Safeguard
Vulnerabilities

OpenJDK Vulnerabilities: Tracking and Patching

OpenJDK vulnerabilities are disclosed and patched through Oracle's quarterly Critical Patch Update cycle, but tracking them well means watching your specific JDK distribution and version line, not just assuming a generic update covers you.

Safeguard Research Team
Research
5 min read

OpenJDK vulnerabilities are disclosed and patched primarily through Oracle's quarterly Critical Patch Update (CPU) cycle, released in January, April, July, and October, which bundles fixes across the JDK's core libraries, the JVM itself, and associated tooling. Because OpenJDK is the open-source reference implementation that multiple vendors build their own distributions from — Eclipse Temurin, Amazon Corretto, Red Hat's build, Azul Zulu — tracking vulnerabilities well means knowing which distribution and version line you're actually running, not just assuming "Java" as a category gets patched uniformly across every build.

Why does tracking OpenJDK vulnerabilities require knowing your specific distribution?

Because each vendor's build backports fixes on its own release schedule, and version numbers alone don't tell you what's actually patched without checking the specific build's release notes. Oracle's CPU advisories apply directly to Oracle JDK, but Temurin, Corretto, and other OpenJDK-based distributions typically follow with their own releases shortly after, incorporating the same upstream fixes — the timing isn't always identical, and a team assuming "Java 17 is Java 17 everywhere" can end up running a distribution that hasn't yet backported a fix Oracle shipped weeks earlier. This is compounded by long-term support (LTS) version lines: Java 8, 11, 17, and 21 are the LTS releases most production environments actually run, and each needs its own patch tracking, since a fix in the latest release doesn't automatically mean it's been backported to every older LTS line still in wide use.

What's a real example of an OpenJDK vulnerability worth knowing?

CVE-2022-21449, nicknamed the "Psychic Signatures" bug, is a strong example because it shows how a subtle implementation flaw in core cryptographic code can undermine an entire authentication mechanism. The bug affected the ECDSA signature verification logic in Java 15 through 18: under certain conditions, the implementation would accept an all-zero signature as valid, meaning an attacker could forge a signature that passed verification without knowing the actual private key. Since ECDSA underpins TLS certificate verification and various token-signing schemes, any Java application on an affected version using ECDSA signature checks — verifying a JWT, validating a TLS handshake — was potentially bypassable with a trivially crafted forged signature. Oracle patched it in the April 2022 CPU, and it's a useful case study in why cryptographic library code deserves particular scrutiny during any security review, since a flaw there doesn't just create one vulnerability, it silently invalidates the security guarantee every caller assumed was being enforced.

How should teams prioritize which OpenJDK patches to apply first?

By checking whether the specific fixed component is actually reachable in their application, the same reachability principle that applies to any dependency vulnerability. Not every CPU release fix affects every application — a patch to an obscure JMX management feature matters far less to a typical web service than a fix to core TLS or serialization handling that every network-facing Java application touches on every request. Version-only tracking (checking whether you're "on the latest JDK patch version") is a reasonable baseline, but pairing it with an understanding of which specific CVEs were fixed and whether your application exercises the affected code paths — deserialization, cryptographic verification, JNDI lookups, the categories that have produced the most severe Java CVEs historically — lets a team prioritize an emergency out-of-cycle patch for something like Psychic Signatures over a routine quarterly update for a component nothing in the application touches.

Does staying current on JDK versions actually reduce vulnerability exposure?

Substantially, yes, and it's one of the more mechanically simple risk reductions available, because unsupported JDK version lines stop receiving security patches entirely regardless of severity. Running an EOL (end-of-life) Java version means every subsequently disclosed CVE against that codebase goes permanently unpatched on your systems, accumulating risk with no path back except an upgrade — the same dynamic that makes running EOL PHP or unsupported OS versions a persistent, compounding liability rather than a one-time gap. Staying on a currently supported LTS line, tracking CPU releases against your specific distribution, and applying them promptly closes off the single largest and most preventable category of OpenJDK risk: known, already-patched vulnerabilities sitting unaddressed in production because the update cycle simply wasn't followed.

FAQ

How often does Oracle release OpenJDK security patches?

Quarterly, in January, April, July, and October, as part of the Critical Patch Update cycle. Out-of-cycle emergency patches are occasionally released for especially severe vulnerabilities.

Are all OpenJDK distributions patched on the same schedule?

Not exactly — vendors like Eclipse Temurin, Amazon Corretto, and Red Hat typically follow Oracle's upstream fixes closely but on their own release timing, so it's worth checking your specific distribution's advisories rather than assuming uniform timing.

What was CVE-2022-21449?

A flaw in Java's ECDSA signature verification (affecting versions 15 through 18) that allowed forged signatures to pass validation, potentially bypassing authentication and TLS verification relying on ECDSA. It was fixed in Oracle's April 2022 Critical Patch Update.

Does upgrading to the latest JDK feature release matter as much as patching within an LTS line?

For most production teams, staying current within a supported LTS line (applying quarterly patches) matters more day to day than chasing the newest feature release, since LTS lines receive the same security fixes without the compatibility risk of a major version jump.

How Safeguard Helps

Safeguard's SCA engine tracks the specific JDK distribution and version your projects build against, matches it against current CVE data, and flags when a production dependency touches a vulnerable code path — like cryptographic verification or deserialization — rather than treating every CPU release fix as equally urgent regardless of relevance.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.