Download Java MSI.
Java logo 512×512 for Microsoft EndPoint Configuration Manager (SCCM/MECM/MEMCM) deployments:
Java 8.0.2710.9
IANA Data 2020a
JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_271-b09 |
7 | 1.7.0_281-b06 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the following Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.
Java SE Subscription customers managing JRE updates/installs for a large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
New Features
Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.
With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.
To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.
Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519,
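An audit of a java.security file against the rules described above, as an added example (not Oracle's code and not part of the original release notes): it expands include jdk.disabled.namedCurves in the three disabledAlgorithms properties and reports which of the 47 listed curves are still enabled for each. The sample file contents are constructed, the reader handles only key=value lines with backslash continuations, and the case-insensitive comparison is an assumption of this sketch.

```python
import re

# The 47 curves the release note lists under jdk.disabled.namedCurves.
WEAK_CURVES = [c.strip() for c in """
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2,
secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2,
sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2,
sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1,
sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3,
X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1,
X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1,
X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1,
brainpoolP384r1, brainpoolP512r1
""".split(",")]

INCLUDABLE = "jdk.disabled.namedCurves"  # the only property that may be included
TARGETS = ("jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms",
           "jdk.jar.disabledAlgorithms")

def parse_properties(text):
    """Minimal java.security reader: #/! comments, key=value, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def effective_entries(props, name):
    """Entries of one disabledAlgorithms property with the include expanded."""
    out = []
    for entry in (e.strip() for e in props.get(name, "").split(",")):
        m = re.fullmatch(r"include\s+(\S+)", entry)
        if m and m.group(1) == INCLUDABLE:
            out += [c.strip() for c in props.get(INCLUDABLE, "").split(",") if c.strip()]
        elif entry:
            out.append(entry)            # ordinary constraint or individual curve
    return out

def audit(text):
    """Map each disabledAlgorithms property to the weak curves it leaves enabled."""
    props = parse_properties(text)
    report = {}
    for name in TARGETS:
        disabled = {e.lower() for e in effective_entries(props, name)}
        report[name] = [c for c in WEAK_CURVES if c.lower() not in disabled]
    return report

# Constructed sample: secp256k1 was removed from the shared list, and the JAR
# property lists that one curve individually instead of using the include.
SAMPLE = (
    "# constructed sample, not a shipped java.security file\n"
    "jdk.disabled.namedCurves = "
    + ", ".join(c for c in WEAK_CURVES if c != "secp256k1") + "\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, \\\n"
    "    include jdk.disabled.namedCurves\n"
    "jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\\n"
    "    include jdk.disabled.namedCurves\n"
    "jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, secp256k1\n"
)

if __name__ == "__main__":
    for prop, enabled in audit(SAMPLE).items():
        print(f"{prop}: {len(enabled)} weak curve(s) still enabled: {enabled[:3]}")
```

An empty list for all three properties means the file still carries the 8u271 defaults for these curves.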
Support for Kerberos Cross-Realm Referrals (RFC 6806)
The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.
Improve Certificate Chain Handling
A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.
Tools Warn If Weak Algorithms Are Used
The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
Support for canonicalize in krb5.conf
The ‘canonicalize’ flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.
The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).
Removed Features and Options
Java Plugin is Removed from JDK 8u for Linux, Solaris, and MacOS Platforms
NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.
Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular libnpjp2 library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.
Other notes
Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections
A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections – a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.
The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is ‘null’ (i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns ‘null’). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.
The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.
Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.
Added 3 SSL Corporation Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ SSL Corporation
+ sslrootrsaca
DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrootevrsaca
DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrooteccca
DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
Added Entrust Root Certification Authority – G4 certificate
The following root certificate has been added to the cacerts truststore:
+ Entrust
+ entrustrootcag4
DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
8u RPM Installer Failed to Install on SUSE When Updating Alternatives
Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn’t register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer has not changed; only the duplicated links have been dropped.
The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:
[macos] Invisible (or Hidden) Text in the Installer Window Using Mac’s Dark Mode
Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To work around this issue, switch to Light mode when running the installer.
Enhanced Support of Proxy Class
The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit. The limit is the maximum number of interfaces allowed per Proxy in the stream. Setting the limit to zero prevents any Proxies from being deserialized, including Annotations; a limit of less than 2 might interfere with RMI operations.
x86
msiexec.exe /i "jre1.8.0_271.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1
x64
msiexec.exe /i "jre1.8.0_27164.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 REMOVEOLDERJRES=1
For uninstall use:
x86
msiexec /x {26A24AE4-039D-4CA4-87B4-2F32180271F0} /qn /norestart
x64
msiexec /x {26A24AE4-039D-4CA4-87B4-2F64180271F0} /qn /norestart
Java 8.0.2610.12
Release Highlights
- IANA Data 2020a
JDK 8u261 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
- New Feature: JDK/JRE Runtime Windows Visual Studio Library (DLL) Dependency Changes
As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain will be used to build JDK 7 and JDK 8 for Windows. JDK 8u261, in the July 2020 CPU, was built with Visual Studio 2017. With the release of the October 2020 CPU, JDK 7u281 will move to Visual Studio 2017.
- New Feature: JEP 332 Transport Layer Security (TLS) 1.3
JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details including a list of the features that are supported, refer to the Java Secure Socket Extension (JSSE) Reference Guide documentation and JEP 332.
- New Feature: New System Properties to Configure the TLS Signature Schemes
Two new System Properties are added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes is added for TLS client side, and jdk.tls.server.SignatureSchemes is added for server side.
- New Feature: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHE to false.
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the following Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u261) be used after the next critical patch update scheduled for October 13, 2020.
Java SE Subscription customers managing JRE updates/installs for a large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u261) on November 13, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version.
x86
msiexec.exe /i "jre1.8.0_261.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1
x64
msiexec.exe /i "jre1.8.0_26164.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 REMOVEOLDERJRES=1
For uninstall use:
x86
msiexec /x {26A24AE4-039D-4CA4-87B4-2F32180261F0} /qn /norestart
x64
msiexec /x {26A24AE4-039D-4CA4-87B4-2F64180261F0} /qn /norestart
Java 8.0.2510.8
TLS Application-Layer Protocol Negotiation Extension
JEP 244 has enhanced the Java Secure Socket Extension (JSSE) to provide support for the TLS Application-Layer Protocol Negotiation Extension (RFC 7301). New methods have been added to the javax.net.ssl classes SSLEngine, SSLSocket, and SSLParameters to allow clients and servers to negotiate an application layer value as part of the TLS handshake.
Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the java.security.spec and javax.crypto.spec packages for supporting additional RSASSA-PSS parameters.
WebEngine Limits JavaScript Method Calls for Certain Classes
JavaScript programs that are run in the context of a web page loaded by WebEngine can communicate with Java objects passed from the application to the JavaScript program. JavaScript programs that reference java.lang.Class objects are now limited to the following methods:
getCanonicalName
getEnumConstants
getFields
getMethods
getName
getPackageName
getSimpleName
getSuperclass
getTypeName
getTypeParameters
isAssignableFrom
isArray
isEnum
isInstance
isInterface
isLocalClass
isMemberClass
isPrimitive
isSynthetic
toGenericString
toString
No methods can be called on the following classes:
java.lang.ClassLoader
java.lang.Module
java.lang.Runtime
java.lang.System
java.lang.invoke.*
java.lang.module.*
java.lang.reflect.*
java.security.*
sun.misc.*
New Oracle Specific JDK 8 Updates System Property to Fallback to Legacy Base64 Encoding Format
Oracle JDK 8u231 upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue where XML signature using Base64 encoding resulted in appending 
or 
to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without 
or 
.
Therefore, a new Oracle JDK 8 Updates only system property, com.sun.org.apache.xml.internal.security.lineFeedOnly, is made available to fall back to legacy Base64 encoded format.
Users can set this flag in one of two ways:
-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")
This new system property is disabled by default. It has no effect on default behavior nor when com.sun.org.apache.xml.internal.security.ignoreLineBreaks property is set.
Later JDK family versions might only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks
x86
msiexec.exe /i "jre1.8.0_251.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1
x64
msiexec.exe /i "jre1.8.0_25164.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 REMOVEOLDERJRES=1
For uninstall use:
x86
msiexec /x {26A24AE4-039D-4CA4-87B4-2F32180251F0} /qn /norestart
x64
msiexec /x {26A24AE4-039D-4CA4-87B4-2F64180251F0} /qn /norestart
Java MSI 8.0.2410.7
Release Highlights
- IANA Data 2019c
JDK 8u241 contains IANA time zone data version 2019c.
- New Feature: Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
- New Feature: SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
- Other notes: New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
- Other notes: Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
- Other notes: Added LuxTrust Global Root 2 Certificate
LuxTrust root certificate has been added to the cacerts truststore
- Other notes: Added 4 Amazon Root CA Certificates
Amazon root certificate has been added to the cacerts truststore
- Bug Fixes: Support for OpenType CFF Fonts
Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf fonts) into the standard logical fonts (such as “Dialog” and “SansSerif”). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.
Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.
Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.
- Bug Fixes: Better Serial Filter Handling
The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.
For Configuration Manager deployments (or other automated deployments) use:
x86
msiexec.exe /i "jre1.8.0_241.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1
x64
msiexec.exe /i "jre1.8.0_24164.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 REMOVEOLDERJRES=1
For uninstall use:
x86
msiexec /x {26A24AE4-039D-4CA4-87B4-2F32180241F0} /qn /norestart
x64
msiexec /x {26A24AE4-039D-4CA4-87B4-2F64180241F0} /qn /norestart
Java MSI 8.0.2310.11
Release Highlights
- IANA Data 2019b
JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
- New Feature: New jdk.jceks.iterationCount System Property
A new system property has been introduced to control the iteration count value used for the jceks keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.
- New Feature: New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
- Removed Features and Options: Removal of T2K Rasterizer and ICU Layout Engine From JavaFX. The T2K rasterizer and ICU layout engine have been removed from JavaFX.
- Other notes: [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix. Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.
Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel. The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2
- Other notes: Remove Obsolete NIST EC Curves from the Default TLS Algorithms. This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1. To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...
For System Center Configuration Manager deployments (or other automated deployments) use:
x86
msiexec.exe /i "jre1.8.0_231.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1
x64
msiexec.exe /i "jre1.8.0_23164.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 REMOVEOLDERJRES=1
For uninstall use:
x86
msiexec /x {26A24AE4-039D-4CA4-87B4-2F32180231F0} /qn /norestart
x64
msiexec /x {26A24AE4-039D-4CA4-87B4-2F64180231F0} /qn /norestart