Amazon Corretto

| Release | CY2022 Q1 | CY2022 Q2 | CY2022 Q3 | CY2022 Q4 | CY2023 Q1 | CY2023 Q2 | CY2023 Q3 | CY2023 Q4 | CY2024 Q1 | CY2024 Q2 | CY2024 Q3 | CY2024 Q4 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8.232.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.242.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.252.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.262.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.265.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.272.x | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.275.x | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.282.x | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.292.x | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.302.x | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.312.x | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.303.x | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.322.x | Approved w/Constraints [2, 4, 5] | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.332.x | Approved w/Constraints [1, 2, 4, 5] | Approved w/Constraints [2, 4, 5] | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 8.342.x | Unapproved | Approved w/Constraints [1, 2, 4, 5] | Approved w/Constraints [2, 4, 5] | Divest [4, 5, 6, 7] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 8.352.x | Unapproved | Unapproved | Unapproved | Approved w/Constraints [4, 5, 6, 7] | Divest [4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 8.362.x | Unapproved | Unapproved | Unapproved | Approved w/Constraints [1, 4, 5, 6, 7] | Approved w/Constraints [4, 8, 9, 10] | Divest [4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 8.363.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Approved w/Constraints [1, 4, 8, 9, 10] | Approved w/Constraints [1, 4, 8, 9, 10] | Approved w/Constraints [1, 4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved |
| 11.0.5.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.6.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.7.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.8.x | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.9.x | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.10.x | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.11.x | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.12.x | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.13.x | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.14.x | Approved w/Constraints [2, 4, 5] | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.15.x | Approved w/Constraints [1, 2, 4, 5] | Approved w/Constraints [2, 4, 5] | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 11.0.16.x | Unapproved | Approved w/Constraints [1, 2, 4, 5] | Approved w/Constraints [2, 4, 5] | Divest [4, 5, 6, 7] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 11.0.17.x | Unapproved | Unapproved | Unapproved | Approved w/Constraints [4, 5, 6, 7] | Divest [4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 11.0.18.x | Unapproved | Unapproved | Unapproved | Approved w/Constraints [1, 4, 5, 6, 7] | Approved w/Constraints [4, 8, 9, 10] | Divest [4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 11.0.19.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Approved w/Constraints [1, 4, 8, 9, 10] | Approved w/Constraints [1, 4, 8, 9, 10] | Approved w/Constraints [1, 4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved |
| 17.0.0.x | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 17.0.1.x | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 17.0.2.x | Approved w/Constraints [2, 4, 5] | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 17.0.3.x | Approved w/Constraints [1, 2, 4, 5] | Approved w/Constraints [2, 4, 5] | Divest [2, 4, 5] | Unapproved | Unapproved | Unapproved | Unapproved | Prohibited | Prohibited | Prohibited | Prohibited | Prohibited |
| 17.0.4.x | Unapproved | Approved w/Constraints [1, 2, 4, 5] | Approved w/Constraints [2, 4, 5] | Divest [4, 5, 6, 7] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 17.0.5.x | Unapproved | Unapproved | Unapproved | Approved w/Constraints [4, 5, 6, 7] | Divest [4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 17.0.6.x | Unapproved | Unapproved | Unapproved | Approved w/Constraints [1, 4, 5, 6, 7] | Approved w/Constraints [4, 8, 9, 10] | Divest [4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |
| 17.0.7.x | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Approved w/Constraints [1, 4, 8, 9, 10] | Approved w/Constraints [1, 4, 8, 9, 10] | Approved w/Constraints [1, 4, 8, 9, 10] | Unapproved | Unapproved | Unapproved | Unapproved |
| 19.0.x (non-LTS) | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved | Unapproved |

Decision Constraints

[1] This Technology is currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population.

[2] Due to major security vulnerabilities associated with JDK, only the current supported patch sets, which are released every 3 months, are approved for use and the prior patch set will be divested for one quarter to allow time for transition.

Note: It is the system owner's responsibility to ensure proper licensing is obtained and in place for Java patches that are installed on machines they own. Care should be taken to test and minimize product interaction where this technology is used on the same machine with other vendor's JDK implementations.

Security Engineering (SE) conducted a pre-assessment and security requirements verification of Amazon Corretto. It is advised that if this product is used within the VA the following constraints be applied:

1. If VA sensitive information is involved, ensure that the underlying infrastructure and application are configured to provide FIPS 140-2 encryption for web access supporting Amazon Corretto to provide the VA required FIPS 140-2 compliant cryptographic modules for encryption of data at rest and in transit.

2. Due to frequent changes to the lifecycle, system administrators must ensure that the supported version is being used.

3. VA already has an AWS Support Plan; it must be verified that Corretto is covered on the plan the VA currently has; otherwise, it is recommended that the VA purchase a plan to receive assistance with Corretto.

4. Corretto should be administered only by the Desktop and Device Engineering team with access to this product restricted and limited to privileges that are needed to perform specific duties. Also, audit logs should be reviewed in accordance with VA Handbook 6500, Continuous Monitoring standards.

5. It is strongly recommended that these patches are prioritized, tested, and installed as soon as they become available. The product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines.

[3] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[4] Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.

[5] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[6] Due to major security vulnerabilities associated with JDK, only the current supported patch sets, which are released every 3 months, are approved for use and the prior patch set will be divested for one quarter to allow time for transition.

Note: It is the system owner's responsibility to ensure proper licensing is obtained and in place for Java patches that are installed on machines they own. Care should be taken to test and minimize product interaction where this technology is used on the same machine with other vendor's JDK implementations.

Security Engineering (SE) conducted a pre-assessment and security requirements verification of Amazon Corretto. It is advised that if this product is used within the VA the following constraints be applied:

1. Amazon Corretto will require a 3rd party FIPS 140-2 certified solution for any data containing PHI/PII or VA sensitive information.

2. VA already has an AWS Support Plan; it must be verified that Corretto is covered on the plan the VA currently has; otherwise, it is recommended that the VA purchase a plan to receive assistance with Corretto.

3. Corretto should be administered only by the Desktop and Device Engineering team with access to this product restricted and limited to privileges that are needed to perform specific duties. Also, audit logs should be reviewed in accordance with VA Handbook 6500, Continuous Monitoring standards.

4. It is strongly recommended that these patches are prioritized, tested, and installed as soon as they become available.

[7] Users should check with their supervisor, Information Security Office (ISO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note, any attempt by the installation process to install any additional, unrelated software is not approved and the user should take the proper steps to decline those installations.

[8] Due to major security vulnerabilities associated with JDK, only the current supported patch sets, which are released every 3 months, are approved for use and the prior patch set will be divested for one quarter to allow time for transition.

Note: It is the system owner's responsibility to ensure proper licensing is obtained and in place for Java patches that are installed on machines they own. Care should be taken to test and minimize product interaction where this technology is used on the same machine with other vendor's JDK implementations.

Per the Initial Product Review, users must abide by the following constraints:

  1. Amazon Corretto will require a 3rd party FIPS 140-2 certified solution for any data containing PHI/PII or VA sensitive information.
  2. VA already has an AWS Support Plan; it must be verified that Corretto is covered on the plan the VA currently has; otherwise, it is recommended that the VA purchase a plan to receive assistance with Corretto.
  3. Corretto should be administered only by the Desktop and Device Engineering team with access to this product restricted and limited to privileges that are needed to perform specific duties. Also, audit logs should be reviewed in accordance with VA Handbook 6500, Continuous Monitoring standards.
  4. It is strongly recommended that these patches are prioritized, tested, and installed as soon as they become available.

[9] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500.

[10] Users should check with their supervisor, Information System Security Officer (ISSO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note, any attempt by the installation process to install any additional, unrelated software is not approved and the user should take the proper steps to decline those installations.

Note: Versions undergoing evaluation may not be released for production at time of TRM review. Information was included to anticipate/capture future releases for planning and migration. SCCM, BigFix or similar scans may show extra digits in the version number such as 1.8.0.332 vs 8.332.x. This anomaly should be noted and considered when matching up approved versions. Due to major security vulnerabilities associated with this technology, only the current supported patch sets, which are released every 3 months, are approved for use and the prior patch set will be divested for one quarter to allow time for transition.
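The version-matching anomaly in the note above can be handled by normalizing scan output to the matrix row labels before the lookup. The following is an added example, not part of the TRM entry: `trm_key` and `audit` are hypothetical names, the inventory rows are constructed, and the longer Corretto-style version strings are assumed scanner output; only the `1.8.0.332` form and the CY2023 Q2 statuses come from this page.

```python
import re

# CY2023 Q2 column of the decision matrix, copied from the page (subset of rows).
CY2023_Q2 = {
    "8.232.x": "Prohibited",
    "8.352.x": "Unapproved",
    "8.362.x": "Divest",
    "8.363.x": "Approved w/Constraints",
    "11.0.18.x": "Divest",
    "11.0.19.x": "Approved w/Constraints",
    "17.0.6.x": "Divest",
    "17.0.7.x": "Approved w/Constraints",
}

def trm_key(raw):
    """Map a scanner-reported version string to the matrix row label."""
    parts = [int(p) for p in re.split(r"[._+\-]", raw.strip()) if p.isdigit()]
    if parts[:3] == [1, 8, 0] and len(parts) >= 4:   # legacy form: 1.8.0.332, 1.8.0_332
        return f"8.{parts[3]}.x"
    if len(parts) >= 2 and parts[0] == 8:            # assumed form: 8.332.08.1
        return f"8.{parts[1]}.x"
    if len(parts) >= 3 and parts[0] in (11, 17):     # assumed form: 11.0.19.7.1
        return f"{parts[0]}.{parts[1]}.{parts[2]}.x"
    raise ValueError(f"unrecognized version string: {raw!r}")

def audit(inventory, matrix=CY2023_Q2):
    """Return (host, raw, row, status) for every install that is not approved.

    Rows missing from the matrix are reported as 'Not listed' so they get a
    manual review instead of silently passing.
    """
    findings = []
    for host, raw in inventory:
        row = trm_key(raw)
        status = matrix.get(row, "Not listed")
        if status != "Approved w/Constraints":
            findings.append((host, raw, row, status))
    return findings

# Constructed inventory, as a software scan might report it.
SAMPLE_INVENTORY = [
    ("host-a", "1.8.0.363"),      # matches 8.363.x only after normalization
    ("host-b", "1.8.0_362-b08"),
    ("host-c", "11.0.18.10.1"),
    ("host-d", "17.0.7.7.1"),
    ("host-e", "1.8.0.232"),
    ("host-f", "11.0.20.8.1"),    # newer than any row in the matrix slice
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

A "Divest" finding still has its one-quarter transition window under the constraints above, so it is reported separately from "Prohibited" by status rather than being collapsed into a single failure.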