IBM Support

Fix list for IBM WebSphere Application Server Liberty

Product Readmes


Abstract

Fixes for WebSphere Application Server Liberty are delivered in fix packs periodically.  This is a complete listing of all the fixes for Liberty with the latest fixes at the top.

New fix pack numbering was introduced starting 16.0.0.2. Fix pack 16.0.0.2 for WebSphere Application Server Liberty is the first of a series of common Liberty levels that apply to both Version 8.5 and Version 9.0 of WebSphere Application Server on all supported platforms.

Content

Release Date
Total number of APARs
Total number of Security APARs
Total number of Open Liberty Release Fixes
16 July 2024
1
0
9
18 June 2024
3
1
14
21 May 2024
3
3
6
23 April 2024
5
3
10
26 March 2024
4
1
12
27 February 2024
1
0
8
30 January 2024
1
0
14
12 December 2023
3
2
10
14 November 2023
3
0
10
17 October 2023
5
0
15
19 September 2023
1
0
13
22 August 2023
4
1
8
25 July 2023
3
0
9
27 June 2023
4
1
11
30 May 2023
4
0
16
2 May 2023
3
0
15
4 April 2023
2
0
11
7 March 2023
6
2
15
7 February 2023
1
0
15
20 December 2022
4
1
9
22 November 2022
4
1
15
25 October 2022
5
1
8
27 September 2022
3
1
8
30 August 2022
3
0
12
2 August 2022
4
2
14
5 July 2022
1
0
4
7 June 2022
3
2
12
10 May 2022
4
0
14
12 April 2022
5
0
13
15 March 2022
4
2
20
15 February 2022
7
2
16
18 January 2022
6
2
18
3 December 2021
1
0
13
5 November 2021
2
0
17
8 October 2021
5
2
14
10 September 2021
3
0
11
13 August 2021
1
0
7
15 July 2021
4
1
14
18 June 2021
2
0
11
21 May 2021
4
0
19
23 April 2021
3
2
12
26 March 2021
2
0
18
26 February 2021
3
0
12
29 January 2021
2
0
24
27 November 2020
6
0
16
30 October 2020
2
1
12
2 October 2020
6
1
11
4 September 2020
4
0
10
7 August 2020
2
0
10
9 July 2020
2
0
14
12 June 2020
4
0
15
15 May 2020
3
2
14
17 April 2020
6
1
19
20 March 2020
6
1
18
21 February 2020
11
2
29
24 January 2020
2
1
23
13 December 2019 1 1 13
15 November 2019 8 2 19
18 October 2019 8 2 18
20 September 2019 6 1 9
23 August 2019 6 0 19
25 July 2019 4 1 14
28 June 2019 5 0 8
31 May 2019 3 0 8
3 May 2019
4
1
15
5 April 2019
10
1
25
8 March 2019
9
0
18
8 February 2019 11 1 24
14 December 2018
29
3
51
21 September 2018
31
5
38
29 June 2018
45
1
29
16 March 2018
32
3
84
21 December 2017
54
2
17 October 2017
109
3
13 June 2017
115
1
14 March 2017
90
0
13 December 2016
103
1
16 September 2016
107
7
24 June 2016
121
5
18 March 2016
141
2
11 December 2015
78
2
11 September 2015
26 June 2015
13 March 2015
8 December 2014
18 August 2014
28 April 2014
11 November 2013
14 June 2013
Fix pack 24.0.0.7
Fix release date: 16 July 2024
Last modified: 16 July 2024
Status: Recommended

Download Fix pack 24.0.0.7
Fixes:
APAR Security APAR Description
PH61509 OLGH28877 Memory leak in JAXRSClientConfigHolder
Open Liberty fixes:
28155 Deliver Oracle 23 support
28855 OpenTelemetry does not filter out arquillian-liberty-support
28521 XML Binding 4.0 Remove RI from TCCL and add new feature tests
28515 Warning "Validation not enabled for module" when persistenceContainer-3.1 + beanValidation-3.0
28615 Regression with jaxb / WADL2java
28652 FFDC for index out of bounds in web container, WebApp.handleRequest()
28716 Admin Center Server Config tool does not work to save changes using source view
28814 In an edge case OpenTelemetry does not honour the priority of mpConfig ConfigSources
28877 Memory leak in JAXRSClientConfigHolder
  Back to top
Fix pack 24.0.0.6
Fix release date: 18 June 2024
Last modified: 18 June 2024
Status: Superseded

