JDK 17.0.15 Release Notes
Java™ SE Development Kit 17, Update 17.0.15 (JDK 17.0.15)
April 15, 2025
The full version string for this update release is 17.0.15+9 (where "+" means "build"). The version number is 17.0.15. This JDK conforms to version 17.1 of the Java SE Specification (JSR 392 MR 1 2024-07-02).
IANA TZ Data 2025a
JDK 17.0.15 contains IANA time zone data 2025a which contains the following changes:
- Paraguay adopts permanent -03 starting spring 2024.
- Improve pre-1991 data for the Philippines.
- Etc/Unknown is now reserved.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime at the time of the release of JDK 17.0.15 are specified in the following table:
| Java Family Version | Security Baseline (Full Version String) |
|---|---|
| 17 | 17.0.15+9 |
| 11 | 11.0.27+8 |
| 8 | 1.8.0_451-b10 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 17.0.15) be used after the next critical patch update scheduled for July 15, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
New Features
This feature delivers an enhanced syntax for properties related to certificate, CRL, and OCSP connect and read timeouts. The new syntax allows the timeout values to be specified either in seconds or milliseconds. This feature also delivers three new System properties related to connect and read timeouts.
New properties: The existing com.sun.security.ocsp.timeout property will now be paired with the new com.sun.security.ocsp.readtimeout property. The former property will be used to set timeouts for the transport-layer connection while the latter will be used to manage timeouts for reading the data. The default value for the com.sun.security.ocsp.readtimeout System property will be the same as whatever value is set for the com.sun.security.ocsp.timeout property, even if the latter property is not set (in which case both properties will be set to the default value of com.sun.security.ocsp.timeout). The new com.sun.security.cert.timeout and com.sun.security.cert.readtimeout properties will be used to control connect and read timeouts, respectively, when following an X.509 certificate's AuthorityInfoAccess extension. For the certificate fetching properties, the com.sun.security.enableAIAcaIssuers property must be set to true in order for fetching to occur and these property timeouts to be enabled.
Enhanced timeout syntax: The new syntax applies to the aforementioned properties, and also to the com.sun.security.crl.timeout and com.sun.security.crl.readtimeout properties as well. The allowed syntax is as follows:
- A decimal integer will be interpreted in seconds and ensures backward compatibility.
- A decimal integer ending in "s" (case-insensitive, no space) appended to it. This will also be interpreted in seconds.
- A decimal integer value with "ms" (case-insensitive, no space) appended to it. This will be interpreted as milliseconds. For example, a value of "2500ms" will be a 2.5 second timeout.
- Negative, non-numeric, or non-decimal (for example, hexadecimal values prepended by "0x") values will be interpreted as illegal and will default to the 15 second timeout.
- Whether the value is interpreted in seconds or milliseconds, a value of zero will disable the timeout.
Native PKCS11 mechanisms which support decryption but not encryption, or signature verification but not signing, are considered legacy and are disabled by default. The legacy mechanism check in SunPKCS11 provider is enhanced with the service type. For example, prior to this fix, a mechanism supporting encryption, decryption, and verification but not signing, is considered legacy and can't be used at all. After this fix, the corresponding Cipher service using this mechanism is available since both encryption and decryption are supported. However, the corresponding Signature service is not since only verification is supported. To bypass the legacy mechanism check, set the PKCS11 provider configuration attribute "allowLegacy" to true. The default value is false. Note that it is the caller's responsibility to make sure the legacy mechanism is not used for the unsupported functionality.
Other Notes
The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft.
TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after April 15, 2025.
An application will receive an exception with a message indicating the trust anchor is not trusted, for example:
"TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy
Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A.,
SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"
The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Camerfirma Root certificates included in the JDK:
| Distinguished Name | SHA-256 Fingerprint |
|---|---|
| CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU |
0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3 |
| CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU |
06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0 |
| CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU |
13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA |
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.
The JarInputStream class now treats a signed JAR as unsigned if it detects a second manifest within the first two entries in the JAR file. A warning message "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned." is logged if the system property, -Djava.security.debug=jar, is set.
In prior releases, JNI_GetCreatedJavaVMs:
jint JNI_GetCreatedJavaVMs(JavaVM **vmBuf, jsize bufLen, jsize *nVMs);
could return a JavaVM, via the vmBuf array, that was still in the process of being initialized and may not be ready for use. This has now changed so that it will only return fully initialized VMs. It is important that the programmer checks that the returned number of VMs, in nVMs, is greater than zero, before trying to use any vmBuf entries.
JDK 17 introduced a performance improvement that made OCSP clients unconditionally use GET requests for small requests, while doing POST requests for everything else. This is explicitly allowed and recommended by RFC 5019 and RFC 6960. However, we have seen OCSP responders that, despite RFC requirements, are not working well with GET requests.
This release introduces a new JDK system property to allow clients to fallback to POST-only behavior. This unblocks interactions with those OCSP responders through the use of -Dcom.sun.security.ocsp.useget={false,true}. This amends the original change that introduced GET OCSP requests (JDK-8179503). The default behavior is not changed; the option defaults to true. Set the option to false to disable GET OCSP requests. Any value other than false (case-insensitive) defaults to true.
This option is non-standard, and might go away once problematic OCSP responders get upgraded.
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
➜ Issues fixed in 17.0.15:
| # | JBS | Component | Summary |
|---|---|---|---|
| 1 | JDK-8274893 | client-libs | Update java.desktop classes to use try-with-resources |
| 2 | JDK-8312518 | client-libs/java.awt | [macos13] setFullScreenWindow() shows black screen on macOS 13 & above |
| 3 | JDK-8309733 | client-libs/javax.accessibility | [macOS, Accessibility] VoiceOver: Incorrect announcements of JRadioButton |
| 4 | JDK-8311160 | client-libs/javax.accessibility | [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem |
| 5 | JDK-8283214 | client-libs/javax.accessibility | [macos] Screen magnifier does not show the magnified text for JComboBox |
| 6 | JDK-8283387 | client-libs/javax.accessibility | [macos] a11y : Screen magnifier does not show selected Tab |
| 7 | JDK-8339728 | client-libs/javax.accessibility | [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class |
| 8 | JDK-8332866 | client-libs/javax.imageio | Crash in ImageIO JPEG decoding when MEM_STATS in enabled |
| 9 | JDK-8347911 | client-libs/javax.imageio | Limit the length of inflated text chunks |
| 10 | JDK-8301989 | client-libs/javax.swing | new javax.swing.text.DefaultCaret().setBlinkRate(N) results in NPE |
| 11 | JDK-8269516 | hotspot/compiler | AArch64: Assembler cleanups |
| 12 | JDK-8338100 | hotspot/compiler | C2: assert(!n_loop->is_member(get_loop(lca))) failed: control must not be back in the loop |
| 13 | JDK-8325937 | hotspot/runtime | runtime/handshake/HandshakeDirectTest.java causes "monitor end should be strictly below the frame pointer" assertion failure on AArch64 |
| 14 | JDK-8344145 | hotspot/test | Remove windows_x64_1803_or_later and it's usages in task definitions |
| 15 | JDK-8331959 | security-libs/javax.crypto:pkcs11 | Update PKCS#11 Cryptographic Token Interface to v3.1 |
| 16 | JDK-8331958 | security-libs/javax.smartcardio | Update PC/SC Lite for Suse Linux to 2.3.0 |