Java News Roundup: Hibernate 6.0, JobRunr 5.0, JHipster 7.8.0, Spring CVEs, JReleaser 1.0-RC2

This week’s Java roundup for March 28th, 2022 features news from JDK 19, Spring Boot, Spring CVEs, Apache Tomcat point releases, Quarkus Tools for Visual Studio Code, Micronaut 3.4.1, JetBrains joins the Micronaut Foundation, Open Liberty Paketo Liberty Buildpack, Hibernate 6.0, JobRunr 5.0, WildFly 26.1 Beta S2I images, JReleaser 1.0-RC2, MicroStream 7.0-M2, JHipster 7.8.0, JMH 1.35.

JDK 19

Build 16 of the JDK 19 early-access builds was made available this past week, featuring updates from Build 15 that include fixes to various issues. More details may be found in the release notes.

For JDK 19, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

Spring Framework versions 5.3.18 and 5.2.20 were released in response to CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+, where a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution via data binding. This has been dubbed Spring4Shell. InfoQ will follow up with a more detailed news story.
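The announcement above points to data binding as the exposure. Upgrading to 5.3.18 or 5.2.20 is the fix; for applications that cannot upgrade immediately, the Spring team's advisory described a workaround based on restricting which request parameters the `WebDataBinder` is allowed to bind. The following is an added illustration of that idea written for this roundup, not code from the Spring project or from InfoQ. The `@ControllerAdvice` class name and the `Order` entity are assumptions used for the example; the `class.*`/`Class.*` denylist patterns are the ones the advisory published, and the allow-list variant is the stricter option a reviewer would normally prefer.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Hypothetical global binder configuration (name assumed for this example).
 * It runs for every controller before request parameters are bound into
 * command/form objects, which is exactly where CVE-2022-22965 was reachable.
 *
 * LOWEST_PRECEDENCE means controller-local @InitBinder methods run first and
 * this advice applies last, so it cannot be accidentally overridden by a
 * narrower binder that forgot the restriction.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    /**
     * Denylist variant: block traversal into the bound object's Class
     * metadata. These four patterns are the ones Spring's advisory listed;
     * both capitalisations are needed because field-pattern matching in the
     * affected versions is case-sensitive.
     */
    @InitBinder
    public void restrictBinding(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}

/**
 * Allow-list variant for a single controller (the 'Order' form object and
 * its field names are constructed for this example). Binding only the
 * fields the form legitimately needs is the stronger, long-term control:
 * anything not named here, including nested 'class.*' paths, is ignored,
 * so the protection does not depend on guessing every dangerous spelling.
 */
class OrderFormBinding {

    @InitBinder("order")
    public void allowOnlyFormFields(WebDataBinder dataBinder) {
        dataBinder.setAllowedFields("customerName", "quantity", "shippingAddress.*");
    }
}
```

The denylist is the drop-in mitigation; the allow-list is what to move to once the forms are inventoried. Neither replaces the upgrade, and the advice applies only to `WebDataBinder` usage: code that binds request data through other paths (for example, manual `BeanWrapper` use) needs its own review.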

Spring Framework 5.3.17 was released to address CVE-2022-22950: Spring Expression DoS Vulnerability, where it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service condition.

Spring Cloud Function versions 3.1.7 and 3.2.3 were released to address CVE-2022-22963: Remote Code Execution in Spring Cloud Function by Malicious Spring Expression, where it is possible for a user, while using routing functionality, to provide a specially crafted SpEL routing expression that may result in a remote code execution that would expose access to local resources.

Versions 2.6.6 and 2.5.12 of Spring Boot were released featuring dependency upgrades to Spring Framework 5.3.18 and Jackson BOM versions and, respectively. Both of these point releases contain Spring Framework versions 5.3.18 and 5.2.20 that address CVE-2022-22965.

Spring Cloud Azure 4.0 has been released that ships with: simplified dependency management; extended support of the Azure Support module; and a redesigned Spring module dependency model to provide a more flexible approach to address different application approaches.

As a follow-up from SpringOne 2021, Jürgen Höller, senior staff engineer and Spring Framework project lead at VMware, provided an update on the adoption of JDK 17 and beyond, writing:

We established the new baseline on our main branches, with a few milestones out already. The feedback has been very positive, not only in terms of framework improvements but also in terms of the motivation for a Java upgrade at the application level. Of course, it does not end with JDK 17 LTS: JDK 18 is an immediate option already, JDK 19 will be the current release when we go final later this year, with JDK 20 to be in early access by then – and JDK 21 LTS on the horizon already.

Apache Tomcat

It was a busy week for the Apache Tomcat team as they provided point releases for the 8.5, 9.0 and 10.0 release trains.

Versions 8.5.78, 9.0.62, 10.0.2 and 10.1.0-M14 alpha all feature: an update to the packaged version of the Tomcat Native Library 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n; improved logging of unknown HTTP/2 settings frames; additional warnings if incompatible TLS configurations are used (such as HTTP/2 with CLIENT-CERT authentication); and a hardening of the class loader to provide a mitigation for CVE-2022-22965, i.e., Spring4Shell.

The 8.5 and 9.0 release trains serve as the open-source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.

The 10.0 and 10.1 milestone release trains serve as the open-source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Micronaut

The Micronaut Foundation has released Micronaut 3.4.1 featuring: support for the @JsonNaming and @JsonProperty annotations in the BeanIntrospectionModule class; allow serialization of null; an update to jackson-databind; and dependency upgrades to Micronaut Serialization 1.0.1; Micronaut AOT 1.0.1; Micronaut Maven Plugin 3.2.1; and Micronaut Servlet 3.2.2. Further details about this release may be found in the changelog.

The Micronaut Foundation has also announced that JetBrains s.r.o. has joined the foundation as a Tools and Infrastructure Partner. JetBrains joins Gradle Inc., which joined in early January 2022 as the very first partner. Established in June 2020 as a not-for-profit organization, the Micronaut Foundation, supported by the Technology Advisory Board, advances innovation and adoption of the Micronaut framework.

Open Liberty

IBM has introduced the Paketo Liberty Buildpack, a set of executables that inspects application source code and creates a build plan. Based on Paketo Buildpacks, which implement the Cloud Native Computing Foundation buildpack specification, the Paketo Liberty Buildpack is designed to transform application source code into container images and maintain them.

JobRunr

JobRunr, a utility to perform background processing in Java, has released version 5.0 to include a number of new features such as: support for Spring Native and the Mapped Diagnostic Context provided by SLF4J; scheduling recurring jobs with a defined interval; integration with Micrometer; easier integration with multiple databases; and support to execute jobs on the last day of the week or last day of the month. InfoQ will follow up with a more detailed news story.

MicroStream

One week after the first beta release, the second beta release of MicroStream 7.0 was made available featuring a new Android type handler due to reflection restrictions in newer versions of Android.

Java Microbenchmark Harness (JMH)

JMH 1.35 has been released featuring fixes such as: SingleShot mode should handle more than one invocation of the @OperationsPerInvocation annotation; the async profiler using the wrong option for profiler output; the perfasm profiler not accepting the freq=max and showCounts=x options, the latter supporting configurable event count normalization; and an improvement to the perfasm metadata so that the actual version number, not the compilationID, is displayed.