Payara Platform 6, Spring Updates and CVEs, Asynchronous Stack Trace VM API

This week's Java Roundup for October 31, 2022 includes what's new from OpenJDK, JDK 20, JavaFX 20, Generational ZGC, Spring Framework milestone, point and release candidate releases, Payara Platform 6, Micronaut 3.7.3, MicroProfile 6.0-RC2, Hibernate ORM point releases, Apache TomEE 9.0-RC1, Apache Camel 3.18.3, GraalVM Native Build Tools 0.9.17, JReleaser 1.3.1, JobRunr 5.3.1, JDKMon 17.0.39 and J-Fall 2022.

OpenJDK

JEP 435, Asynchronous Stack Trace VM API, was promoted from its JDK-8284289 draft to Candidate status last week. This HotSpot JEP proposes to define a well-tested, efficient and reliable API for collecting stack traces asynchronously that includes information about both Java and native stack frames.

JDK 20

Build 22 of the JDK 20 Early Access builds was also made available last week, featuring updates from Build 21 that include fixes for various issues. See the release notes for more details on this build.

For JDK 20, developers are encouraged to report bugs through the Java Bug Database.

JavaFX 20

Builds 5 and 6 of the JavaFX 20 Early Access builds have been made available to the Java community. Designed to work with the JDK 20 Early Access builds, they allow JavaFX application developers to build and test their applications with JavaFX 20 on JDK 20.

Generational ZGC

Build 20-genzgc+2-20 of the Generational ZGC Early Access builds has also been made available to the Java community; it is based on an incomplete JDK 20 Early Access build.

Spring Framework

On the road to Spring Framework 6.0.0, the third release candidate was made available with 22 bug fixes and improvements, including: support for @RequestPart arguments in methods defined in the @HttpExchange annotation; the introduction of the SimpleValueStyler class for use with the ToStringCreator class; and AOT support for clients of the HttpServiceProxyFactory class. This is the last release candidate before the planned GA release in November 2022. Please see the release notes for more details on this release.

The second release candidate of Spring Data 2022.0.0, codenamed Turing, has been made available with numerous bug fixes and a refined integration of observability via Micrometer for the Spring Data MongoDB, Spring Data Redis and Spring Data for Apache Cassandra modules. All modules have also been upgraded to their RC2 equivalents. For more details about this release, see the release notes.

Spring Security versions 5.7.5 and 5.6.9 have been released and contain fixes for: the AuthorizationFilter class incorrectly extending the OncePerRequestFilter class; and incorrect scope assignment. For more details on these releases, see the 5.7.5 and 5.6.9 release notes.

On the road to Spring Cloud 2022.0.0, the first release candidate has been made available, shipping with upgrades to the RC1 equivalents of all sub-projects except Spring Cloud CLI, Spring Cloud for Cloud Foundry and Spring Cloud Sleuth, which have been removed from the release train. For more details about this release, see the release notes.

The first release candidate of Spring Authorization Server 1.0.0 was made available with new features including: a requirement that the @Configuration annotation be used in conjunction with the @EnableWebSecurity annotation; replacement of the loadContext() method with the loadDeferredContext() method defined in the SecurityContextRepository interface; and the improvements from the 0.4 release train merged into main. For more details about this release, see the release notes.

Similarly, the first release candidate of Spring Authorization Server 0.4.0 was made available, which includes improvements to custom endpoints related to the OidcUserInfoEndpointFilter and OidcClientRegistration classes. For more details about this release, see the release notes.

On the road to Spring Modulith 0.1, the second milestone release delivers new features such as: removal of an obsolete spring.factories property in the observability module; and ensuring that the test autoconfiguration is ordered first. InfoQ will follow up with more detailed news about Spring Modulith, which was unveiled in late October 2022.

VMware published three Common Vulnerabilities and Exposures (CVEs) in the past week:

  • CVE-2022-31691, Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode, a vulnerability reported for Spring Tools that could, under certain conditions, allow an attacker to achieve remote code execution through specially crafted YAML syntax.
  • CVE-2022-31692, Authorization Rules Can Be Bypassed via Forward or Include Dispatcher Types in Spring Security, a vulnerability reported for Spring Security that affects applications using the AuthorizationFilter class; since that filter extended OncePerRequestFilter, authorization rules were not re-applied on forward or include dispatches.
  • CVE-2022-31690, Privilege Escalation in spring-security-oauth2-client, a vulnerability also reported for Spring Security that could, under certain conditions, allow an attacker to modify a browser-initiated request to the authorization server, leading to privilege escalation on the subsequent approval.

