This section describes how to deal with known or unknown security issues and common vulnerabilities and exploits (CVEs) related to the Payara Platform.

Security Fixes

Reported security vulnerabilities will get patched as soon as possible and delivered in a future release. For this reason, it is recommended to always stay up to date with the current release.

Locating Security Vulnerabilities

To locate the release a security update has been included for a specific vulnerability, search in the security fixes summary page for the specific vulnerability using its CVE identifier.

For each of these security vulnerabilities, a reference to all *Pull Requests* that were implemented to the main repository to fix each one of them is given for auditing purposes. If a security vulnerability has been reported but is not related or doesn’t affect the Payara Platform in any way, a proper justification will be detailed in its observations. This is also done for auditing purposes, so don’t feel deterred to make a vulnerability report if you are unsure that a flaw affects the Payara Platform completely.

Reporting Security Issues

Payara Services Limited is very active at identifying and fixing any detected security vulnerabilities, either internally or externally reported. Community users are encouraged to immediately report any vulnerabilities and flaws that they encounter.

To make a report, please send an email with the described flaws and vulnerabilities to security@payara.fish. Please make sure to describe the vulnerability encountered in great detail, along with the steps to reproduce the issue and environment details like Payara Platform distribution in use (Server, Micro, Embedded, etc.), the Operating System where it was detected and what version, provider and release of the JDK is involved in the reproducer.

INFO: If the issue relates to an existing documented CVE vulnerability, you can simply link it in your report and save yourself the trouble of providing a reproducer scenario and a detailed description.

To report any critical non-security bugs, raise a new issue in the official Community Edition repository issue tracker instead. Any conventional bug reports made through this email address will be ignored.

Keep in mind that most, if not all public networked servers are subject to denial of service (DoS) attacks, and thus, we will not provide fixes to generic problems (such as client applications streaming lots of data to your server, or re-requesting the same URL repeatedly). Focus on security issues that can be targeted at specific platform components like web session hacking, XSS injection, CSRF attacks and so forth.

See Also