OpenJDK, Spring and CVE updates, Payara platform, Apache Tomcat updates

This week’s Java Roundup for May 16, 2022 features OpenJDK news for JDK 19, Jakarta EE 10, Spring Milestones and Point Releases and CVEs, May Payara Platform Release 2022, Quarkus 2.9.1.Final, Micronaut 3.4.4, WildFly 16.1. 1, Hibernate ORM 5.6.9.Final, Hibernate Reactive 11.5.Final, JDKMon 17.0.25, JobRunr 5.1.2, JReleaser early-access, Apache Tomcat point releases and Apache Camel 3.17.0.


Although its week-long exam ended on May 19, 2022, JEP 405, Record Patterns (Preview), still remains as Proposed to target status for JDK 19. This JEP, under the auspices of the Amber project, proposes to improve the language with save templates to deconstruct the record values. Registration templates can be used in conjunction with types of models to “enable a powerful, declarative, and composable form of navigation and data processing”. Type patterns have recently been extended for use in switch case labels via JEP 406, Pattern Matching for switch (Preview) (shipped in JDK 17) and JEP 420, Pattern Matching for switch (Second Preview) (shipped in JDK 18).

JEP 428, Structured Concurrency (Incubator), was promoted from its PEC project 8277129 for Candidate status. This incubating JEP, under the auspices of the Loom project, proposes to simplify multithreaded programming by introducing a library to treat multiple tasks executed in different threads as a single unit of work. This can streamline error handling and cancellation, improve reliability, and improve observability.

JDK 19

Version 23 of the early access builds of JDK 19 was made available last week, with updates to version 22 that include fixes to various issues. More details can be found in the release notes.

As the established target date for Rampdown Phase 1 approaches June 9, 2022, the feature set for JDK 19 currently sits at these six features:

Developers are encouraged to report bugs through the Java Bug Database.

Jakarta EE

On the road to Jakarta EE 10, Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, announced in his weekly blog Hashtag Jakarta EE that the new target date for the Jakarta EE 10 platform specification to enter its release review is June 9, 2022 This decision was made to ensure that enterprise applications will be fully compatible with JDK 11 and JDK 17. Also, Eclipse GlassFish, having recently provided an intermediate pre-release between 7.0 .0-M4 and the upcoming 7.0.0-M5, is on track to pass the TCK for JDK 11, but work remains to pass the TCK on JDK 17.

spring frame

It’s been a busy week for the Spring team, delivering a number of point releases, milestone releases, and CVEs related to Spring Boot, Spring for GraphQL, Spring Data, Spring Session, and Spring Security.

Spring Boot 2.7.0 was released to provide: automatic configuration and metrics for Spring for GraphQL 1.0; and new annotations, @DataCouchbaseTest and @DataElasticsearchTest, for testing on Couchbase and Elasticsearch, respectively. Dependency upgrades include: Spring Data 2021.2, Spring HATEOAS 1.5, Spring LDAP 2.4, Spring Security 5.7, and Spring Session 2021.2. More details about this release can be found in the release notes. InfoQ will follow with more detailed news.

Spring Boot 2.6.8 has been released with 35 bug fixes, documentation improvements, and dependency upgrades. More details about this release can be found in the release notes.

Spring Boot 2.5.14 has been released with 29 bug fixes, documentation improvements, and dependency upgrades. The 2.5 release train has reached its end of life and developers should consider upgrading to a higher version of Spring Boot. More details about this release can be found in the release notes.

On the way to Spring Boot 3.0.0, the third stage release has been made available with: auto-configuration for micrometric observation, plotting and OtlpMeterRegistry; and support for REST Assured and Pooled JMS has been restored. More details about this release can be found in the release notes.

Two years after the first commit and 10 months since its first introduction to the Java community, Spring for GraphQL 1.0 was released with: an annotation-based programming model for data fetchers; Querydsl and Query by Example repositories as data retrievers; improved server, client, and testing on HTTP, WebSocket, and RSocket; and security at the field level with data annotations @Controller methods. InfoQ will follow with more detailed news.

Spring Data 2021.2 and the fourth milestone release of 2022.0 have been released. The 2022.0 release train will be based on Spring Framework 6, JDK 17, and Jakarta EE 9. Features of Spring Data 2021.2, codenamed Raj, include: Update methods in the data-mongodb module; better support for @IdClass handling in the data-jpa module; support for reindexing in data-elasticsearch module; and direct projections for data-cassandra module. More details about this release can be found in the release notes.

Spring Session 2021.2 has been released with a dependency upgrade to Spring Data 2021.2. This release is also a gateway to the next generation of Spring Session which will be based on Spring Framework 6.0.

CVE-2022-22978, Authorization Bypass in RegexRequestMatcher, was issued, but inadvertently identified as CVE-2022-22975. Applications using an instance of RegexRequestMatcher class with ‘.‘ in a regular expression are potentially vulnerable to permission bypass.

