Release notes - Payara Platform Community 5.2022.4

Supported APIs and Applications

  • Jakarta EE 8

  • Jakarta EE 8 Applications

  • Jakarta EE 9

  • MicroProfile 4.1

Security Vulnerability

We have been made aware of a 0-day vulnerability. The exploit gives attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. This vulnerability is similar to another 0-day vulnerability (CVE-2022-37422) that we recently had. We would like to thank Michael Baer, Luc Créti and Jean-Michel Lenotte, all working for Atos, for alerting us to this vulnerability. You must upgrade to this latest version of Payara 5 Community to avoid the security issue.


  • [FISH-6434] Support OpenID Connect token issuer field in ADFS

  • [FISH-5828] Connection Pool Metrics Exposed as MicroProfile Metrics

  • [FISH-5827] Stuck Thread count as MicroProfile Metric Gauge

  • [FISH-372] Provide option to disable clustering functionality of Hazelcast on Payara Micro

Security Fixes

  • [FISH-6603] 0-Day Vulnerability Exploit Using ROOT Context Deployments

  • [FISH-6522] Fix CVE-2021-31684/GitHub Advisory - GHSA-fg2v-w576-w4v3 in Payara Platform

  • [FISH-6391] Fix sonatype-2014-0173 commons-fileupload : commons-fileupload : 1.3.3

Bug Fixes

  • [FISH-5980] Add Option to use ForkJoinPool for Managed Executor Services

  • [FISH-6566] Unable to Restart Instance with Application containing JSON File

  • [FISH-6506] Environment Variable Replacement in Payara Micro Logging Properties File Does Not Work

  • [FISH-6501] Commands in Postboot File Fail

  • [FISH-6500] hazelcast-configuration-file Domain Property Ignored

  • [FISH-6481] CORBA Incorrectly opening an additional TCP socket on Windows systems

  • [FISH-6477] [Community Contribution - Piotrek Żygieło] Wrong License in Payara Zip Distribution

  • [FISH-6470] GCM Cipher Suites Not Being Recognized

  • [FISH-6435] Dynamic Proxy is not Used when Injecting Context Types into Singleton EJB

  • [FISH-6430] TransactionScopedCDIEventHelperImpl Injection Error

  • [FISH-6415] Unexpected error when starting instance hosted in remote SSH nodes on Windows OS system via Cygwin

  • [FISH-6238] MicroProfile Interceptors @Fallback @CircuitBreaker are not getting invoked if the EJB is a @Stateless Bean

  • [FISH-5806] Remove JobManager from Payara Server

  • [FISH-5723] WebAppClassloader instances are memory leaked

Component Upgrade