Here's a heads-up that some will want to hear about: there are new JVM updates released today (Oct 18, 2022) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the new interim update 19. (Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in resources below as 1.8.)
TLDR: The new updates are 1.8.0_351, (aka 8u351), 11.0.17, 17.0.5, and 19.0.1 respectively). And as is generally the case with these Java updates, most of them have the same changes and fixes as each other (though not always).
Update: After posting this, I learned of some rather surprising implications of a new feature of the new JDK installer. For more, see a new section on this below.
Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so take that "critical" nomenclature for what it is. For more on each of them, including what changed and the several security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. And if you may be skipping to this from a JVM update from before Apr 2021, I share also a bit more info as well as for users of Adobe ColdFusion (including where to find the updated Java versions from Adobe, what JVM versions Adobe CF supports, and more).
For some folks, that's all they need to hear. For others, read on for topics like:
Finding more info on these Oct 2022 Java updates
News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
Should you apply the update? how soon?
Beware a change in the Oct 22 JVM update regarding Java no longer trusting jars signed with SHA-1
Beware a change in the April 2021 JVM update, if you may be skipping over it
Wrapping up, getting more help
[More]
From: Charlie Arehart - Server Troubleshooting