April 17, 2018
The full version string for this update release is 1.8.0_171-b11 (where "b" means "build"). The version number is 8u171.
JDK 8u171 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u171 are specified in the following table:
|JRE Family Version|JRE Security Baseline (Full Version String)|
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u171) will expire with the release of the next critical patch update scheduled for July 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u171) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
The specification of javax.crypto.CipherOutputStream has been clarified to indicate that this class catches BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client is not informed that integrity checks have failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (for example, GCM) if the application requires explicit notification when authentication fails. These applications can use the Cipher API directly as an alternative to using this class.
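The difference described above, shown as an added example that is not part of the release notes: the same modified AES-GCM ciphertext is decrypted once through CipherOutputStream and once with the Cipher API directly. The class name, key, nonce and message are constructed for illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class GcmDecryptCheck {
    public static void main(String[] args) throws Exception {
        // Constructed sample key, nonce and message (not taken from the release notes).
        SecureRandom rng = new SecureRandom();
        byte[] keyBytes = new byte[16];
        byte[] iv = new byte[12];
        rng.nextBytes(keyBytes);
        rng.nextBytes(iv);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] ct = enc.doFinal("transfer 100 to account 42".getBytes(StandardCharsets.UTF_8));
        ct[0] ^= 0x01; // simulate corruption of the stored ciphertext

        // 1) CipherOutputStream: close() calls doFinal(); per the clarified
        //    specification the failed tag check is caught and not re-thrown.
        Cipher viaStream = Cipher.getInstance("AES/GCM/NoPadding");
        viaStream.init(Cipher.DECRYPT_MODE, key, spec);
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        try (CipherOutputStream cos = new CipherOutputStream(sink, viaStream)) {
            cos.write(ct);
        }
        System.out.println("CipherOutputStream closed normally; bytes written: " + sink.size());

        // 2) Cipher API directly: doFinal() reports the authentication failure,
        //    so the caller can refuse to act on the data.
        Cipher direct = Cipher.getInstance("AES/GCM/NoPadding");
        direct.init(Cipher.DECRYPT_MODE, key, spec);
        try {
            byte[] pt = direct.doFinal(ct);
            System.out.println("Authenticated plaintext: " + new String(pt, StandardCharsets.UTF_8));
        } catch (AEADBadTagException e) {
            System.out.println("Cipher.doFinal rejected the ciphertext: " + e.getMessage());
        }
    }
}
```

With the stream variant, an empty or short output is the only sign that anything went wrong, so code that needs a hard failure on tampering should take the second path.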
A new security property named jceks.key.serialFilter has been introduced. If this filter is configured, the JCEKS KeyStore uses it during the deserialization of the encrypted Key object stored inside a SecretKeyEntry. If it is not configured or if the filter result is UNDECIDED (for example, none of the patterns match), then the filter configured by jdk.serialFilter is consulted.
If the system property jceks.key.serialFilter is also supplied, it supersedes the security property value defined here.
The filter pattern uses the same format as jdk.serialFilter. The default pattern allows javax.crypto.spec.SecretKeySpec but rejects all the others.
Customers storing a SecretKey that does not serialize to the above types must modify the filter to make the key extractable.
A new system property jdk.disableLastUsageTracking has been introduced to disable JRE last usage tracking for a running VM. This property can be set in the command line by using either -Djdk.disableLastUsageTracking. With this system property set, JRE last usage tracking will be disabled regardless of the com.oracle.usagetracker.track.last.usage property value set in
"TeliaSonera Root CA v1" has been added to the
The secure validation mode of the XML Signature implementation has been enhanced to restrict EC keys less than 224 bits by default. The secure validation mode is enabled either by setting the property org.jcp.xml.dsig.secureValidation to true with the javax.xml.crypto.XMLCryptoContext.setProperty() method, or by running the code with a SecurityManager.
To improve the strength of SSL/TLS connections, 3DES cipher suites have been disabled in SSL/TLS connections in the JDK via the jdk.tls.disabledAlgorithms Security Property.
A new JDK implementation-specific system property jdk.internal.FileHandlerLogging.maxLocks has been introduced to control the java.util.logging.FileHandler MAX_LOCKS limit. The default value of the current MAX_LOCKS (100) is retained if this new system property is not set or an invalid value is provided to the property. Valid values for this property are integers ranging from 1 to Integer.MAX_VALUE-1.
On the Linux platform, a change has been made to Java RPM package installers for the internal JRE and JDK package names. Beginning with 7u181 and 8u171, the names of JRE and JDK packages have been changed from jremajor.minor and from
This change was made so that multiple release families could co-exist on a disk and, by default, new update releases would override previous update releases.
The following are some of the notable bug fixes included in this release:
Server-side HTTP-tunneled RMI connections have been disabled by default in this release. This behavior can be reverted by setting the runtime property sun.rmi.server.disableIncomingHttp to false. Note that this should not be confused with the sun.rmi.server.disableHttp property, which disables HTTP-tunneling on the client side and is false by default.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 8u171 Bug Fixes page.