This week's Java roundup for March 28th, 2022, features news from JDK 19, Spring Boot, Spring CVEs, Apache Tomcat point releases, Quarkus Tools for Visual Studio Code, Micronaut 3.4.1, JetBrains joining the Micronaut Foundation, Open Liberty Paketo Liberty Buildpack, Hibernate 6.0, JobRunr 5.0, WildFly 26.1 Beta S2I images, JReleaser 1.0-RC2, MicroStream 7.0-M2, JHipster 7.8.0, and JMH 1.35.
JDK 19
Build 16 of the JDK 19 early-access builds was made available this past week, featuring updates from Build 15 that include fixes to various issues. More details may be found in the release notes.
For JDK 19, developers are encouraged to report bugs via the Java Bug Database.
Spring Framework
Spring Framework versions 5.3.18 and 5.2.20 were released in response to CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+, where a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution via data binding. This vulnerability has been dubbed Spring4Shell. InfoQ will follow up with a more detailed news story.
Spring Framework 5.3.17 was released to address CVE-2022-22950: Spring Expression DoS Vulnerability, where it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service condition.
Spring Cloud Function versions 3.1.7 and 3.2.3 were released to address CVE-2022-22963: Remote Code Execution in Spring Cloud Function by Malicious Spring Expression, where it is possible for a user, while using routing functionality, to provide a specially crafted SpEL routing expression that may result in a remote code execution that would expose access to local resources.
Versions 2.6.6 and 2.5.12 of Spring Boot were released featuring dependency upgrades to Spring Framework 5.3.18 and Jackson BOM versions 2.13.2.20220328 and 2.12.6.20220326, respectively. Both of these point releases contain Spring Framework versions 5.3.18 and 5.2.20 that address CVE-2022-22965.
Spring Cloud Azure 4.0 has been released that ships with: simplified dependency management; extended support of the Azure Support module; and a redesigned Spring module dependency model to provide a more flexible approach to address different application approaches.
As a follow-up from SpringOne 2021, Jürgen Höller, senior staff engineer and Spring Framework project lead at VMware, provided an update on the adoption of JDK 17 and beyond, writing:
We established the new baseline on our main branches, with a few milestones out already. The feedback has been very positive, not only in terms of framework improvements but also in terms of the motivation for a Java upgrade at the application level. Of course, it does not end with JDK 17 LTS: JDK 18 is an immediate option already, JDK 19 will be the current release when we go final later this year, with JDK 20 to be in early access by then - and JDK 21 LTS on the horizon already.
Apache Tomcat
It was a busy week for the Apache Tomcat team as they provided point releases for the 8.5, 9.0 and 10.0 release trains.
Versions 8.5.78, 9.0.62, 10.0.2 and 10.1.0-M14 alpha all feature: an update to the packaged version of the Tomcat Native Library 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n; improved logging of unknown HTTP/2 settings frames; additional warnings if incompatible TLS configurations are used (such as HTTP/2 with CLIENT-CERT authentication); and a hardening of the class loader to provide a mitigation for CVE-2022-22965, i.e., Spring4Shell.
The 8.5 and 9.0 release trains serve as the open-source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.
The 10.0 and 10.1 milestone release trains serve as the open-source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
Quarkus
Red Hat has released Quarkus Tools for Visual Studio Code 1.10.0 featuring: a more easily discoverable "Deploy to OpenShift" command; a new Qute Language Server to support completion, validation, hover, etc.; enhancements to the Qute Templating Engine; validation that the @ConfigMapping annotation may only be placed on interfaces; and support for the @ApplicationPath annotation to handle the project URL as an alternative to the properties support extension. More details on this release may be found in the changelog.
Micronaut
The Micronaut Foundation has released Micronaut 3.4.1 featuring: support for the @JsonNaming and @JsonProperty annotations in the BeanIntrospectionModule class; allowing serialization of null; an update to jackson-databind 2.13.2.2; and dependency upgrades to Micronaut Serialization 1.0.1; Micronaut AOT 1.0.1; Micronaut Maven Plugin 3.2.1; and Micronaut Servlet 3.2.2. Further details about this release may be found in the changelog.
The Micronaut Foundation has also announced that JetBrains s.r.o has joined the foundation as a Tools and Infrastructure Partner. JetBrains joins Gradle Inc., who joined in early January 2022 as the very first partner. Established in June 2020 as a not-for-profit organization, the Micronaut Foundation, supported by the Technology Advisory Board, advances innovation and adoption of the Micronaut framework.
Open Liberty
IBM has introduced the Paketo Liberty Buildpack, a set of executables that inspects application source code and creates a build plan. Based on Paketo Buildpacks, which implement the Cloud Native Computing Foundation buildpack specification, the Paketo Liberty Buildpack is designed to transform application source code into container images and maintain them.
WildFly
The WildFly 26.1 Beta Source-to-Image (S2I) Docker images have been released on quay.io, Red Hat's utility to build, analyze and distribute container images. The quay.io/wildfly/wildfly-centos7 and quay.io/wildfly/wildfly-runtime-centos7 images, deprecated since WildFly 26, will be replaced with a new architecture based on version 3.0 of the WildFly Application Server Maven Plugin.
Hibernate
Hibernate ORM 6.0 was released this past week, shipping with new features such as: support for the Jakarta Persistence specification; performance improvements via a change from read-by-name to read-by-position from a ResultSet; a new Mapping Model SPI related to the new read-by-position paradigm; redesigned annotations for type safety; and an updated Semantic Query Model. InfoQ will follow up with a more detailed news story.
JobRunr
JobRunr, a utility to perform background processing in Java, has released version 5.0 to include a number of new features such as: support for Spring Native and the Mapped Diagnostics Context provided by SLF4J; scheduling of recurring jobs with a defined interval; integration with Micrometer; easier integration with multiple databases; and support for executing jobs on the last day of the week or last day of the month. InfoQ will follow up with a more detailed news story.
JReleaser
On the road to version 1.0.0, the second release candidate and updated early-access releases of JReleaser were made available this past week featuring: dependency upgrades to aws-java-sdk 1.12.191, jsonschema 4.24.1 and Download Gradle Plugin (downloadPluginVersion) 5.0.4; a fix for the commit message not being properly parsed on Windows; and a fix to resolve the "Cannot parse version '2000.0.0[.A]' with 'YYYY.MINOR.MICRO[.MODIFIER]'" error message.
JHipster
Version 7.8.0 of JHipster has been released to include: a dependency upgrade to Spring Boot 2.6.6; support for Java 18; an implementation of the React Micro Frontend; a fix to Couchbase pagination requests for entities with relationships; and many library upgrades. More details about this release may be found in the changelog.
MicroStream
One week after the first beta release, the second beta release of MicroStream 7.0 was made available featuring a new Android type handler due to reflection restrictions in newer versions of Android.
Java Microbenchmark Harness (JMH)
JMH 1.35 has been released featuring fixes such as: SingleShot mode should handle more than one invocation of the @OperationsPerInvocations annotation; the async profiler using the wrong option for profiler output; the perfasm profiler not accepting the freq=max and showCounts=x options, the latter to support configurable event count normalization; and an improvement in the perfasm metadata in which the actual version number, not compilationID, is displayed.