Download Fix pack 24.0.0.6
Serviceability Enhancements:
Title
Updates have been made to better handle the scenario where an exception occurs when the server is stopped while asynchronous tasks are running and also to avoid the NullPointerException. A more meaningful message will now be logged in this scenario.
Fixes:
APAR Security APAR Description
PH59682 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354 CVSS 7.0)
PH61042 PH59682 regressed the tag in pages-3.0 and productInfo -validate fails
PH61110 APIDiscovery delay processing if aggregator not yet active
Open Liberty fixes:
28414 Classloading issue involving JAXBContext and JAXBContextFactory with webProfile-10.0
27858 JspOption jdkSourceLevel Disabled Unintentionally
28118 Port MYFACES-4658
28235 Enabling openidConnectClient feature causes the body request not to be forwarded to the application's servlet (starting from WLP 24.0.0.3)
28280 If an application fails to start when doing a checkpoint the checkpoint still succeeds
28350 J2CA0081E Method destroy failed occurs during server shutdown
28421 Bump netty dependencies to 4.1.109.Final
28431 Generate Set-Cookie from the SessionCookieConfig may not include additional attributes
28459 GRPC connections hang with security enabled
28475 Environment variables not available during service startup within Kubernetes/OpenShift
28479 Invalid JASPIC warning CWWKS1652A in log when AuthResult.SEND_SUCCESS is received from the JASPIC provider
28493 restfulWS-3.1 Headers with multiple values in a multipart (EntityPart) object held are held in a List of size 1
28552 NoClassDefFoundError org/apache/commons/io/input/NullInputStream when using collectives file transfer
28521 XML Binding 4.0: Remove RI from TCCL
Fix pack 24.0.0.5
Fix release date: 21 May 2024
Last modified: 21 May 2024
Status: Superseded

Download Fix pack 24.0.0.5
Serviceability Enhancements:
Title
The JPA Container has been updated to improve handling of syntax errors parsing JPQL during server start by implementing a retry mechanism and logging additional diagnostics.
Fixes:
APAR Security APAR Description
PH59146 IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-22353 CVSS 5.9)
PH59781 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service (CVE-2024-25026 CVSS 5.9)
PH60146 IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-27268 CVSS 5.9)
Open Liberty fixes:
Issue/PR Description
28101 FeatureUtility prints warning when user repositories doesn't have authentication
28125 Incompatibility reported between sipServlet-1.1 and WebSockets
28152 FeatureUtility custom repository connection issue
28160 CWWKE0701E bundle com.ibm.ws.ssl ... The activate method has thrown an exception java.lang.ExceptionInInitializerError
28285 JPQLException Syntax error parsing
28344 SSO should not use application/json on request to JWK
Fix pack 24.0.0.4
Fix release date: 23 April 2024
Last modified: 23 April 2024
Status: Superseded

Download Fix pack 24.0.0.4
Fixes:
APAR Security APAR Description
PH59117 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to server-side request forgery (CVE-2024-22329 CVSS 4.3)
PH60149 IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting (CVE-2024-27270 CVSS 4.7)
PH60199 IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to jose4j (CVE-2023-51775 CVSS 7.5)
PH60642 Updates to API Discovery Swagger UI
PH60659 OLGH27886: NullPointerException can occur in Kernel ClassLoader
Open Liberty fixes:
Issue/PR Description
28083 Server does not start with space in file path
24925 UUID not working as GeneratedValue Id in some cases
26771 Websocket Out of Memory Leak caused by Expired Sessions
27620 Invalid encoded request URI should return 400 instead of 500
27778 The server start command resolves symbolic links incorrectly on z/OS 3.1
27779 StackOverFlow in JSP Caused by Recurisve JspContextWrapper#include call
27833 JAX-RS and RestfulWS monitor bundles' filters are still creating objects when REST is filtered out of monitor-1.0
27886 NullPointerException can occur in Kernel ClassLoader
27900 NullPointerException may occur for HTTPs requests to WebContainer
27971 WLP_INSTALL_DIR set incorrectly when wlp/bin is a symbolic link
Fix pack 24.0.0.3
Fix release date: 26 March 2024
Last modified: 26 March 2024
Status: Superseded

Download Fix pack 24.0.0.3
Enhancements:
Fixes:
APAR Security APAR Description
PH59660 BBOA1CNG RC:12, RSN:256 when starting more than 58 Liberty servers using WOLA
PH59903 Modify command to list ANGEL processes get ABEND0C4
PH60113 IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-50312 CVSS 5.3)
PH60182 Liberty 23.0.0.6 connect via WOLA failing if IMS DBCTL enabled
Open Liberty fixes:
Issue/PR Description
18105 Implement OpenID Connect Back-Channel Logout 1.0
23607 Enable verbose garbage collection by default on IBM Java/Semeru
26195 mpHealth-2.2 responds with a status UP briefly during startup
26590 Latest gRPC code levels and the IBM gRPC Servlet code are no longer an exact fit for flushes
27077 FeatureUtility returns 403 if repo pwd is encoded
27218 cfw performance update
27652 Windows server command doesn't handle space in path unless JAVA_HOME set
27659 CWWKS9590W warning message shows up with some newer ciphers are configured
27667 Fix for CWWKS9590W Warning
27135 SessionCache does not work after upgrading to 23.0.0.10
27715 Job can not be purged when using the Java batch In-Memory Persistence
27716 runAsServer before signing/verifying jws and encrypting/decrypting jwe
27777 Parameters are not replaced in error message CWMMH0050E in french language
  Back to top
Fix pack 24.0.0.2
Fix release date: 27 February 2024
Last modified: 27 February 2024
Status: Superseded

Download Fix pack 24.0.0.2
Fixes:
APAR Security APAR Description
PH59680 Liberty server using ZOSLOCALADAPTERS-1.0 does not shut down after outofmemory error with ZOSAIO disabled
Open Liberty fixes:
Issue/PR Description
26680 io.openliberty.cdi.4.0.internal.services.fragment bundle cannot resolve dynamically against the host bundle
26939 Delete lease when peer recovery is unnecessary
27290 [JPA 2.2] EclipseLink Deliver Issue #1981
27294 Memory leak in CXF caused by large number of PidInfo objects
27396 Handling of locked Transaction Log Lease Table needs improvment
27398 Server start fails on OS/400
27421 Resource adapter install fails due to ArrayIndexOutOfBoundsException
27588 EclipseLink for JPA 3.1 may encounter IllegalArgumentException Unsupported api 0
 Back to top
Fix pack 24.0.0.1
Fix release date: 30 January 2024
Last modified: 30 January 2024
Status: Superseded

Download Fix pack 24.0.0.1
Fixes:
APAR Security APAR Description
PH55398 OLGH26221 Port MYFACES-4606 (Issuing Element Not Found in Request Parameter Map for Ajax Requests) to Liberty
Open Liberty fixes:
Issue/PR Description
25135 jakarta.el.ELException The class [...] must be public, in an exported package, non-abstract and not an interface
26342 ReactiveMessaging "CDI container is not available"
26831 Bad value in ApplicationManager config cause ApplicationManager service to fail
26832 Server should be able to reclaim its recovery logs on startup
26844 Deadlock reported in sipcontainer when proxybranch times out
27008 [PH55398] [OLGH26221] Port MYFACES-4606 (updated fix)
27062 CWWKC1101E IllegalStateException CWWKC1013E Unable to start task null because the component in application WEB that submitted it is unavailable
27080 Liberty SAML SP fails to generate response to the IdP initiated logout request
27093 mpMetrics-5.0 Feature Returns Response in ISO-8859-1 Instead of UTF-8 when Accessing /metrics Endpoint
27159 Upgrade Jackson 1.6.2 Dependency
27191 On z/OS server start from the bin directory fails
27204 Slow performance in DirectoryRepositoryClient
27208 Date format in log files includes an extra trailing space character with Java versions 20 or later
27249 PasswordUtil throws NullPointerException on certain input
 Back to top
Fix pack 23.0.0.12
Fix release date: 12 December 2023
Last modified: 12 December 2023
Status: Superseded

Download Fix pack 23.0.0.12
Fixes:
APAR Security APAR Description
PH57336 zosConnect failure in its XML or JSON parser
PH57878 IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-44487 CVSS 7.5)
PH57933 IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache Santuario (CVE-2023-44483 CVSS 6.5)
Open Liberty fixes:
Issue/PR Description
25467 A better error for the NullPointer we get if WithSpan is on the class level
26655 OpenAPI UI required fields have an extra character
26722 Microprofile Rest Client (CDI) mpConfig property "proxyAddress" not respected
26809 Lease timestamp not updated for home server when recoveryGroups and tran logs in a database is configured and database outage > couple of seconds occurs
26818 Processing dir files alphabetically does not match configDropins behavior
26846 JAX-WS After upgrade to WLP 23.0.0.9 SOAP client generates a SOAP header part in the SOAP body
26893 Space in value of -D option in jvm.options breaks server package command
26911 Registered RestClientBuilderListeners are not called for injected rest client instances for MP Rest Client 1.x and 2.x
26942 Liberty startup script does not resolve symbolic link to bin directory
26943 NO_USER_REGISTRY message is not output properly
Fix pack 23.0.0.11
Fix release date: 14 November 2023
Last modified: 14 November 2023
Status: Superseded