CVE-2022-22976, BCrypt ignores salt rounds for a work factor of 31, was also issued to resolve an integer overflow error that prevents the encoder from performing salt rounds.

Spring Security versions 5.7.1, 5.6.5 and 5.5.8 have been released and provide a bug fix where an instance of the StrictHttpFirewall incorrectly rejects valid Chinese, Japanese, Korean, and Vietnamese (CJKV) characters.

Spring Security versions 5.7.0, 5.6.4, 5.5.7 have also been released to fix the aforementioned CVE-2022-22978 and CVE-2022-22976 vulnerabilities.

On the road to Spring Security 6.0.0, the fifth stage release has been made available to bring notable changes such as: required authorization for each deployment type; change the default value of shouldFilterAllDispatchTypes property at true; modify the default security context filter of the SecurityContextPersistenceFilter class at the SecurityContextHolderFilter classroom; and remove all deprecations defined in the SAML API. This release also includes the fix where an instance of StrictHttpFirewall class incorrectly rejects valid CJKV characters.


Payara has released the May 2022 edition of its Payara platform as an enterprise-only version. Payara Platform Enterprise 5.39.0 edition provides four bug fixes, two component upgrades and five enhancements which include: support for JDK 17; and the ability to specify timeout options when invoking the admin console. More details about this release can be found in the release notes.


One week after the release of Quarkus 2.9.0, Red Hat provided a maintenance release with Quarkus 2.9.1.Final which contains bug fixes and documentation improvements as well as dependency upgrades which include: GraalVM 22.1, Hibernate Reactive 1.1.5.Final, Hibernate ORM 5.6.9.Final, Micrometer BOM 1.8.6 and Infinispan 13.0.10.Final. More details about this release can be found in the changelog.


The Micronaut Foundation released Micronaut 3.4.4 with updates to Micronaut modules: Micronaut Maven Plugin 3.2.4, Micronaut SQL 4.2.3, Micronaut JAX-RS 3.2.1, Micronaut Oracle Cloud 2.1.3, Micronaut MQTT 2.1. 1 and Micronaut OpenAPI 4.0.1. More details about this release can be found in the release notes.


Five weeks after the release of WildFly 26.1, Red Hat provided a maintenance release with version 26.1.1 including many component upgrades including: WildFly Core 18.1.1.Final, Smallrye Config 2.10.0, Smallrye Health 3.2.1, Netty 4.1.76 and RESTEasy 6.0.1.Final. More details about this release can be found in the release notes.


JBoss provided updates on Hibernate ORM and Hibernate Reactive last week.

Hibernate ORM 5.6.9.Final, a maintenance release of the 5.6 release series, provides critical bug fixes and fixes.

Hibernate Reactive 1.1.5.Final provides a critical bug fix for developers using the Stage.SessionFactory and Stage.Session interfaces. Developers should also upgrade to this latest version if their application occasionally throws a “No active Vert.x context” Error message.


The latest version of JDKMon, a new tool that monitors and updates installed JDKs, has been released to the Java community. Created by Gerrit Grunwald, principal engineer at Azul, version 17.0.25 comes with: fixes related to the Linux version; and the indicator for CVEs has been replaced with a new one.

Job Runr

Ronald Dehuysser, founder and lead developer of JobRunr, a utility for performing background processing in Java, released version 5.1.2 including: support for providing an interval instead of a cron expression with the @Recurring annotation; and allow an instance of JobContext class to define in MockJobContext trials.


An updated early access version of JReleaser was made available last week with: dependency upgrades to aws-java-sdk 1.12.220, jsonschema 4.24.3, sshj 0.33.0, tika 2.4.0 and mockito 4.5.1.

Apache Tomcat

It was also a busy week for the Apache Tomcat team, which provided point releases for the 9.0, 10.0, and 10.1 trains.

Versions 9.0.63, 10.0.21, and 10.1.0-M5 all feature: a property source that retrieves values ​​from Kubernetes service bindings; identify the root cause of the Linux kernel duplicate acceptance bug; a dependency upgrade to Tomcat Native Library 1.2.3 to support Windows binaries built with OpenSSL 1.1.1o; and support for private keys encrypted in PKCS#1 format when configuring the internal in-memory keystore.

Apache Tomcat 10.1.0-M15 is an important alpha release to provide developers with early access to new features in the Apache Tomcat 10.1 release series.

apache camel

The Apache Software Foundation has released Apache Camel 3.17.0 with 220 bug fixes, improvements, and dependency upgrades, including: Spring Boot 2.6.7; Kamelets 0.8.1 for the camel-jbang module; Google Cloud Library Bill of Materials 25.2.0; Jakarta Mail 1.6 (Jakarta EE 8); and the maven-bundle-plugin module to fix OSGi reproducibility issues. More details about this release can be found in the release notes.

Source link

Steven L. Nielsen