Overview

This section describes Payara’s official policy for managing Payara Platform’s security vulnerabilities.

The CVE Program

Payara, a leading provider of Jakarta EE and MicroProfile runtimes, is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Payara will publish authoritative cybersecurity vulnerability information about its products via the CVE Program. Vulnerabilities will be given a unique, alphanumeric identifier, building the CVE List that feeds into the U.S. National Vulnerability Database (NVD), and playing a role in the CVE Program’s mission to identify, define and catalogue cybersecurity vulnerabilities.

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS).

Developers using Payara Platform products will benefit from the collaboration, as vulnerabilities will be part of the standardized and publicly disclosed CVE List. This will result in time and cost savings for those using Payara products, as security issues can be discussed, dealt with and prevented through the use of a trusted, standardized catalogue.

General Guidelines

  • Payara is committed to fixing any vulnerabilities and exploits identified in any Payara Platform products and distributions.

  • Any reported vulnerabilities will be fixed with celerity as soon as they are reported and confirmed.

  • Security reports made to major versions that are no longer supported will be rejected.

    Users will be instructed to upgrade to a supported version.

  • Security vulnerabilities will have to be verified to affect a corresponding supported Payara Platform product before getting a CVE assigned.

  • Vulnerabilities not related to the Payara Platform will be ignored and not disclosed as formal CVEs. These include:

    • Operating system vulnerabilities

    • JVM vulnerabilities

    • Issues caused by not following recommended security practices

  • Keep in mind that most, if not all public networked servers are subject to denial of service (DoS) attacks, and thus, we will not provide fixes to generic problems (such as client applications streaming lots of data to your server, or re-requesting the same URL repeatedly).

Vulnerabilities on Third-party Components

As the Payara Platform depends on third-party components of other software packages like Apache Guava, Jackson, Smack, etc. vulnerabilities on specific versions of these components may be reported as well. Payara is committed to analysing any reported vulnerabilities and upgrading them to a patched version whether applicable.

In cases like this, reports may already reference an existing CVE record that details the vulnerability in question.

Reporting Security Vulnerabilities

To report a vulnerability, send an email with the described flaws and vulnerabilities to security@payara.fish. Please make sure to describe the vulnerability encountered in great detail, along with the steps to reproduce the issue and environmental details like:

  • Payara Platform distribution (i.e, Server, Micro, Embedded, Docker Image) and version

  • Operating System

  • JDK Version

If the report is related to an existing documented CVE record (like in the case of a third-party component), please provide its ID on your report.
To report any critical non-security bugs, raise a new issue in the official Community Edition repository issue tracker instead.

Once the vulnerability is received, it will get assigned a CVE ID and an investigation to verify the report and the security scoring will be done to implement a fix on a future release.

Credits

If you are interested in being credited as the finder and/or reporter of the vulnerability, please let us know explicitly on your report and provide the following details:

  • Your name or an alias.

  • (Optional) The name of an organisation you belong to and wants to be credited.

CVE Record Rejection

In some cases, the investigation of a security report may yield a result where the vulnerability in question does not warrant a fix (it cannot be reproduced, it doesn’t affect the Payara Platform, or it doesn’t represent a security vulnerability at all).

In cases like this, the CVE record will be rejected along with a reason explaining why the vulnerability didn’t require a fix.

Disclosing Security Fixes

Once a security vulnerability is fixed and published in an official release of Payara Community, the following will occur:

  • The details of the vulnerability will be published in the release notes.

  • The CVE record will be published in the CVE index as per the CVE record workflow.

Security Advisories

All security reports, that correspond to either fixes to vulnerabilities that affect the Payara Platform directly or vulnerabilities to its third-party dependencies are catalogued under the Security Advisories page.

Each vulnerability entry will contain:

  • Its CVE ID

  • The CVE record’s CVSS Score

  • The status of the vulnerability

  • The summary of the exploit

  • The release where a fix was published (if applicable)

  • A link to the Pull Requests that were implemented in the source code to remediate the vulnerability so that users may audit them if necessary.

  • Additional observations on the resolution of the vulnerability.

See Also