Download Fix pack 23.0.0.11
Fixes:
APAR Security APAR Description
PH57110 Remove products with pid value of UNKNOWN
PH57261 [OLGH26375] Update the shared class cache URL used for non jar / zip files
PH57579 IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-46158 CVSS 4.9)
Open Liberty fixes:
Issue/PR Description
25786 Update to latest Expression Language 5.0 - 10.1.11
25962 Deadlock reported in sipcontainer when cancelling session in proxy mode
26332 Websocket Null Argument to OnMessage After DecodeException
26375 Stale class content used after updating application archives
26390 Port MYFACES-4628
26419 StackOverflowError when tracing jaxrs-2.0
26596 Memory Leak in com.ibm.ws.request.interrupt.internal.InterruptibleThreadInfrastructureImpl
26609 CDI will not create an EJBDescriptor for archive containing bean-discovery-mode=none
26636 JAX-WS: @WebFault annotated Exceptions are not properly serialized as SOAPFaults on 22.0.0.8 and above
26683 Component metadata is not present during CDI Startup events
Fix pack 23.0.0.10
Fix release date: 17 October 2023
Last modified: 17 October 2023
Status: Superseded

Download Fix pack 23.0.0.10
Fixes:
APAR Security APAR Description
PH55995 [OLGH26267] Login or Authentication may fail on Z/os when using the IBMJCEHYBRID provider
PH56266 [OLGH25997] Correction fix to PH42468 to remove delay in closing connection in Websocket application
PH56959 Null Pointer Exception when defining empty routing rule
PH57076 [OLGH26341] Failure at server startup of bundle COM.IBM.WS.SECURITY.TOKEN.LTPA
PH57263 [OLGH26357] Springboot 3 thin utility may cause NOCLASSDEFFOUND error
Open Liberty fixes:
Issue/PR Description
11453 Potential leak caused by JSTL tags
25759 Enable user to set CXF's useHttpsURLConnectionDefaultSslSocketFactory property for outbound JAX-RS Client Requests
25640 WithSpanInterceptor doesn't call instrumentation.end()
25781 Liberty cannot be immediately restarted after stopping with localConnector-1.0 feature on Windows with hotspot
25855 When two apps are configured with the same context root, neither is reachable
25997 Websocket close delay
26023 Liberty 23.0.0.9 - 6% Performance Throughput Regression on MicroProfile 6 OpenAPI scenario
26054 CDI can throw NullPointerException if application startup fails
26076 Thread safety issues in com.ibm.ws.jaxrs20.cdi.component.ThreadBasedHashMap may cause problems under load
26158 Telemetry-1.0 Disabled warning message
26171 @Transactional may throw a checked exception which is not allowed according to the interceptor specification
26216 Port MYFACES-4606
26221 Port MYFACES-4606 (Issuing Element Not Found in Request Parameter Map for Ajax Requests) to Liberty
26306 Fix Documentation for Supported Java versions
26341 23.0.0.9 CWWKE0701E bundle com.ibm.ws.security.token.ltpa failure at server startup
26437 Packaging Springboot 3 application embedded with Open Liberty does not work
  Back to top
Fix pack 23.0.0.9
Fix release date: 19 September 2023
Last modified: 19 September 2023
Status: Superseded

Download Fix pack 23.0.0.9
Fixes:
APAR Security APAR Description
PH56334 Collective replica communication issue when using OpenJDK
Open Liberty fixes:
Issue/PR Description
22358 Update Social Login redirection processing
23732 startWinService & stopWinService default timeouts in server.bat script too short
25291 Return 400 status for invalid URI
25743 The shutdown order between CDI and EJB is not enforced
25759 Enable user to set CXF's useHttpsURLConnectionDefaultSslSocketFactory property for outbound JAX-RS Client Requests
25782 Calling stop on an already stopped server hangs for 30 seconds and then reports an error on WSL
25834 OpenLiberty 23.0.0.7 with webProfile-8.0 logs messages saying it requires annotations in the jakarta.annotation namespace
25866 Unexpected end of file from server
25927 CWWKS1706E + CWWKS1739E errors occurs when minimal jwks data is provided by Identity Provider
25932 Absolute file paths fail with the file transfer API when running under servlet 6
25958 sed command in server script returning incorrect value on Solaris
25978 The SPI for registering CDI extensions and Beans will scan the entire archive without an extension
  Back to top
Fix pack 23.0.0.8
Fix release date: 22 August 2023
Last modified: 22 August 2023
Status: Superseded

