Update Release Notes

Java™ SE Development Kit 7, Update 21 (JDK 7u21)

The full version string for this update release is 1.7.0_21-b11 (where "b" means "build") except for Mac OS X for which it is 1.7.0_21-b12. The version number is 7u21.


This update release contains several enhancements and changes including the following:

Olson Data 2012i

JDK 7u21 contains Olson time zone data version 2012i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u21 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
7 1.7.0_21
6 1.6.0_45
5.0 1.5.0_45

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The expiration date for JRE 7u21 is 07/18/2013.

Blacklisted Jars and Certificates

Oracle now manages a certificate and jar blacklist repository. This data is updated on client computers daily on the first execution of a Java applet or web start application.

Changes to Java Control Panel's Security Settings

In this release, low and custom settings are removed from the Java Control Panel(JCP)'s Security Slider.

Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run.

Changes to Security Dialogs

As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.

The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests. For more information, see User Acceptance of RIAs.

Changes to Application Signing

Starting from JDK 7u21, it is recommended that all applications be signed. In addition, it is also possible to restrict signed applications to the security sandbox.

Therefore, the previous use of the term "unsigned" to mean an application that ran in the security sandbox and "signed" to mean an application that ran with extended permissions, is no longer meaningful.

The terminology in the Java Tutorial and the Java SE Guides has been changed to use "sandbox application" for applications that are restricted to the security sandbox, and "privileged application" for applications that have extended permissions.

Unsigned or self-signed applications may not be supported in future JDK update releases.

For more information on signing applications, see Understanding Signing and Verification. Deploying with Applet Tag describes setting permissions for an applet within the applet tag.

Changes to RMI

From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.

This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.

For more information, see RMI Enhancements.

Server JRE

A new Server JRE package, with tools commonly required for server deployments but without the Java plug-in, auto-update or installer found in the regular JRE package, is available starting from this release. The Server JRE is specifically targeted for deploying Java in server environments and is available for 64-bit Solaris, Windows and Linux platforms. For more information on installing this package, see Installation Instructions.

Some of the tools included in the initial release of the Server JRE package, may not be available in future versions of the Server JRE. Please check future release notes for tools availability if you use this package.

JDK for Linux on ARM

JDk 7u21 release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.

The following JDK features are not included or supported in this product:

  • Java WebStart
  • Java Plug-In
  • Garbage First (G1) Collector
  • JavaFX SDK or JavaFX Runtime

In addition, some features of the Serviceability Agent are also not available for Linux on ARM platform.

Java support on ARM is specific to the GNOME Desktop Environment version 1:2.30+7.

Changes to Runtime.exec

On Windows platform, the decoding of command strings specified to Runtime.exec(String), Runtime.exec(String,String[]) and Runtime.exec(String,String[],File) methods, has been improved to follow the specification more closely. This may cause problems for applications that are using one or more of these methods with commands that contain spaces in the program name, or are invoking these methods with commands that are not quoted correctly.

For example, Runtime.getRuntime().exec("C:\\My Programs\\foo.exe bar") is an attempt to launch the program "C:\\My" with the arguments "Programs\\foo.exe" and "bar". This command is likely to fail with an exception to indicate "C:\My" cannot be found.

The example Runtime.getRuntime().exec("\"C:\\My Programs\\foo.exe\" bar") is an attempt to launch the program "\"C:\\My". This command will fail with an exception to indicate the program has an embedded quote.

Applications that need to launch programs with spaces in the program name should consider using the variants of Runtime.exec that allow the command and arguments to be specified in an array.

Alternatively, the preferred way to create operating systems processes since JDK 5.0 is using java.lang.ProcessBuilder. The ProcessBuilder class has a much more complete API for setting the environment, working directory and redirecting streams for the process.

Auto-download of JRE through JNLP Disabled

Prior to the release of JDK 7u21, the ability to automatically download a JRE through JNLP was disabled at the web server on Windows platform.

If there is a need to download the JRE automatically when an applet or Java Web Start application is run, use the Deployment Toolkit.

Removal of the usePolicy Permission

The permission named usePolicy that enabled system administrators to disable the Java Plug-In's default security prompting behavior is no longer available.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.

Known Issues

Area: install/install
Synopsis: Installing SUNWj7rt fails checksum

While installing the Solaris package for JRE, SUNWj7rt, as part of the installation process the user may see some unexpected checksum failures. These errors do not affect the installed JRE in any way.

See 8011175.

Area: install/install
Synopsis: Installing SUNWj7dev to a no-default location fails checksum

While installing the Solaris pacakge for JDK, SUNWj7dev as part of the installation process, especially when the JDK is installed at a non-default location, user may see some unexpected checksum failures. These errors do not affect the installed JDK in any way.

See 8011174.

Area: deploy/deployment_toolkit
Synopsis: Cannot remove trusted sandbox certs via the ControlPanel or trusted certs per location.

With the new sandbox security dialog box changes in JDK 7u21, user can now trust signed sandbox apps, and optionally trust all apps signed by the same certificate from the same URL. However, there is no way to remove the trusted sandbox certificates through the Control Panel, as one can for other trusted certificates.

The workaround is to manually remove the sandbox.certs keystore from the security directory in user's deployment home directory or remove individual entries using keytool.

Area: deploy/plugin
Synopsis: Security popup while closing application

Starting in JDK 7u21, JavaScript code that calls code within a signed applet running with all permissions is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute.

For a signed applet running with all permissions to JavaScript call, no security dialog (with mixed code warning) should pop up. However mixed code warning is being shown in some scenarios.

As a workaround, if the applet jar is running with all-permissions and uses "Trusted-library:true" attribute as manifest entry, the mixed code warning will not popup.

Area: deploy/plugin
Synopsis: Per-Applet/Global Packages, Java and netscape Keyword support removed

Starting in 7u21, the support for calling from JavaScript to Java via global java, netscape and Packages JavaScript keyword for Firefox/Chrome, and also the per-applet Packages keyword for IE, are all removed.

Area: deploy/deploy
Synopsis: jnlp-applet could not been launched if its jar has been returned with HTTP HEADER Cache-Control: NoStore

Applet/applications could fail to load if response HEADER contains "Cache-Control : no-store" value.

As a workaround users can either:

  • Disable cache using Java Control Panel if they don't want to cached the application contents.
  • Use header value "Cache-Control : no-cache" which will force caches (both proxy and browser) to submit the request every time to the origin server for validation before using a cached contents.

Area: deploy/webstart
Synopsis: Javaws can't switch to offline app run mode if app can't be launched online.

The command javaws <jnlp_url> will fail to launch the cached application if system is offline, even if the application JNLP file has <offline-allowed> element specified. As a workaround users can either:

  • Launch Javaws explicitly with javaws -offline <jnlp_url>
  • Launch the cached application via Java Cache Viewer