This section describes how to deal with known or unknown security issues and common vulnerabilities and exploits (CVEs) related to the Payara Platform.
|In the context of this page, for a Payara Enterprise customer to make a formal request, they will have to raise a new ticket in the Payara Enterprise Customer Support Portal.|
Download Security Fixes
Reported security vulnerabilities will get patched as soon as possible and delivered in a future release. If needed, Payara Enterprise customers can make a request for specific fixes to be backported to the specific releases they use on their environments.
Locating Security Vulnerabilities
To locate the release a security update has been included for a specific vulnerability, search in the security fixes summary page for the specific vulnerability using its CVE identifier.
For each of these security vulnerabilities, a reference to all *Pull Requests* that were implemented to the main repository to fix each one of them is given for auditing purposes. Since the Payara Enterprise repository is private and is not accessible by customers, they may request a copy of the details of any specific pull request implemented in the repository for auditing purposes.
Reporting Security Issues
Payara Services Limited is very active at identifying and fixing any detected security vulnerabilities, either internally or externally reported. Enterprise customers are encouraged to immediately report any vulnerabilities and flaws that they encounter.
To make a report, make an official request through the Customer Support Portal. Please make sure to describe the vulnerability encountered in great detail, along with the steps to reproduce the issue and environment details like the Payara Platform distribution and release version in use, the Operating System where it was detected and its version and the provider and release of the JDK is involved in the reproducer.
|If the issue relates to an existing documented CVE vulnerability, you can simply link it in your report and save yourself the trouble of providing a reproducer scenario and a detailed description.|