JDK 24.0.1 Release Notes

Java™ SE Development Kit 24.0.1 (JDK 24.0.1)

Release date: April 15, 2025

The full version string for this update release is 24.0.1+9 (where "+" means "build"). The version number is 24.0.1. This JDK conforms to version 24 of the Java SE Specification (JSR 399 2025-03-18).

IANA TZ Data 2025a

JDK 24.0.1 contains IANA time zone data 2025a which contains the following changes:

  • Paraguay adopts permanent -03 starting spring 2024.
  • Improve pre-1991 data for the Philippines.
  • Etc/Unknown is now reserved.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 24.0.1 are specified in the following table:

Java Family Version    Security Baseline (Full Version String)
24                     24.0.1+9
21                     21.0.7+8
17                     17.0.15+9
11                     11.0.27+8
8                      1.8.0_451-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 24.0.1) be used after the next critical patch update scheduled for July 15, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews, such as identifying potentially vulnerable third-party libraries used by your Java programs. Existing Java Management Service users can log in to their dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java installations.

Notable Issues Resolved

core-svc/javax.management
 Resolved: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows (JDK-8350820)

On Windows, the OperatingSystemMXBean CPU load methods, getSystemCpuLoad, getCpuLoad, and getProcessCpuLoad, were failing and always returning -1. This error affected CPU usage monitoring of Windows targets. This is resolved in this release.

Other Notes

security-libs/javax.net.ssl
 Distrust TLS Server Certificates Anchored by Camerfirma Root Certificates and Issued After April 15, 2025 (JDK-8346587)

The JDK will stop trusting TLS server certificates issued after April 15, 2025 and anchored by Camerfirma root certificates, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft.

TLS server certificates issued on or before April 15, 2025 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after April 15, 2025.

An application will receive an exception with a message indicating the trust anchor is not trusted, for example:

"TLS Server certificate issued after 2025-04-15 and anchored by a distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU"

The JDK can be configured to trust these certificates again by removing "CAMERFIRMA_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Camerfirma Root certificates included in the JDK:

Root Certificates distrusted after 2025-04-15

Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
SHA-256 Fingerprint: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3

Distinguished Name: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
SHA-256 Fingerprint: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0

Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
SHA-256 Fingerprint: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any certificate in the chain listed in the output is issued by one of the root CAs in the table above, you will need to update the certificate or contact the organization that manages the server.

core-svc/tools
 JarInputStream Treats Signed JARs with Multiple Manifests As Unsigned (JDK-8337494 (not public))

The JarInputStream class now treats a signed JAR as unsigned if it detects a second manifest within the first two entries in the JAR file. A warning message "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned." is logged if the system property, -Djava.security.debug=jar, is set.

security-libs/java.security
 Compatible OCSP readtimeout Property with OCSP Timeout (JDK-8347506)

In JDK 21, an enhanced syntax for various timeout properties was released through JDK-8179502. This included a new system property, com.sun.security.ocsp.readtimeout, which allows users to control the timeout while reading OCSP responses after a successful TCP connection has been established.

This release changes the default of com.sun.security.ocsp.readtimeout from its original 15 seconds to the value of the com.sun.security.ocsp.timeout system property. If com.sun.security.ocsp.timeout is also not set, its own default of 15 seconds is propagated to com.sun.security.ocsp.readtimeout.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

Issues fixed in 24.0.1:
#   JBS          Component/Subcomponent        Summary
1   JDK-8347911  client-libs/javax.imageio     Limit the length of inflated text chunks
2   JDK-8345614  core-libs/java.lang:reflect   Improve AnnotationFormatError message for duplicate annotation interfaces
3   JDK-8347256  hotspot/gc                    Epsilon: Demote heap size and AlwaysPreTouch warnings to info level
4   JDK-8347564  hotspot/gc                    ZGC: Crash in DependencyContext::clean_unloading_dependents
5   JDK-8346082  hotspot/jvmti                 Output JVMTI agent information in hserr files
6   JDK-8347129  hotspot/runtime               cpuset cgroups controller is required for no good reason
7   JDK-8344361  security-libs/java.security   Restore null return for invalid services from legacy providers
8   JDK-8349058  tools/javac                   'internal proprietary API' warnings make javac warnings unusable