JDK 8u331 Release Notes

Java SE 8u331 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u331 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.


Changes in Java SE 8u331 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8277922 client-libs javax.accessibility Unable to click JCheckBox in JTable through Java Access Bridge
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a

Java™ SE Development Kit 8, Update 331 (JDK 8u331)

April 19, 2022

The full version string for this update release is 8u331-b09 (where "b" means "build"). The version number is 8u331.


IANA TZ Data 2021e

For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u331 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u331-b09
7 7u341-b08


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u331) be used after the next critical patch update scheduled for July 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u331) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

 New XML Processing Limits

Three processing limits have been added. These are:

  • jdk.xml.xpathExprGrpLimit

Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

  • jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

  • All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();

        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");

For both the XPath and XSLT processors, the properties can be set through the system property and configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");

or in the file,



There are two known issues:

  1. An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  2. An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
JDK-8270504 (not public)

Other Notes

 Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

JDK-8278449 (not public)

 Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280

The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

See JDK-8257497

 Parsing of URL Strings in Built-in JNDI Providers Is More Strict

The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

  -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)

  -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
  -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)
  -Dcom.sun.jndi.corbaURLParsing="legacy" | "compat" | "strict"   (to control "iiop:" and "iiopname:" URLs) 


The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use constructors or its factory method to build URLs rather than handcrafting URL strings.

If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

JDK-8278972 (not public)


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8259343 client-libs [macOS] Update JNI error handling in Cocoa code.
2 JDK-8251840 client-libs java.awt Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers
3 JDK-8259237 client-libs javax.swing Demo selection changes with left/right arrow key. No need to press space for selection.
4 JDK-8074883 client-libs javax.swing Tab key should move to focused button in a button group
5 JDK-8258554 client-libs javax.swing javax/swing/JTable/4235420/ fails in GTK L&F
6 JDK-8272105 client-libs javax.swing fails in 8u
7 JDK-8275703 core-libs java.lang System.loadLibrary fails on Big Sur for libraries hidden from filesystem
8 JDK-8274779 core-libs HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
9 JDK-8209178 core-libs Proxied HttpsURLConnection doesn't send BODY when retrying POST request
10 JDK-8272473 core-libs java.time Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
11 JDK-8279618 core-libs java.util Deserializing HashMap throws access denied suppressAccessChecks
12 JDK-8274658 core-libs java.util:i18n ISO 4217 Amendment 170 Update
13 JDK-8277795 core-libs javax.naming ldap connection timeout not honoured under contention
14 JDK-8266187 core-svc java.lang.instrument Memory leak in appendBootClassPath()
15 JDK-8273575 core-svc java.lang.instrument memory leak in appendBootClassPath(), paths must be deallocated
16 JDK-8276957 docs guides Fix broken JDK8 documentation links
17 JDK-8166140 hotspot compiler C1: Possible integer overflow in LIRGenerator::generate_address on several platforms
18 JDK-8183543 hotspot compiler Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"
19 JDK-8132306 hotspot gc java/lang/ref/ fails with "RuntimeException: Error: poll() returned null; expected ref object"
20 JDK-8273341 hotspot runtime Update Siphash to version 1.0
21 JDK-8189641 javafx accessibility [Accessibility, windows] NPE when navigating to ComboBox with empty string
22 JDK-8151974 javafx accessibility Invisible controls are still accessible by screen readers.
23 JDK-8089884 javafx controls TextInputControls capturing function key events
24 JDK-8274022 javafx controls Additional Memory Leak in ControlAcceleratorSupport
25 JDK-8244075 javafx controls Accelerator of ContextMenu's MenuItem is not removed when ContextMenu is removed from Scene
26 JDK-8276847 javafx web JSException: ReferenceError: Can't find variable: IntersectionObserver
27 JDK-8278980 javafx web Update WebKit to 613.1
28 JDK-8281711 javafx web Cherry-pick WebKit 613.1 stabilization fixes
29 JDK-8282099 javafx web Cherry-pick WebKit 613.1 stabilization fixes (2)
30 JDK-8242544 javafx window-toolkit CMD+ENTER key event crashes the application when invoked on dialog
31 JDK-8257497 security-libs Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
32 JDK-8274736 security-libs Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
33 JDK-8241248 security-libs NullPointerException in
34 JDK-8275811 security-libs Incorrect instance to dispose
35 JDK-8141508 tools javac java.lang.invoke.LambdaConversionException: Invalid receiver type ...
36 JDK-8255035 xml jaxp Update BCEL to Version 6.5.0
37 JDK-8276141 xml jaxp XPathFactory set/getProperty method