimum number of consumers was always set to 1. This is in contrast with the documentation, and developers should set their desired maximum value in the spring.jms.listener.max-concurrency property. More details on these releases may be found in the release notes for version 3.1.5, version 3.0.12 and version 2.7.17.
The first and second release candidates of Spring Security 6.2.0, along with service releases 6.1.5, 6.0.8 and 5.8.8, all deliver bug fixes and dependency upgrades. New features in all of these versions are: documentation on how to publish an AuthenticationManager @Bean without the now deprecated WebSecurityConfigurerAdapter class; and use of the Gradle Version Catalog for dependencies. New features in the release candidates include: Servlet Path support for the AuthorizeHttpRequestsConfigurer class; and allowing instances of the AuthenticationConverter interface to be set on the BasicAuthenticationFilter class. More details on these releases may be found in the release notes for version 6.2.0-RC2, version 6.2.0-RC1, version 6.1.5, version 6.0.8 and version 5.8.8.
The first release candidate of Spring Authorization Server 1.2.0 ships with dependency upgrades and a new feature that adds a reusable default authentication failure handler class, OAuth2ErrorAuthenticationFailureHandler. More details on this release may be found in the release notes.
Similarly, versions 1.1.3, 1.0.4 and 0.4.4 of Spring Authorization Server have been released featuring minor bug fixes and dependency upgrades to respective versions of: Spring Boot 3.1.4, 3.0.11 and 2.7.16; Spring Security 6.1.5, 6.0.8 and 5.8.8; and Spring Framework 6.0.13, 6.0.13 and 5.3.30. More details on these releases may be found in the release notes for version 1.1.3, version 1.0.4 and version 0.4.4.
The release of Spring Cloud Dataflow 2.11.1 delivers notable changes such as: ensuring that the Launch API in the TaskOperations interface is backwards compatible; adding common security configuration modules to dependency management, which fixed issues that arose after creating a monorepo; and dependency upgrades to json-smart 2.4.11, Nimbus JOSE + JWT 9.31, snappy-java 1.1.10.4 and Apache Commons Compress 1.24.0 to address various CVEs. More details on this release may be found in the release notes.
WildFly
Red Hat has released version 30.0.0 of WildFly featuring support for JDK 21, as WildFly 30 has passed the TCKs as a compatible implementation of the Jakarta EE Core Profile. This release also supports most of the MicroProfile 6.0 specifications, but cannot claim to be a compatible implementation as Red Hat does not support the MicroProfile Metrics specification. It is important to note that Red Hat recommends developers keep running their applications on JDK 17 and JDK 11 because WildFly 30 has not been certified on the Jakarta EE Platform and Jakarta EE Web Profile. Despite this, Red Hat says that “WildFly 30 is a great choice for evaluating how your applications run on SE 21.” More details on this release may be found in the release notes.
Payara
Payara has released their October 2023 edition of the Payara Platform that includes Community Edition 6.2023.10, Enterprise Edition 6.7.0 and Enterprise Edition 5.56.0 featuring: bug fixes; a dependency upgrade to the aforementioned json-smart 2.4.11 in the OIDC client to address CVE-2023-1370, a vulnerability in json-smart where parsing too many nested JSON arrays and objects, due to no defined limit, could cause a stack overflow and crash the software; and a new timeout option, --timeout, for the Payara domain commands such as start-domain and stop-domain. More details on these versions may be found in the release notes for Community Edition 6.2023.10, Enterprise Edition 6.7.0 and Enterprise Edition 5.56.0.
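An added example, not code from Payara or json-smart, of the kind of pre-parse guard that defends against the unbounded-nesting failure mode described for CVE-2023-1370: it measures bracket depth without recursion so a hostile document can be rejected before any recursive parser sees it. The depth limit and the sample inputs are assumptions constructed here.

```java
// Added example: count '[' / '{' nesting depth iteratively, skipping brackets that
// appear inside JSON string literals (including escaped quotes such as \").
public final class JsonDepthGuard {
    private JsonDepthGuard() {}

    // Maximum nesting depth of arrays/objects in the document.
    public static int maxDepth(String json) {
        int depth = 0, max = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == '[' || c == '{') {
                depth++;
                max = Math.max(max, depth);
            } else if (c == ']' || c == '}') {
                if (--depth < 0) throw new IllegalArgumentException("unbalanced JSON at " + i);
            }
        }
        return max;
    }

    // Gate a document on its depth before it reaches a recursive parser.
    public static boolean withinLimit(String json, int limit) {
        return maxDepth(json) <= limit;
    }

    public static void main(String[] args) {
        int limit = 256; // assumed limit; set it to the deepest document you legitimately accept
        String benign = "{\"a\":[1,{\"b\":\"[not a bracket]\"}]}"; // constructed, depth 3
        String hostile = "[".repeat(100_000) + "]".repeat(100_000); // constructed, depth 100000
        System.out.println("benign depth=" + maxDepth(benign) + " accepted=" + withinLimit(benign, limit));
        System.out.println("hostile depth=" + maxDepth(hostile) + " accepted=" + withinLimit(hostile, limit));
    }
}
```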
MicroProfile
The MicroProfile Working Group has released version 6.1 of MicroProfile featuring updates to specifications: MicroProfile Config 3.1, MicroProfile Metrics 5.1 and MicroProfile Telemetry 1.1.
Notable changes in MicroProfile Config include: an update to the TCK to align with breaking changes in the Jakarta EE Contexts and Dependency Injection 4.0 specification, namely an empty beans.xml file and a change in bean discovery mode from all to annotated; and the MissingValueOnObserverMethodInjectionTest class, which asserts a DeploymentException, now fails for a different reason because the ConfigObserver bean is defined as both @ApplicationScoped (proxyable) and final (not proxyable). More details on this release may be found in the release notes.
Notable changes in MicroProfile Metrics include: new MicroProfile Config properties that customize how Histogram and Timer metrics track and output statistics for percentiles and histogram buckets; defining the @RegistryScope annotation as a qualifier; and a new recommendation for multi-application deployments to use the mp.metrics.defaultAppName property to eliminate the problems caused by the requirement to have consistent tag sets on multi-app application server implementations. More details on this release may be found in the release notes.
Notable changes in MicroProfile Telemetry 1.1 include: a clarification of which API classes must be available to users; an implementation of tests that is not timestamp dependent; and a clarification of the behavior of the Span and Baggage beans when the current span or baggage changes. More details on this release may be found in the release notes.
The initial compatible implementation for MicroProfile 6.1 is Open Liberty 23.0.0.10-beta.
Micronaut
The Micronaut Foundation has disclosed CVE-2023-36820, a vulnerability in the OAuth2 section of their Micronaut Security module in which the IdTokenClaimsValidator class skips the audience claim validation if the token is issued by the same identity issuer/provider, resulting in improper access control.
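An added example, not Micronaut's code, of the class of flaw described above as a hypothetical ID-token claims check, with the always-validate-audience version beside it. It assumes the token signature and expiry were already verified upstream; the issuer, client ids and claim sets are constructed.

```java
// Added example: "iss" alone is not enough; "aud" must name this client every time.
import java.util.List;
import java.util.Map;

public class IdTokenAudienceCheck {
    private final String expectedIssuer;
    private final String clientId;

    public IdTokenAudienceCheck(String expectedIssuer, String clientId) {
        this.expectedIssuer = expectedIssuer;
        this.clientId = clientId;
    }

    // Flawed pattern: a matching issuer short-circuits the check, so the audience is never
    // validated and a token the same provider minted for a different client is accepted.
    public boolean flawedValidate(Map<String, Object> claims) {
        if (expectedIssuer.equals(claims.get("iss"))) {
            return true; // audience validation skipped for "our own" issuer
        }
        return false;
    }

    // Hardened: the issuer must match AND this client must be in "aud" (RFC 7519 allows a
    // string or an array); with several audiences, OpenID Connect Core 3.1.3.7 also expects
    // an "azp" claim equal to our client_id.
    public boolean validate(Map<String, Object> claims) {
        if (!expectedIssuer.equals(claims.get("iss"))) return false;
        Object aud = claims.get("aud");
        if (aud instanceof String single) return clientId.equals(single);
        if (aud instanceof List<?> many) {
            if (!many.contains(clientId)) return false;
            return many.size() == 1 || clientId.equals(claims.get("azp"));
        }
        return false; // missing or malformed "aud" is a rejection, not a pass
    }

    public static void main(String[] args) {
        IdTokenAudienceCheck check = new IdTokenAudienceCheck("https://idp.example", "app-a");
        // Constructed claim sets: one for this client, one minted by the same IdP for app-b.
        Map<String, Object> ours = Map.of("iss", "https://idp.example", "aud", "app-a");
        Map<String, Object> other = Map.of("iss", "https://idp.example", "aud", "app-b");
        System.out.println("ours:  flawed=" + check.flawedValidate(ours) + " hardened=" + check.validate(ours));
        System.out.println("other: flawed=" + check.flawedValidate(other) + " hardened=" + check.validate(other));
    }
}
```

The second line of output is the point: the flawed check accepts the token issued for app-b, the hardened one rejects it.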
The foundation has also released version 4.1.5 of the Micronaut Framework featuring Micronaut Core 4.10.0 and updates to modules: Micronaut AWS, Micronaut RxJava 3, Micronaut Discovery Client, Micronaut Reactor, Micronaut Object Storage. There was also a dependency upgrade to Netty 4.1.100.Final. More details on this release may be found in the release notes.
Quarkus
Versions 3.2.7 and 2.16.12 of Quarkus primarily address several CVEs:
- CVE-2023-44487, a vulnerability in which Tomcat's implementation of HTTP/2 was vulnerable to the rapid reset attack, causing a denial of service that typically manifested as an OutOfMemoryError.
- CVE-2023-39410, a vulnerability in Apache Avro that would allow an attacker to deserialize untrusted or corrupted data, consuming memory beyond the allowed constraints and therefore causing the system to run out of memory.
- CVE-2023-34454, a vulnerability in snappy-java that would allow an attacker to take advantage of unchecked multiplications, causing a possible integer overflow that results in an unrecoverable fatal error.
More details on these releases may be found in the changelogs for version 3.2.7 and version 2.6.12.
The Quarkus team has also documented their journey in addressing CVE-2023-44487 that includes an overview of the CVE, threads vs. event loops and their solution.
Open Liberty
IBM has released 23.0.0.10 of Open Liberty featuring support for JDK 21 and an update to the featureUtility command that now verifies feature authenticity by default when a new feature is installed into Open Liberty. This replaces the previous checksum verification, since checksums alone do not ensure the authenticity of downloaded files.
Apache Software Foundation
The release of Apache TomEE 9.1.1 ships with bug fixes, dependency upgrades and the most notable change that drops support for their own shade of CXF in favor of Apache CXF 4.0. This release also includes fixes and backports for several CVEs:
- CVE-2023-34981, a vulnerability in which a regression in the fix for Bug 66512 meant that if a response did not include any HTTP headers, no Apache JServ Protocol (AJP) SEND_HEADERS message would be sent for the response, which could lead to an information leak. This was fixed in Bug 66591 and developers are encouraged to migrate to minimal versions 11.0.0-M6, 10.1.9, 9.0.75 or 8.5.89.
- CVE-2023-42795, an exposure in which, when recycling various internal objects (including the request and the response) prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.
- CVE-2023-35116, a vulnerability in Jackson Databind 2.15.2 and below such that an attacker can craft an object that uses cyclic dependencies, which may result in a denial of service. It is important to note that this CVE is in dispute because FasterXML, creators of Jackson, believe that the steps to construct a cyclic data structure and attempt to serialize it cannot be achieved by an external attacker.
More details on this release may be found in the release notes.
Versions 10.1.15 and 8.5.95 of Apache Tomcat both feature notable fixes: a regression with HTTP compression after refactoring code; and a regression in the clean-up of unnecessary use of fully qualified class names in versions 10.1.14 and 8.5.94 that broke the JDBC pool. More details on these releases may be found in the release notes for version 10.1.15 and version 8.5.95.
JHipster
The first release candidate of JHipster 8.0.0 provides bug fixes, dependency upgrades and notable changes such as: the JHipster-generated equals() method is now safe to use in Hibernate; improved code coverage of the MetricsComponent class; and improved support of JHipster Blueprints. More details on this release may be found in the release notes.
Version 0.45.0 of JHipster Lite has been released featuring bug fixes, improvements in documentation, dependency upgrades and new features/improvements such as: a new YamlFileSpringPropertiesHandler class in preparation for supporting YAML configuration; new toString() methods added to various JHipster classes for improved debugging; and support for processing multi-line comments in Spring property files. More details on this release may be found in the release notes.
The JHipster team also celebrated their 10th anniversary this past week. The very first commit was published on October 21, 2013.
EclipseCon
EclipseCon 2023 was held at the Forum am Schlosspark and the Film-und-Medienzentrum (FMZ) in Ludwigsburg, Germany, this past week featuring speakers from the Java Community who presented on topics such as: Automotive & Mobility, IOT & Edge, Open Source Best Practices, Programming Languages & Runtimes, and Tools & IDEs. The conference also featured a Community Day that brings together like-minded individuals, passionate experts, and curious minds from all walks of life for meetings, project updates, workshops, presentations or panel discussions. Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, posted his daily summaries for Community Day, Day One, Day Two and Day Three.