Chapter 1. Overview of alt-java
Red Hat packages contain a mitigation for the SSB vulnerability in the form of a patch for the java binary. This patch disables an optimization present in x86-64 (Intel and AMD) processors. Disabling that optimization reduces the risk of kernel side-channel attacks, but also reduces CPU performance.
Since the patch reduces performance, it has been removed from the java launcher. A new binary alt-java is now available. From the January 2021 Critical Patch Update release (1.8.0 282.b08, 11.0.10.9) onwards, the alt-java binary is included in OpenJDK 8 and OpenJDK 11 GA RPM packages.
Additional resources
- For more information about the performance impact of SSB mitigation, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639 on the Red Hat Customer Portal
-
For more information about the
javabinary patch, see RH1566890 in the Red Hat Bugzilla documentation.