The September 2021 Payara Platform release is here! Both Payara Platform Enterprise and Payara Platform Community Editions include a security fix that requires you to take action to ensure the security of your environment (explained below).
Payara Platform Enterprise 5.31.0 and Payara Platform Community 5.2021.7 releases each contain 10 bug fixes, 1 component upgrade, 1 security fix and 1 new feature.
Read more below to learn more about the highlights of this release.
Path Traversal Security Issue Fix
We recently discovered and fixed an important security vulnerability in the Payara Server and Payara Micro products. A path traversal issue, present under certain conditions, allowed an attacker to read from the file system of the server running the application.
The September 2021 release helps you mitigate the risk associated with this problem so you should update your environment to the latest Payara Enterprise or Payara Community release as soon as possible.
Client Certificate Validation Checks
The July and September 2021 releases implemented two new features to improve the use of custom SSL certificates:
We have introduced an additional System Property so that multiple TrustStores can be defined. This keeps your configuration separate from the Payara Server one, which helps when you install and configure an upgrade.
The TrustStore is also used when you configure your application for Client Certificate Authentication. With the September 2021 Payara Server release, we have implemented an SPI so developers can perform additional checks on the Client Certificate. When the certificate issuer supports revocation, the status of a certificate can be retrieved through the Online Certificate Status Protocol (OCSP). This SPI allows you to implement any kind of additional check you like.
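As an added illustration of the kind of check such an SPI makes possible (this is example code written for this post, not Payara's own SPI or implementation), the class below asks the issuer's OCSP responder whether a presented client certificate has been revoked, using the JDK's standard PKIXRevocationChecker. The ClientCertificateValidator interface is an assumed placeholder, since the article does not name the real SPI contract; the KeyStore passed in is assumed to hold the CA certificates you accept client certificates from.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Placeholder for the Payara SPI contract. The article says an SPI exists but
 * does not name it, so this interface is an assumption for illustration only.
 */
interface ClientCertificateValidator {
    /** Returns true when the presented client chain passes the additional check. */
    boolean isValid(X509Certificate[] chain);
}

/**
 * Additional check that consults the issuer's OCSP responder (with CRL fallback)
 * for the presented client chain, using the JDK's PKIXRevocationChecker.
 */
public class OcspRevocationCheck implements ClientCertificateValidator {

    private static final Logger LOG = Logger.getLogger(OcspRevocationCheck.class.getName());

    private final KeyStore trustStore;

    /** @param trustStore store holding the CA certificates you accept client certs from */
    public OcspRevocationCheck(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    @Override
    public boolean isValid(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false; // no certificate presented: nothing to validate
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(chain));

            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker revocation =
                    (PKIXRevocationChecker) validator.getRevocationChecker();
            // Default options: OCSP is tried first, CRL is the fallback. SOFT_FAIL is
            // deliberately NOT set, so an unreachable responder fails closed (returns false).

            PKIXParameters params = new PKIXParameters(trustStore);
            params.addCertPathChecker(revocation); // replaces the default revocation mechanism

            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // Covers "revoked", "undetermined status" and chain-building failures.
            LOG.log(Level.WARNING, "Client certificate rejected: {0} ({1})",
                    new Object[] { e.getMessage(), e.getReason() });
            return false;
        } catch (GeneralSecurityException e) {
            LOG.log(Level.SEVERE, "Revocation check could not run", e);
            return false;
        }
    }
}
```

If you would rather accept clients when the responder is temporarily unreachable, add `PKIXRevocationChecker.Option.SOFT_FAIL` via `revocation.setOptions(...)` and then inspect `revocation.getSoftFailExceptions()` after validation, so that the degraded check is at least logged rather than silently passed.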
Watch the blog for all the details about these client certificate authentication improvements in Payara Server in an upcoming article.
Multiple KeyStores and TrustStores Improvements
In the August release, the first version of the functionality to support multiple KeyStores and TrustStores was introduced. This month, a fix is applied so that two or more stores can be defined within the configuration values on the Windows platform (the separator is now the JVM platform separator). Also, when the change-master-password asadmin command is run, a message is shown that the additional KeyStores and TrustStores need to be re-encrypted manually.
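To show why the separator matters for the multiple-TrustStore property described in the two sections above, here is an added example (written for this post, not Payara's own code) that splits one configured value on the JVM platform separator, loads every store it names, and merges their trusted certificates into a single KeyStore for a TrustManagerFactory. The property name is a placeholder chosen for the example (the article does not name Payara's property), one password is assumed to protect all listed stores, and the stores are assumed to be in the JVM's default KeyStore type or one it can read.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.TrustManagerFactory;

/**
 * Loads every TrustStore listed in one configuration value and merges the
 * trusted certificates into a single in-memory KeyStore.
 */
public final class MultiTrustStoreLoader {

    /** Placeholder property name chosen for this example; NOT the one Payara Server defines. */
    static final String PROPERTY = "example.additional.truststores";

    private MultiTrustStoreLoader() { }

    /**
     * Splits the configured value on the JVM platform separator
     * (File.pathSeparator: ';' on Windows, ':' on Unix-like systems).
     * Splitting on ':' unconditionally would cut "C:\certs\a.p12" in two on
     * Windows, which is the kind of defect a platform-aware separator avoids.
     */
    static List<String> splitStorePaths(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<String> paths = new ArrayList<>();
        for (String p : configured.split(Pattern.quote(File.pathSeparator))) {
            if (!p.trim().isEmpty()) {
                paths.add(p.trim());
            }
        }
        return paths;
    }

    /** Loads each store and copies its trusted-certificate entries into one KeyStore. */
    static KeyStore mergeTrustStores(List<String> paths, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // start from an empty store
        int storeIndex = 0;
        for (String path : paths) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                // Copy trust anchors only; private-key entries do not belong in a TrustStore.
                if (ks.isCertificateEntry(alias)) {
                    // Prefix with the store index so equal aliases in two stores cannot collide.
                    merged.setCertificateEntry(storeIndex + ":" + alias, ks.getCertificate(alias));
                }
            }
            storeIndex++;
        }
        return merged;
    }

    /** Builds a TrustManagerFactory from the merged store, as a TLS engine would consume it. */
    static TrustManagerFactory trustManagersFor(char[] password)
            throws GeneralSecurityException, IOException {
        List<String> paths = splitStorePaths(System.getProperty(PROPERTY));
        KeyStore merged = mergeTrustStores(paths, password);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);
        return tmf;
    }
}
```

Because every listed store is opened with the same password here, a change of that password (as with the change-master-password command mentioned above) has to be applied to each file before this loader can read them again; the merged store itself is never written back to disk.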
MicroProfile Rest Client Proxy Support
MicroProfile 4.0 added support for proxies within the MicroProfile Rest Client. The proxy information can be added when the Rest Client is created programmatically, and the host and authentication information are specified.
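As an added example of programmatic creation with a proxy (example code written for this post, not Payara's or the MicroProfile project's), the snippet below builds a Rest Client for a placeholder interface via the RestClientBuilder API and points it at a proxy with proxyAddress(host, port). Supplying the proxy credentials through a JAX-RS ClientRequestFilter that sets the standard Proxy-Authorization header is an assumption chosen for the example; the base URI, interface and proxy values are placeholders.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.MediaType;
import org.eclipse.microprofile.rest.client.RestClientBuilder;

/** Placeholder Rest Client interface for a remote status endpoint. */
@Path("/status")
interface StatusApi {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    String status();
}

/**
 * Adds proxy credentials to every outgoing request. ASSUMPTION: the proxy
 * accepts Basic authentication; adjust the scheme to what your proxy requires.
 */
class ProxyAuthFilter implements ClientRequestFilter {

    private final String headerValue;

    ProxyAuthFilter(String user, char[] password) {
        String raw = user + ":" + new String(password);
        headerValue = "Basic "
                + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void filter(ClientRequestContext ctx) {
        // Proxy-Authorization is consumed by the proxy, not the origin, for plain HTTP requests.
        ctx.getHeaders().putSingle("Proxy-Authorization", headerValue);
    }
}

public final class ProxiedRestClient {

    private ProxiedRestClient() { }

    /** Builds the client programmatically with a proxy host, port and credentials. */
    public static StatusApi build(String proxyHost, int proxyPort,
                                  String proxyUser, char[] proxyPassword) {
        return RestClientBuilder.newBuilder()
                // Placeholder base URI; plain http so the header above reaches the proxy.
                .baseUri(URI.create("http://internal-api.example"))
                .proxyAddress(proxyHost, proxyPort)
                .register(new ProxyAuthFilter(proxyUser, proxyPassword))
                .build(StatusApi.class);
    }

    public static void main(String[] args) {
        StatusApi api = build("proxy.example", 3128, "svc-user", "change-me".toCharArray());
        System.out.println(api.status());
    }
}
```

One caveat worth checking in your own setup: with an https base URI the request headers travel inside the TLS tunnel to the origin server, so a Proxy-Authorization header set by a request filter would not reach the proxy and would instead be disclosed to the origin. For tunnelled HTTPS, supply the proxy credentials at the connector level rather than as a request header.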
Exclude Payara Platform Version Number from Logging
The Payara Platform version number was always included in the log entries, but it wasn't useful since it doesn't change. With the September release, it can now be excluded through the logging configuration.
See a more detailed overview of the fixes and improvements in the Release Notes: