← Back to all briefings
Developer 7 min read Published Updated Credibility 71/100

Java 17 LTS Release

Java 17 shipped on 14 September 2021 as the first long-term support (LTS) release since Java 11, introducing sealed classes, pattern matching for switch (preview), strong encapsulation of JDK internals, macOS/AArch64 support, and new foreign-memory and vector APIs, while retiring the Security Manager and requiring modernization of build and dependency practices.

Kodi C.

Editor & Research Lead

Fact-checked and reviewed — Kodi C.

Developer pillar illustration for Zeph Tech briefings
Developer enablement and platform engineering briefings

Java 17 arrived on as the next long-term support (LTS) line after Java 11, consolidating three years of previewed functionality and performance work. It rolls in sealed classes (JEP 409), pattern matching for switch (JEP 406, preview), strong encapsulation of JDK internals (JEP 403), the macOS/AArch64 port (JEP 391), and modernized rendering and randomness pipelines (JEPs 382 and 356). The release also removes the experimental AOT/JIT toolchain (JEP 410) and deprecates the Security Manager for removal (JEP 411). Teams should treat Java 17 as the strategic baseline for workloads leaving Java 8 and Java 11, especially because most major vendors (Oracle, Eclipse Temurin/Adoptium, Red Hat, Amazon Corretto, Microsoft Build of OpenJDK) provide multiyear support streams and build images for cloud container targets.

Release changes and feature coverage

Java 17 aggregates over a dozen JEPs and hundreds of bug fixes. The release notes emphasize language, runtime, and platform coverage improvements:

  • Language evolution: Sealed classes (JEP 409) allow explicit control over inheritance hierarchies, enforcing exhaustive pattern handling. Pattern matching for switch (JEP 406, preview) reduces boilerplate when branching on types and guard clauses. These features complement records, var, and text blocks introduced in earlier releases, enabling cleaner domain models.
  • Runtime and library modernization: JEP 403 strongly encapsulates internal JDK APIs by default, closing the temporary --illegal-access escape hatch introduced in Java 9. JEP 411 deprecates the Security Manager for removal, signaling a pivot toward container isolation and library-level sandboxing. JEP 356 (Enhanced Pseudo-Random Number Generators) adds streamable PRNGs (LXM, Xoshiro/Xoroshiro) with pluggable algorithms.
  • Platform breadth: JEP 391 delivers the macOS/AArch64 port for Apple Silicon, while JEP 382 introduces a new macOS rendering pipeline using Metal to replace the deprecated OpenGL stack. Container image builds benefit from better cgroup v2 detection and reduced native footprint through the removed AOT/JIT toolchain (JEP 410).
  • Foreign and vector APIs: The incubating Foreign Function & Memory API (JEP 412) simplifys safe interaction with native code without JNI boilerplate, and the second incubation of the Vector API (JEP 414) enables SIMD-friendly code paths that map to x86 and AArch64 instruction sets.

Because Java 17 is an LTS release, libraries and frameworks (Spring 6, Quarkus 2.6+, Micronaut 3.3+, Hibernate 6) have aligned compatibility roadmaps. Most cloud providers supply Java 17 base images and managed runtimes (AWS Corretto 17, Azure Java 17, Google Cloud Java 17 images), so platform teams can standardize CI/CD and container builds on this baseline.

Upgrade and migration tasks

Migrating from Java 8 or Java 11 requires deliberate compatibility reviews, especially because Java 17 closes long-standing transitional flags:

  • Address encapsulation breakages: The --illegal-access option is ignored starting in Java 17. Libraries that rely on sun.misc. Unsafe or other internal packages must shift to supported APIs (for example, VarHandle, java.util.concurrent primitives) or use the --add-opens flag explicitly per module. Audit startup logs for illegal reflective access warnings during test runs.
  • Rebuild with --release 17 and update toolchains: Ensure Maven and Gradle toolchains point to a Java 17 JDK, and set maven.compiler.release or Gradle’s java.toolchain.languageVersion = JavaLanguageVersion.of(17). Replace deprecated source/target pairs with the --release flag to align bytecode and standard library linkage.
  • Framework support testing: Verify application servers and frameworks on compatible versions: Spring Boot 3 requires Java 17+, while Jakarta EE 9+ aligns with Java 11/17. For older app servers (WebLogic 12c, JBoss EAP 7.2), consult vendor matrices; many require patch sets or newer minor versions for Java 17 certification.
  • macOS and Apple Silicon builds: If you ship macOS desktop applications or native launchers, switch to Java 17 distributions that include the AArch64 port and Metal pipeline. Test SWT/JavaFX rendering on Apple Silicon to confirm layout and performance parity.
  • Functional changes to APIs: TLS 1.0/1.1 are disabled by default; enable only if required and risk-accepted. The default Locale data now favors CLDR; cross-check formatting changes for finance and localization workflows.

Create a migration playbook with phased environments: start by recompiling and running tests under Java 17 with illegal-access warnings treated as failures, then containerize the runtime using vendor-supported images, and finally validate observability tooling (JFR/JMC, async-profiler) against the new JDK’s perf map formats.

Security and ops impact

Java 17’s security posture is shaped by the September 2021 Critical Patch Update (CPU), which addressed vulnerabilities such as CVE-2021-35550, CVE-2021-35556, CVE-2021-35557, and CVE-2021-35559 across TLS, HotSpot, and JNDI components. Always consume the latest 17.x patch (for example, 17.0.12+) from your vendor to inherit CPU fixes; base images lagging behind amplify exposure to JNDI and TLS issues.

