JDK 8u341 Release Notes

Java SE 8u341 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u341 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.


Changes in Java SE 8u341 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8291973 install install JavaSE 8 RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash


Changes in Java SE 8u341 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8197387 core-svc tools jcmd Started by "root" Must Be Allowed to Access All VM Processes
JDK-8072439 hotspot runtime Further refinement of the fix JDK-8047720 - Xprof hangs on Solaris
JDK-8087557 javafx accessibility Alert Dialog Content Is Not Fully Read by Screen Reader
JDK-8291087 javafx accessibility Wrong Position of Focus of Screen Reader on Windows with Screen Scale > 1
JDK-8197387 javafx accessibility Exceptions with TextArea & TextField when Deleted Last Char


Changes in Java SE 8u341 b31

Fixes from the prior BPR are included in this version.

Java™ SE Development Kit 8, Update 341 (JDK 8u341)

July 19, 2022

The full version string for this update release is 8u341-b10 (where "b" means "build"). The version number is 8u341.


IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u341 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u341-b10
7 7u351-b07


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u341) be used after the next critical patch update scheduled for October 18, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u341) on 2022-11-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

 Enable TLSv1.3 by Default on JDK 8u for Client Roles

The TLSv1.3 implementation is available in JDK 8u from 8u261 and enabled by default for server roles but disabled by default for client roles. From this release onwards, TLSv1.3 is now also enabled by default for client roles. You can find more details in the Additional Information section of the Oracle JRE and JDK Cryptographic Roadmap.

Note that TLS 1.3 is not directly compatible with previous versions. Enabling it on the client may introduce compatibility issues on either the server or the client side. Here are some more details on potential compatibility issues that you should be aware of:

  • TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there may be compatibility issues when upgrading to TLS 1.3.
  • The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application may use non-supported signature algorithms.
  • The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
  • The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites which are no longer supported, it may not be able to use TLS 1.3 without modifying the application code, for example TLS_AES_128_GCM_SHA256 (1.3 and later) versus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (1.2 and earlier).
  • The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions. The compatibility should be minimal, but it could be a risk if an application depends on the handshake details of the TLS protocols.
  • TLS 1.3 requires that the implementation support new cryptographic algorithms which previous versions of TLS did not, such as RSASSA-PSS. If your application is configured to use 3rd party JCE provider(s) which do not support the required algorithms, you may get handshake failures.
See JDK-8245263

 HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through

Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:

jdk.https.negotiate.cbt (default: "never")

This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:

  • "never". This is also the default value if the property is not set. In this case, CBTs are never sent.
  • "always". CBTs are sent for all Kerberos authentication attempts over HTTPS.
  • "domain:" Each domain in the list specifies destination host or hosts for which a CBT is sent. Domains can be single hosts like foo, or, or literal IP addresses as specified in RFC 2732, or wildcards like * which matches all hosts under and its sub-domains. CBTs are not sent to any destinations that don't match one of the list entries

The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.

See JDK-8279842

Other Notes

 Update to Detect Ambiguous IPv4 Address Literals

The class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw an for invalid IPv4 address literals. To disable this check, the new "" system property can be set to "true".

See JDK-8277608 (not public)
 JDK Bundle Extensions Truncated When Downloading Using Firefox 102

On and, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:

  • manually add a file extension to the file name after download.
  • use a different browser

See JDK-8277093
 Vector Should Throw ClassNotFoundException for a Missing Class of an Element

java.util.Vector is updated to correctly report ClassNotFoundException that occurs during deserialization using, object) when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException is thrown that does not provide information about the missing class.

See JDK-8277093

 Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

See JDK-8193682
 OperatingSystemMXBean.getProcessCpuLoad Is Now Container Aware

For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.

See JDK-8269851


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u341 release:

# BugId Component Subcomponent Summary
1JDK-8259869client-libs[macOS] Remove desktop module dependencies on JNF Reference APIs
2JDK-8274751client-libsjava.awtDrag And Drop hangs on Windows
3JDK-8272806client-libsjava.awt[macOS] "Apple AWT Internal Exception" when input method is changed
4JDK-8133713client-libsjavax.accessibility[macosx] Accessible JTables always reported as empty
5JDK-8277922client-libsjavax.accessibilityUnable to click JCheckBox in JTable through Java Access Bridge
6JDK-7124301client-libsjavax.accessibility[macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
7JDK-7124298client-libsjavax.accessibility[macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group
8JDK-7124293client-libsjavax.accessibility[macosx] VoiceOver reads percentages rather than the actual values for sliders. should throw ClassNotFoundException for a missing class of an element
10JDK-8279842core-libsjava.netHTTPS Channel Binding support for Java GSS/Kerberos
11JDK-8282293core-libsjava.netDomain value for system property jdk.https.negotiate.cbt should be case-insensitive
12JDK-8288033core-libsjava.nio(dc) DatagramChannel.disconnect uses disconnectx which is not supported on macOS 10.8.3
13JDK-8285515core-libsjava.nio(dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
14JDK-8258795core-libsjava.util:i18nUpdate IANA Language Subtag Registry to Version 2021-05-11
15JDK-8247469core-svcjavax.managementgetSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
16JDK-8273747deploywebstartGrant JWS JavaFX apps access to Windows trust store
17JDK-8283886docsguidesFix broken links in the security guide of JDK 8u docs
18JDK-6584403docsguidesRequest to add a CA/CSR certificate cookbook to JSSE Reference Guide
19JDK-8173625installinstallJRE 8u121 fails to install with blank dialog box (username with character #)
20JDK-8090477javafxcontrolsCustomizable visibility timing for Tooltip
21JDK-8205915javafxcontrols[macOS] Accelerator assigned to button in dialog fires menuItem in owning stage
22JDK-8222211javafxgraphicsCreating animated gif image from non FX App thread causes exception
23JDK-8280840javafxmediaUpdate libFFI to 3.4.2
24JDK-8283403javafxmediaUpdate Glib to 2.72.0
25JDK-8283218javafxmediaUpdate GStreamer to 1.20.1
26JDK-8282054javafxmediaMediaplayer not working with HTTP Live Stream link with query parameter appended with file extension m3u8
27JDK-8286256javafxwebUpdate libxml2 to 2.9.14
28JDK-8283328javafxwebUpdate libxml2 to 2.9.13
29JDK-8286257javafxwebUpdate libxslt to 1.1.35
30JDK-8282134javafxwebCertain regex can cause a JS trap in WebView
31JDK-8281459javafxwebWebKit 613.1 build broken on M1
32JDK-8280841javafxwebUpdate SQLite to 3.37.2
33JDK-8284184javafxwebCrash in GraphicsContextJava::drawLinesForText on
34JDK-8278759javafxwebPointerEvent: buttons property set to 0 when mouse down
35JDK-8277734javafxwebWebView: Update Public Suffix List to 3c213aa
36JDK-8278851security-libsjava.securityCorrect signer logic for jars signed with multiple digest algorithms TLSv1.3 by default on JDK 8u for Client roles hangs if it is called during the ssl handshake
39JDK-8275082security-libsjavax.xml.cryptoUpdate XML Security for Java to 2.3.0
40JDK-8279520security-libsorg.ietf.jgssSPNEGO has not passed channel binding info into the underlying mechanism
41JDK-8157391toolsjdeps left JarFile open fails on headless macos