openhab-core: Java 11.0.20 breaks OpenHAB 3.4.4 (Improved ZIP64 Extra Field Validation)
After upgrading zulu11 Java from 11.0.19 to 11.0.20, starting OpenHAB 3.4.4 failed with messages like:
2023-07-21 14:55:10.438 [ERROR] [Events.Framework ] - FrameworkEvent ERROR
java.util.zip.ZipException: Exception in opening zip file: /var/lib/openhab/cache/org.eclipse.osgi/18/0/bundleFile
[...]
Caused by: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
This seems to be triggered by the following change in Java 11.0.20 (same with 17.0.8): https://www.oracle.com/java/technologies/javase/11all-relnotes.html
core-libs/java.util.jar ➜ Improved ZIP64 Extra Field Validation (JDK-8302483 (not public)) java.util.zip.ZipFile has been updated to provide additional validation of ZIP64 extra fields when opening a ZIP file. This validation may be disabled by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation to true.
This topic is already discussed in the community forum: https://community.openhab.org/t/openhab-not-working-with-zulu11-0-20/147910
Expected Behavior
OpenHAB should work with recent Java version.
Current Behavior
OpenHAB 3.4.4 fails to start with the suggested zulu11 in its most recent version, 11.0.20.
Possible Solution
As a workaround it helps adding
EXTRA_JAVA_OPTS="-Djdk.util.zip.disableZip64ExtraFieldValidation=true"
to /etc/default/openhab (for a Debian system, this may be different on other systems).
It may be better to either change the code to support additional ZIP64 extra fields or at least do some Java voodoo to automatically set the above option.
Steps to Reproduce (for Bugs)
- Start with a working system with OpenHAB 3.4.4 and ZULU11 11.0.19
- Upgrade ZULU11 to 11.0.20
- OpenHAB does not work any more.
Your Environment
- Version used: OpenHAB 3.4.4-2 (Debian Package), zulu11 11.0.20-1 (Debian Package), both installed via apt repos.
- Debian 11 (bullseye) on amd64 architecture
About this issue
- State: closed
- Created a year ago
- Comments: 19 (12 by maintainers)
Commits related to this issue
- Disable "Improved ZIP64 Extra Field Validation" The org.apache.aries.javax.jax.rs-api bundle contains geronimo-osgi-locator.jar as a library which seems to have an "Invalid CEN header". This causes b... — committed to wborn/openhab-distro by wborn a year ago
- Disable "Improved ZIP64 Extra Field Validation" in itests This prevents ZipException stacktraces when running the itests on JDK 17.0.8 or newer. Related to: * openhab/openhab-core#3718 * openhab/op... — committed to wborn/openhab-addons by wborn a year ago
- Disable "Improved ZIP64 Extra Field Validation" in itests (#15389) This prevents ZipException stacktraces when running the itests on JDK 17.0.8 or newer. Related to: * openhab/openhab-core#3718... — committed to openhab/openhab-addons by wborn a year ago
- Disable "Improved ZIP64 Extra Field Validation" in itests (#15389) This prevents ZipException stacktraces when running the itests on JDK 17.0.8 or newer. Related to: * openhab/openhab-core#3718... — committed to Pshatsillo/openhab-addons by wborn a year ago
It would be nice to get rid of these workarounds because apparently the “Improved ZIP64 Extra Field Validation” was a rush job to mitigate CVE-2023-22036. That also explains why JDK-8302483 is not public.
See: https://connortumbleson.com/2023/07/31/invalid-cen-header/
I still think:
are the best next steps.
Doing 2 before 1 isn’t that big of a deal, as if it’s solved we’ll just never know which bundle temporarily had a bad header. If it doesn’t fix it, we’ve lost nothing.
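To find which archive carries the bad header instead of only disabling the validation, the central directory (CEN) can be inspected directly. The Python script below is an added example, not code from openHAB or the JDK: it compares each entry's ZIP64 extra field (header ID 0x0001) with the size the PKWARE APPNOTE implies. The flagging rule is an assumption about what a strict reader rejects, and the sample archive and its entry names are constructed.

```python
import io
import struct
import zipfile

M16, M32 = 0xFFFF, 0xFFFFFFFF   # markers meaning "real value is in the ZIP64 extra field"
ZIP64_ID = 0x0001               # header ID of the ZIP64 extended information field

def zip64_findings(data: bytes):
    """Return (entry, actual_size, expected_size) for suspicious ZIP64 extra fields in the CEN."""
    eocd = data.rfind(b"PK\x05\x06")            # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP/JAR: no end-of-central-directory record")
    count, cen_size = struct.unpack_from("<HI", data, eocd + 10)
    if count == M16 or cen_size == M32:
        raise ValueError("archive uses a ZIP64 end record; not handled here")
    pos, findings = eocd - cen_size, []
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError(f"bad CEN signature at offset {pos}")
        csize, usize, nlen, elen, clen, disk = struct.unpack_from("<IIHHHH", data, pos + 20)
        (loc_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + elen]
        # APPNOTE 4.5.3: one 8-byte value per 32-bit CEN field set to the marker, 4 bytes for disk
        expected = 8 * ((usize == M32) + (csize == M32) + (loc_off == M32)) + 4 * (disk == M16)
        i = 0
        while i + 4 <= len(extra):              # walk the (tag, size, data) records
            tag, size = struct.unpack_from("<HH", extra, i)
            # Assumed rule: flag an empty, inconsistent or overrunning ZIP64 field
            if tag == ZIP64_ID and (size == 0 or size != expected or i + 4 + size > len(extra)):
                findings.append((name, size, expected))
            i += 4 + size
        pos += 46 + nlen + elen + clen
    return findings

def build_sample_jar() -> bytes:
    """Constructed test input: one clean entry, one with an empty ZIP64 extra field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        bad = zipfile.ZipInfo("example/Bad.class")      # hypothetical entry name
        bad.extra = struct.pack("<HH", ZIP64_ID, 0)     # tag 0x0001, data size 0
        zf.writestr(bad, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for name, size, expected in zip64_findings(build_sample_jar()):
        print(f"{name}: ZIP64 extra field is {size} bytes, CEN markers imply {expected}")
```

Run it over the bytes of the bundle file named in the ZipException; a JAR embedded as a library inside a bundle has to be extracted and scanned on its own.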