Release notes - Payara Platform Community 6.2022.1
Security Vulnerability
| We have been made aware of a 0-day vulnerability. This vulnerability exploit opens up to attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. This vulnerability is similar to another 0-day vulnerability (CVE-2022-37422) we recently had. We would like to thank Michael Baer, Luc Créti and Jean-Michel Lenotte, all working for Atos, for alerting us to this vulnerability. You must upgrade to this latest version of Payara 6 Community to avoid the security issue. |
Improvements
-
[FISH-372] Provide option to disable clustering functionality of Hazelcast on Payara Micro
-
[FISH-1336] Properly Shutdown Payara Micro on Ctrl+C
-
[FISH-5827] Stuck Thread count as MicroProfile Metric Gauge
-
[FISH-5828] Connection Pool Metrics Exposed as MicroProfile Metrics
-
[FISH-6434] Support OpenID Connect token issuer field in ADFS
Security Fix
-
[FISH-6603] 0-Day Vulnerability Exploit Using ROOT Context Deployments
Bug Fixes
-
[FISH-1418] JMX Service doesn’t start on JDK 8u292 and 11.0.11
-
[FISH-5806] Remove JobManager from Payara Server
-
[FISH-6238] Microprofile Interceptors @Fallback @CircuitBreaker are not getting invoked if the EJB is a @Stateless Bean
-
[FISH-6347] Fix Admin Console (Post Mojarra Upgrade)
-
[FISH-6430] TransactionScopedCDIEventHelperImpl Injection Error
-
[FISH-6435] Dynamic Proxy is not Used when Injecting Context Types into Singleton EJB
-
[FISH-6470] GCM Cipher Suites Not Being Recognized
-
[FISH-6481] CORBA Incorrectly opening an additional TCP socket on Windows systems
-
[FISH-6500] `hazelcast-configuration-file\` Domain Property Ignored
-
[FISH-6501] Commands in Postboot File Fail
-
[FISH-6506] Environment Variable Replacement in Payara Micro Logging Properties File Does Not Work
-
[FISH-6566] Unable to Restart Instance with Application containing JSON File
-
[FISH-6576] Jakarta EE 10 DDs schema definition file missing in Payara 6.x