Overview

This section describes Payara’s official policy for managing Payara Platform’s security vulnerabilities.

The CVE Program

Payara, a leading provider of Jakarta EE and MicroProfile runtimes, is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Payara will publish authoritative cybersecurity vulnerability information about its products via the CVE Program. Vulnerabilities will be given a unique, alphanumeric identifier, building the CVE List that feeds into the U.S. National Vulnerability Database (NVD), and playing a role in the CVE Program’s mission to identify, define and catalogue cybersecurity vulnerabilities.

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS).

Developers using Payara Platform products will benefit from the collaboration, as vulnerabilities will be part of the standardized and publicly disclosed CVE List. This will result in time and cost savings for those using Payara products, as security issues can be discussed, dealt with and prevented through the use of a trusted, standardized catalogue.

General Guidelines

  • Payara is committed to fixing any vulnerabilities and exploits identified in any Payara Platform products and distributions.

  • Any reported vulnerabilities will be fixed promptly once they have been reported and confirmed.

  • A security vulnerability must be verified to affect a supported Payara Platform product before a CVE is assigned to it.

  • Vulnerabilities not related to the Payara Platform will be ignored and not disclosed as formal CVEs. These include:

    • Operating system vulnerabilities

    • JVM vulnerabilities

    • Issues caused by not following recommended security practices

  • Payara Enterprise customers can request that security fixes be back-ported to any supported releases used in their environments.

Vulnerabilities on Third-party Components

As the Payara Platform depends on third-party components from other software packages (such as Apache Guava, Jackson and Smack), vulnerabilities in specific versions of these components may be reported as well. Payara is committed to analysing any reported vulnerabilities and upgrading the affected component to a patched version where applicable.

In cases like this, reports may already reference an existing CVE record that details the vulnerability in question.

Reporting Security Vulnerabilities

To report a vulnerability, make an official request through the Customer Support Portal. Please make sure to describe the vulnerability encountered in great detail, along with the steps to reproduce the issue and environmental details like:

  • Payara Platform distribution (i.e. Server, Micro, Embedded or Docker Image) and version

  • Operating System

  • JDK Version

If the report is related to an existing documented CVE record (as in the case of a third-party component), please provide its ID in your report.

Once the report is received, it will be assigned a CVE ID, and an investigation will be carried out to verify the report and determine its security score, so that a fix can be implemented in a future release. Customers may use the CVE ID to track the details of the vulnerability.

Credits

If you are interested in being credited as the finder and/or reporter of the vulnerability, please state this explicitly in your report and provide the following details:

  • Your name or an alias.

  • (Optional) The name of an organisation you belong to that also wants to be credited.

CVE Record Rejection

In some cases, the investigation of a security report may yield a result where the vulnerability in question does not warrant a fix (it cannot be reproduced, it doesn’t affect the Payara Platform, or it doesn’t represent a security vulnerability at all).

In cases like this, the CVE record will be rejected, along with a reason explaining why the vulnerability did not require a fix.

Disclosing Security Fixes

Once a security vulnerability is fixed and published in an official release of Payara Enterprise, the following will occur:

  • The details of the vulnerability will be published in the release notes.

  • The CVE record will be published in the CVE index as per the CVE record workflow.

  • Customers may be notified of any necessary mitigation measures to be considered if they are affected by the vulnerability.

Security Advisories

All security reports that correspond either to fixes for vulnerabilities affecting the Payara Platform directly or to vulnerabilities in its third-party dependencies are catalogued on the Security Advisories page.

Each vulnerability entry will contain:

  • Its CVE ID

  • The CVE record’s CVSS Score

  • The status of the vulnerability

  • The summary of the exploit

  • The release where a fix was published (if applicable)

  • Additional observations on the resolution of the vulnerability.