B4J Question OpenJDK 11 security updates

[Chris2]

Reading the 'Why still OpenJDK 11' thread (https://www.b4x.com/android/forum/threads/why-still-openjdk-11.139404/) over the weekend has prompted me to ask the following questions which have been floating around in my head for a while.

We use OpenJDK 11 because it is a Long Term Support version and hence will still receive security updates/patches. But how are these updates applied to installed B4J apps?

Does the Windows/Mac/Linux machine on which the B4J app is installed identify that an embedded Java runtime has been installed and update it via Windows Updates or the equivalent?
Or should we as developers be updating our apps with the patched OpenJDK 11 when/if security updates are released?

If the later is the case, then why is the suggested version 11.0.1 (on Installation section of the B4J product page) the one that's available for download rather than later OpenJDK 11 versions?
Is it just that there have been no security updates since 11.0.1, perhaps just 'cosmetic' patches not worth bothering with?

I'm just trying to gain some understanding here, so thanks in advance for any insight anyone can give.

 

[Erel]

It is not updated automatically, however the JRE is not an operating system. If for example you are building a UI app then no one can "inject" anything to your app.

 

[Chris2]

If for example you are building a UI app then no one can "inject" anything to your app.

Are you implying here that the situation is different for server apps?

 

[tchart]

Are you implying here that the situation is different for server apps?

@Chris2 up until recently I have always just distributed the JDK that Erel links to with my server based apps. This has never been an issue.

Rememeber with JRE/JDK there are public runtimes and private runtimes. I always bundle my applications with a private JRE (Erels one) and it is on that version forever (ie it does not update). Other applications shouldnt be using your JRE (since its private).

This is very similar to the enterprise software I use everyday. It is packaged with Open JRE and the vendor states to not update it (as its not supported etc).

However a few months ago the whole Log4J vulernability happened and all of a sudden many of my customers were asking whether I used Log4J (which i dont) but more importantly many IT advisories out there were telling users to update Java runtimes to try and mitigate the Log4J issue.

As a result I updated my installer to have the latest JRE from Open JDK (now called Temurin) - https://adoptium.net/releases.html?variant=openjdk11

I also sent my users instructions on how to remove the old JRE and update with the newer one. Very few did this.

Anyway, with the newer JRE, it has all security patches and my installer went from 150mb down to 65mb. This was due to the fact that I no longer ship the javafx or jmod libraries as these are not required for server apps.

 

[tchart]

If the later is the case, then why is the suggested version 11.0.1 (on Installation section of the B4J product page) the one that's available for download rather than later OpenJDK 11 versions?
Is it just that there have been no security updates since 11.0.1,

@Chris2 just to add the latest version of the JDK/JRE for Java 11 is jdk-11.0.14.1+1 - so 11.0.1 (from 2018) is rather out of date, and yes updates to it would include security patches.

Oracle release notes are here;

https://www.oracle.com/java/technologies/javase/11all-relnotes.html

 

[ThorstenStueker]

The 4x Applications I have deployed to my customers are using JDK11 and are packaged. While they are packaged the risk that somebody can inject code is 0! The point is that updating the JDK is always re-installing the JDK. Nothing else. Not a big deal while you can distribute it simply. And when packaging your applications with the runtime with Esels Packager you will have - on all platforms - a relative secure situation. It is always relative.

Looking on the risks I can realize directly that I have no problems with cyber security while I have no entrance points in the Java Install with the packed application. So package the Apps and give them away.

nobody asks this question for installed Applications like i.e. Office Software. They also need runtimes. Also Dotnet needs runtimes and they have to be actual. But packed Java Applications are different animals. They have not the open doors like a normal Java install. They are not present in the system and you can't call them directly.

 

[Chris2]

Thanks all of you for the responses. There's good detail here.
You've certainly increased my knowledge & understanding. Thank you.