May 2, 2022
The full version string for this update release is 18.0.1.1+2 (where "+" means "build"). The version number is 18.0.1.1.
The security baselines are unchanged from the release of JDK 18.0.1.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
18 | 18.0.1+10 |
17 | 17.0.3+8 |
11 | 11.0.15+8 |
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 18.0.1.1) be used after the next critical patch update scheduled for July 19, 2022.
The Windows implementation of java.io.File
allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS
has been added to control this behavior. To disable ADS support in java.io.File
, the system property [jdk.io](http://jdk.io).File.enableADS
should be set to false
(case ignored). Stricter path checking however prevents the use of special devices such as NUL:
This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8284920 | xml | javax.xml.path | Incorrect Token type causes XPath expression to return incorrect results |
JDK-8284548 | xml | jaxp | Invalid XPath expression causes StringIndexOutOfBoundsException |
April 19, 2022
The full version string for this update release is 18.0.1+10 (where "+" means "build"). The version number is 18.0.1.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 18.0.1 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
18 | 18.0.1+10 |
17 | 17.0.3+8 |
11 | 11.0.15+8 |
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 18.0.1) be used after the next critical patch update scheduled for July 19, 2022.
Three processing limits have been added to the XML libraries. These are:
jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10.
jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 100.
jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10000.
Supported processors
jdk.xml.xpathExprGrpLimit
and jdk.xml.xpathExprOpLimit
are supported by the XPath processor.
All three limits are supported by the XSLT processor.
Setting properties
For the XSLT processor, the properties can be changed through the TransformerFactory
. For example,
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties
configuration file located in the conf
directory of the Java installation. For example,
System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties
file,
jdk.xml.xpathExprGrpLimit=20
There are two known issues:
On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry
method or the keytool -importcert
command on a KeychainStore keystore now fails with a KeyStoreException
. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.
The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:
-Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict" (to control "ldap:" URLs)
-Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict" (to control "dns:" URLs)
-Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict" (to control "rmi:" URLs)
The default value is "compat" for all of the three providers.
In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI
constructors or its factory method to build URLs rather than handcrafting URL strings.
If an illegal URL string is found, a java.lang.IllegalArgumentException
or a javax.naming.NamingException
(or a subclass of it) is raised.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 18.0.1 Bug Fixes page.