  • Monitor Security Manager deprecation: Because JEP 411 marks the Security Manager for removal, applications that depended on policy files must migrate to container-based isolation, library sandboxing (for example, Google Tink, Envoy/OPA sidecars), or process-level controls (seccomp/AppArmor). Document this change for auditors who previously relied on java.policy attestations.
  • Cryptography defaults and compliance: Java 17 enables TLS 1.3 by default and ships updated ciphers (AES/GCM/ChaCha20-Poly1305). Review FIPS requirements; many vendors supply FIPS builds or guidance for linking to approved crypto providers. Update trust stores with current CA bundles to avoid certificate validation errors caused by stricter path building.
  • Operational telemetry: The Flight Recorder and Mission Control toolchain remains stable; ensure JVM flags (-XX:MaxRAMPercentage, -XX:+UseContainerSupport) are tuned for cgroup v2. For Kubernetes, validate liveness/readiness probes post-upgrade because startup profiles change with the removed AOT/JIT components.
  • Supply chain governance: Align build pipelines with reproducible builds and SBOM generation (for example, using cyclonedx-maven-plugin or Gradle’s cyclonedx plugin). Java 17 adoption should coincide with dependency updates to log4j 2.17+ to avoid CVE-2021-44228 and follow-on vulnerabilities.

Document support windows: Java 17 receives Premier support from Oracle through 2026 (with vendor-specific timelines extending further). set up a quarterly cadence for patch upgrades, and include regression tests around serialization filters (JEP 415) because context-specific filters tighten deserialization paths and may block legacy transports unless configured.

Implementation checklist: (1) Upgrade toolchains to a vendor-supported Java 17 distribution, (2) turn illegal-access warnings into CI failures, (3) retest frameworks and app servers with TLS 1.3 and CLDR defaults, (4) update observability agents and SBOM tooling, and (5) schedule patch-rollups aligned with the Java CPU calendar (January, April, July, October).

Release changes anchored to the LTS baseline

Java 17, released 14 September 2021, is the first LTS since Java 11 and is documented in the official release notes. Language improvements include sealed classes (JEP 409) for controlled inheritance, pattern matching for instanceof (JEP 394), and a preview of pattern matching for switch (JEP 406). The platform introduces the new macOS rendering pipeline for Apple Silicon (JEP 382) and restores a 64-bit ARM macOS port. Strong encapsulation of JDK internals is now the default (JEP 403), limiting deep reflection unless --add-opens flags are supplied. Other changes include a new macOS Notarization-friendly installer, updated Unicode 13 support, and deprecation of the Security Manager for future removal (JEP 411).

Packaging and licensing adjustments matter for enterprises: Oracle’s No-Fee Terms and Conditions (NFTC) apply to Oracle JDK 17 binaries, while OpenJDK distributions remain available. ZGC and Shenandoah garbage collectors are production-ready, offering low-latency options beyond G1.

Upgrade and migration tasks

Teams upgrading from Java 8 or 11 should inventory illegal reflective access. Java 17 emits warnings and may block access entirely in future releases; refactor to supported APIs or add targeted --add-opens only where necessary. Verify build tools (Maven, Gradle) and application servers support JDK 17 bytecode levels (class file version 61). For macOS deployments, confirm native libraries are available for aarch64 and that notarization scripts account for the new bundle identifiers.

Security Manager deprecation requires a replacement strategy for sandboxing; consider containerization, Process API controls, or third-party policy agents. TLS 1.0/1.1 are disabled by default per JEP 319, so retest connections to legacy systems and enable per-endpoint exceptions only when risk-assessed. Update JDBC drivers and JVM agents to versions certified for 17, especially those using JVMTI or bytecode instrumentation.

Security and ops impact

Stay current with CPU (Critical Patch Update) bundles, as Java 17 receives quarterly fixes that often include OpenJDK CVEs. Early updates addressed vulnerabilities such as CVE-2021-35567 (Serialization in RMI) and CVE-2021-35586 (libpng). Monitor Oracle security alerts or your chosen distribution’s advisory feed (for example, Adoptium, Amazon Corretto) and bake automated JDK updates into base image rebuilds.

Operational tuning should revisit garbage collector choices; ZGC and Shenandoah can reduce pause times for large heaps but require observability updates to track new GC logs. Enable container awareness flags (-XX:+UseContainerSupport is on by default) and verify memory limits are respected in Kubernetes. Because CDS (class data sharing) and AppCDS are available out of the box, consider building shared archives for faster cold starts while ensuring they are regenerated after dependency changes to avoid classpath drift.

More on this topic

Further reading from our research library.

Continue in the Developer pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Secure Software Supply Chain Tooling Guide

    Engineer developer platforms that deliver verifiable provenance, SBOM distribution, vendor assurance, and runtime integrity aligned with SLSA v1.0, NIST SP 800-204D, and CISA SBOM…

  • AI-Assisted Development Governance Guide

    Govern GitHub Copilot, Azure AI, and internal generative assistants with controls aligned to NIST AI RMF 1.0, EU AI Act enforcement timelines, OMB M-24-10, and enterprise privacy…

  • Developer Enablement & Platform Operations Guide

    Plan AI-assisted development, secure SDLC controls, and runtime upgrades using our research on GitHub Copilot, GitHub Advanced Security, and major language lifecycles.

Coverage intelligence

Published
Coverage pillar
Developer
Source credibility
71/100 — medium confidence
Topics
Java · Software Development · Runtime Briefing · Briefing · Developer
Sources cited
2 sources (iso.org, github.com)
Reading time
7 min

Source material

  1. Industry Standards and Best Practices — International Organization for Standardization
  2. GitHub Security Advisory Database
  • Java
  • Software Development
  • Runtime Briefing
  • Briefing
  • Developer
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.