Software Update: Oracle Java 9.0.4

Oracle has released version 9.0.4 of Java Standard Edition, as usual in Java SE Development Kit (JDK), Java Runtime Environment (JRE), and Server Java Runtime Environment (Server JRE). The downloads are available for Windows, Linux, macOS and Solaris. The corresponding release notes look like this:

Java SE Development Kit 9.0.4 (JDK 9.0.4)

The full version string for this update release is 9.0.4+11 (where “+” means “build”). The version number is 9.0.4.

For the January CPU, two different JDK9 bundles have been released:

• Oracle JDK 9.0.4 (contains non-public commercial features, deploy, installers, etc.)
• OpenJDK 9.0.4 (built only from OpenJDK source code)

This page provides release notes for both bundles. Content that only applies to a specific bundle is presented in sections that contain either OpenJDK or Oracle JDK in their titles. Changes that apply to both bundles are presented in sections that do not have OpenJDK or Oracle JDK in their titles.

NOTE: This is the final planned release for JDK 9.
Users of JDK 9 should update to JDK 10 between its release in March 2018 and the next planned Critical Update Release in April 2018.

IANA Dates 2017c
JDK 9.0.4 contains IANA time zone data version 2017c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 9.0.4 are specified in the following table:
JRE Family Version JRE Security Baseline 9 9.0.4+11 8 1.8.0_161-b12 7 1.7.0_171-b11 6 1.6.0_181-b10

JRE Expiration Date for Oracle JDK
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 9.0.4) will expire with the release of the next critical patch update scheduled for April 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 9.0.4) on May 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features in OpenJDK 9

• security-libs/java.security – Open source the root certificates in Oracle’s Java SE Root CA program
  The OpenJDK 9 binary for Linux x64 contains an empty cacerts keystore. This prevents TLS connections from being established because there are no Trusted Root Certificate Authorities installed. As a workaround for OpenJDK 9 binaries, users had to set the javax.net.ssl.trustStore System Property to use a different keystore.
  “JEP 319: Root Certificates” addresses this problem by populating the cacerts keystore with a set of root certificates issued by the CAs of Oracle’s Java SE Root CA Program. As a prerequisite, each CA must sign the Oracle Contributor Agreement (OCA) or an equivalent agreement, to grant Oracle the right to open-source their certificates.

New Features

• security-libs/javax.net.ssl ​​- Added TLS session hash and extended master secret extension support
  Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Property jdk.tls.useExtendedMasterSecret to false in the JDK. By setting the System Property jdk.tls.allowLegacyResumption to false, an application can reject abbreviated handshaking when the session hash and extended master secret extension is not negotiated. By setting the System Property jdk.tls.allowLegacyMasterSecret to false, an application can reject connections that do not support the session hash and extended master secret extension.
• security-libs/javax.net.ssl ​​- Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
  The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHEExtension to false.
• other-libs/corba – Add additional IDL stub type checks to org.omg.CORBA.ORBstring_to_object method
  Applications that either explicitly or implicitly call org.omg.CORBA.ORB.string_to_object, and wish to ensure the integrity of the IDL stub type involved in the ORB::string_to_object call flow, should specify additional IDL stub type checking. This is an “opt in” feature and is not enabled by default.
  To take advantage of the additional type checking, the list of valid IDL interface class names of IDL stub classes is configured by one of the following:
  • Specifying the security property com.sun.CORBA.ORBIorTypeCheckRegistryFilter located in the file conf/security/java.security in Java SE 9 or in jre/lib/security/java.security in Java SE 8 and earlier.
  • Specifying the system property com.sun.CORBA.ORBIorTypeCheckRegistryFilter with the list of classes. If the system property is set, its value overrides the corresponding property defined in the java.security configuration.

  If the com.sun.CORBA.ORBIorTypeCheckRegistryFilter property is not set, the type checking is only performed against a set of class names of the IDL interface types corresponding to the built-in IDL stub classes.

changes

• security-libs/javax.crypto – RSA public key validation
  In 9.0.4, the RSA implementation in the SunRsaSign provider will reject any RSA public key that has an exponent that is not in the valid range as defined by PKCS#1 version 2.2. This change will affect JSSE connections as well as applications built on JCE.
• security-libs/javax.crypto – Provider default key size is updated
  This change updates the JDK providers to use 2048 bits as the default key size for DSA instead of 1024 bits when applications have not explicitly initialized the java.security.KeyPairGenerator and java.security.AlgorithmParameterGenerator objects with a key size.
  If compatibility issues arise, existing applications can set the system property jdk.security.defaultKeySize introduced in JDK-8181048 with the algorithm and its desired default key size.
• security-libs/javax.crypto – Stricter key generation
  The generateSecret(String) method has been mostly disabled in the javax.crypto.KeyAgreement services of the SUN and SunPKCS11 providers. Invoking this method for these providers will result in a NoSuchAlgorithmException for most algorithm string arguments. The previous behavior of this method can be re-enabled by setting the value of the jdk.crypto.KeyAgreement.legacyKDF system property to true (case insensitive). Re-enabling this method by setting this system property is not recommended.
• security-libs/javax.net.ssl ​​- Disable exportable cipher suites
  To improve the strength of SSL/TLS connections, exportable cipher suites have been disabled in SSL/TLS connections in the JDK by the jdk.tls.disabledAlgorithms Security Property.
• core-svc/javax.management – JMX Connections need deserialization filters
  New public attributes, RMIConnectorServer.CREDENTIALS_FILTER_PATTERN and RMIConnectorServer.SERIAL_FILTER_PATTERN have been added to RMIConnectorServer.java. With these new attributes, users can specify the deserialization filter pattern strings to be used while making a RMIServer.newClient() remote call and while sending deserializing parameters over RMI to server respectively.
  The user can also provide a filter pattern string to the default agent via management.properties. As a result, a new attribute is added to management.properties.
  Existing attribute RMIConnectorServer.CREDENTIAL_TYPES is superseded by RMIConnectorServer.CREDENTIALS_FILTER_PATTERN and has been removed.

Bug Fixes

• deploy/webstart – JNLP files won’t launch from IE11 on Windows 10 Creators Update
  Web-start applications cannot be launched when clicking JNLP link from IE 11 on Windows 10 Creators Update when 64-bit JRE is installed. Workaround is to uninstall 64-bit JRE and use only 32-bit JRE.
• This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 9.0.4 Bug Fixes page.