Release notes - Payara Platform Enterprise 5.45.0

Supported APIs and Applications

  • Jakarta EE 8

  • Jakarta EE 8 Applications

  • Jakarta EE 9

  • MicroProfile 4.1

Security Vulnerability

We have been made aware of a 0-day vulnerability. This vulnerability exploit opens up to attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. This vulnerability is similar to another 0-day vulnerability (CVE-2022-37422) we recently had. We would like to thank Michael Baer, Luc Créti and Jean-Michel Lenotte, all working for Atos, for alerting us to this vulnerability. You must upgrade to this latest version of Payara 5 Enterprise to avoid the security issue.


  • [FISH-5827] Stuck Thread count as MicroProfile Metric Gauge

  • [FISH-5828] Connection Pool Metrics Exposed as MicroProfile Metrics

Security Fix

  • [FISH-6603] 0-Day Vulnerability Exploit Using ROOT Context Deployments

Bug Fixes

  • [FISH-745] Sporadic lookup failure for @Singleton @Startup EJB in JDK8

  • [FISH-5806] Remove JobManager from Payara Server

  • [FISH-6430] TransactionScopedCDIEventHelperImpl Injection Error

  • [FISH-6500] hazelcast-configuration-file Domain Property Ignored

  • [FISH-6566] Unable to Restart Instance with Application containing JSON File