Developers are advised to upgrade to Spring Tools 4.16.1 and to Spring Security 5.7.5 or 5.6.9.

Payara

Payara has published the November 2022 release of the Payara Platform, which includes Payara Community 6.2022.1, the first stable release of Payara 6 Community, serving as the compatible implementation for the Jakarta EE 10 Platform, Web Profile and Core Profile. Payara 6 now serves as the current version of the Payara Platform Community edition. For more details about this release, see the release notes.

Payara Community 5.2022.4 is the penultimate release of Payara 5 Community. For more details about this release, see the release notes.

Payara Enterprise 5.45.0 offers five bug fixes, one security fix and two improvements. For more details about this release, see the release notes.

All of these new releases address a zero-day vulnerability in which attackers could access the contents of the WEB-INF and META-INF folders when an application is deployed to the root context. Operators running applications at the root context on older Payara builds should treat the contents of those folders (deployment descriptors, configuration, compiled classes) as potentially exposed until they upgrade.

Micronaut

The Micronaut Foundation has released Micronaut 3.7.3 with bug fixes and patch releases of Micronaut Test Resources, Micronaut Servlet, Micronaut Security, Micronaut Kafka and Micronaut Redis. There were also dependency upgrades to SnakeYAML 1.33 and Netty 4.1.84. For more details about this release, see the release notes.

MicroProfile

On the road to MicroProfile 6.0, the MicroProfile Working Group has provided the second release candidate of MicroProfile 6.0, which updates all of its specifications. It is also important to note that the MicroProfile OpenTracing specification has been superseded by the new MicroProfile Telemetry specification. The GA release of MicroProfile 6.0 is expected in late November or early December 2022.

Hibernate

Red Hat's performance team has identified a specific code pattern that causes severe performance degradation on large multi-core servers. Many libraries, including Hibernate ORM, are affected. The release of Hibernate ORM 6.1.5.Final ships with some patches as a first step toward fixing this issue, and the Hibernate team reports that early testing is promising.

Hibernate ORM 5.6.13.Final has been released with bug fixes and improvements such as: the access modifier of the getOp() method, defined in the SimpleExpression class, changed from protected to public to support developers migrating from the legacy Criteria API. There were also dependency upgrades to ByteBuddy 1.12.18 and Byteman 4.0.20.

Shortly after the release of Hibernate ORM 5.6.13, a critical regression was discovered in which a ClassCastException was triggered by a check for an implementation of the Managed interface instead of the ManagedEntity interface. Hibernate ORM 5.6.14.Final was released to fix this issue.

Apache Software Foundation

The Apache TomEE 9.0.0-RC1 release ships with full MicroProfile 5.0 compatibility and dependency upgrades such as Eclipse Mojarra 3.0.2, HSQLDB 2.7.1, Hibernate 6.1.4.Final, Log4J2 2.18.0, Tomcat 10.0.27 and Jackson 2.13.4. For more details about this release, see the release notes.

Apache Camel 3.18.3 was released with 52 bug fixes, improvements and dependency upgrades, including Spring Boot 2.7.5, camel-hbase 2.5.0 and kamelets 0.9.0 in the camel-jbang module. For more details about this release, see the release notes.

GraalVM Native Build Tools

On the road to version 1.0, Oracle Labs has released version 0.9.17 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release features improvements such as: a new requiredVersion property to check for a minimum GraalVM version; and a lazy GraalVM installation check. See the changelog for more details about this release.

JReleaser

Version 1.3.1 of JReleaser, a Java utility that streamlines the creation of project releases, has been released with a fix for an issue in which the Nexus2 polling status after close/release/delete operations was not reported when those remote operations failed. For more details about this release, see the release notes.

JobRunr

JobRunr 5.3.1 has been released with fixes for: JobRunr not failing on null values for an instance of the MDC class; the DB migration being applied multiple times when the first run takes an excessive amount of time; and inheritance in background jobs not always working.

JDKMon

Version 17.0.39 of JDKMon, a tool that monitors and updates installed JDKs, was released this week. Created by Gerrit Grunwald, principal engineer at Azul, this new version adds CVE detection for GraalVM builds, with the detected CVEs sorted by severity.

J-Fall Conference

J-Fall 2022, sponsored by the Nederlandse Java User Group (NLJUG), took place last week at Pathé Ede in Ede, The Netherlands, with speakers from the Java community presenting keynotes, technical sessions, workshops and hands-on labs.
