Release Notes - Payara Platform Community 5.2021.7

Supported APIs and Applications

  • Jakarta EE 8

  • Java EE 8 Applications

  • Jakarta EE 9

  • MicroProfile 4.1


Security Vulnerability

We recently discovered and fixed an important security vulnerability within the Payara Server and Payara Micro products. A path Traversal security issue was found when the application is deployed under the root context which allowed a hacker to read from the file system of the server running the application. We highly recommend that you upgrade to this version to avoid the security issue.

We’d like to thank Thibaud Kehler and Oliver Maicher from SySS GmbH who reported this vulnerability to the Payara team via the email address as instructed in Reporting Security Issues.

New Features

  • [FISH-5646] Add Client Certificate Validation API

Bug Fixes

  • [FISH-5711] Fix Could Not Load Formatter Class Error in Payara Micro

  • [FISH-5701] Application Does not Deploy Anymore on Payara Server Docker Image

  • [FISH-5695] (Community Contribution - Empressia) ArrayIndexOutOfBoundsException When the ConfigProperty Value Ends in a Dollar Sign

  • [FISH-5693] Delimiter for Configuring Multiple KeyStores and TrustStores Must use JVM Platform Delimiter

  • [FISH-5691] Do not Propagate Non-Transactional EM to Managed Tasks

  • [FISH-5690] Remove Duplicate postInvoke Handler Invocation on Failure

  • [FISH-5660] Deployment Failure on Payara Micro

  • [FISH-1058] Payara Micro - Wrong ClassLoader with Multiple Apps

  • [FISH-966] Fix Asadmin stop-domain Help Text

  • [FISH-81] Fix Incorrect Error "No valid EE environment for injection" for CDI Reported for Events

Component Upgrades

  • [FISH-5655] Update Jersey to 2.34.payara-p1

Security Fixes

  • [FISH-5702] Improper Limitation of a Pathname to a Restricted Directory \('Path Traversal'\) When Context Root is /