Release notes - Payara Platform Community 5.2022.4
Supported APIs and Applications
- Jakarta EE 8
- Jakarta EE 8 Applications
- Jakarta EE 9
- MicroProfile 4.1
Security Vulnerability
We have been made aware of a 0-day vulnerability. This vulnerability exploit opens up to attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. This vulnerability is similar to another 0-day vulnerability (CVE-2022-37422) we recently had. We would like to thank Michael Baer, Luc Créti and Jean-Michel Lenotte, all working for Atos, for alerting us to this vulnerability. You must upgrade to this latest version of Payara 5 Community to avoid the security issue.
Improvements
- [FISH-6434] Support OpenID Connect token issuer field in ADFS
- [FISH-5828] Connection Pool Metrics Exposed as MicroProfile Metrics
- [FISH-5827] Stuck Thread count as MicroProfile Metric Gauge
- [FISH-372] Provide option to disable clustering functionality of Hazelcast on Payara Micro
Security Fixes
- [FISH-6603] 0-Day Vulnerability Exploit Using ROOT Context Deployments
- [FISH-6522] FIX CVE-2021-31684/Gihub Advisory - GHSA-fg2v-w576-w4v3 in Payara Platform
- [FISH-6391] Fix sonatype-2014-0173 commons-fileupload : commons-fileupload : 1.3.3
Bug Fixes
- [FISH-5980] Add Option to use ForkJoinPool for Managed Executor Services
- [FISH-6566] Unable to Restart Instance with Application containing JSON File
- [FISH-6506] Environment Variable Replacement in Payara Micro Logging Properties File Does Not Work
- [FISH-6501] Commands in Postboot File Fail
- [FISH-6500]
hazelcast-configuration-fileDomain Property Ignored - [FISH-6481] CORBA Incorrectly opening an additional TCP socket on Windows systems
- [FISH-6477] [Community Contribution - Piotrek Żygieło] Wrong License in Payara Zip Distribution
- [FISH-6470] GCM Cipher Suites Not Being Recognized
- [FISH-6435] Dynamic Proxy is not Used when Injecting Context Types into Singleton EJB
- [FISH-6430] TransactionScopedCDIEventHelperImpl Injection Error
- [FISH-6415] Unexpected error when starting instance hosted in remote SSH nodes on Windows OS system via Cygwin
- [FISH-6238] Microprofile Interceptors
@Fallback@CircuitBreakerare not getting invoked if the EJB is a@StatelessBean - [FISH-5806] Remove JobManager from Payara Server
- [FISH-5723] WebAppClassloader instances are memory leaked
Component Upgrade
- [FISH-6285] Upgrade Jersey to 2.36