Download Fix pack 23.0.0.8
Enhancements:
Title
Use OIDC Connect with the strongest flow for web applications using the Authcode with PKCE
Fixes:
APAR Security APAR Description
PH55940 Correction fix to PH53171
PH56004 IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737 CVSS 5.9)
PH56052 A bundle in an OSGi application with the following manifest header will fail to start
PH56063 OSGi applications compiled to Java 17 may fail to start
Open Liberty fixes:
Issue/PR Description
25193 Two inaccurate descriptions and one formatting problem in openidConnectProvider
25580 Non-daemon Liberty Timer threads preventing JVM shutdown in CICS (Java 17)
25632 MYFACES-4512
25646 Semicolon inside text parameter in Reason header will result in the sipcontainer dropping the request
25693 MYFACES-4611
25700 Potential memory leak in Liberty version of org.jboss.resteasy.plugins.server.servlet.ServletUtil
25712 NullPointerException when using app-defined javamodule data source for JPA
25804 Unable to make field private final int sun.nio.ch.SocketChannelImpl.fdVal accessible when using Java 17
Fix pack 23.0.0.7
Fix release date: 25 July 2023
Last modified: 25 July 2023
Status: Recommended

Download Fix pack 23.0.0.7
Fixes:
APAR Security APAR Description
PH55130 Collective replica set is not able to communicate each other on AIX and IBM JDK8
PH55181 z/OS data is incorrectly collected for products with an UNKNOWN product ID
PH55442 Update REST API Discovery UI dependencies
Open Liberty fixes:
Issue/PR Description
19861 Concurrency errors when using same JWT access token for inbound propagation
21501 Update the jsf-2.3 feature to MyFaces 2.3.10
21502 Update the faces-3.0 feature to MyFaces 3.0.2
25111 MYFACES-4469 IllegalArgumentException occurs in occurs in FacesConfigurator.purgeConfiguration
25354 Update faces-4.0 to MyFaces 4.0.1
25368 GlobalOpenTelemetry is missing public methods
25429 WithSpan anotation does not work when name or kind is set
25457 Local host/port and remote host/port are reversed in message CWWKO0801
25479 Unable to make field long java.nio.Buffer.address accessible when using Java 17
   Back to top
Fix pack 23.0.0.6
Fix release date: 27 June 2023
Last modified: 27 June 2023
Status: Superseded

Download Fix pack 23.0.0.6
Fixes:
APAR Security APAR Description
PH53192 The /api/explorer URL from openapi-3.0 does not return the Content-Security-Policy header
PH54214 WOLA does not recognize IMS regions they are invoked with LOCKMAX=## specified
PH54373 IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867 CVSS 7.5)
PH54810 Liberty on z/OS ECSA storage used by server resmgr are not being released when server stops
PH55317

wmqMessagingClient-3.0 feature throws java.lang.ClassNotFoundException
Open Liberty fixes:
Issue/PR Description
23838 Invalidating a transaction user can lead to deadlocks in sipcontainer
23938 ExpirationTimer can cause deadlocks in proxy mode
23950 [JPA 2.2] EclipseLink Deliver Issue #1779
24752 Update Expression Language 5.0 to latest 10.1.8 version
24981 server version command ignores JAVA_HOME set in server's server.env
25017 Posting Form-Data with the new Jakarta EE 10 Multipart Support fails
25046 Liberty accesses readonly subject
25168 transport close timing issue when streams are closing and a close/goaway frame comes in
25210 DnsContextFactory not accessible in java 17
25212 Transaction Manager configuration options shutdownOnLogFailure, logRetryInterval and logRetryLimit should be published
25283 JSF Container's Application.getWrapped returns null
25316 Exception when doing trace statement bubbles up to the application
25351 OIDC check_session_iframe does not parse origin correctly when path is included in referer
25352 org.omg.CORBA.DATA_CONVERSION illegal char value for string
25402 Messaging secure CommsOutboundChain may be started with wrong sslOptions
Fix pack 23.0.0.5
Fix release date: 30 May 2023
Last modified: 30 May 2023
Status: Superseded

Download Fix pack 23.0.0.5
Fixes:
APAR Security APAR Description
PH53475 [OLGH24864] FRAME_SIZE_ERROR is generated when both http/2 and compression are used
PH54050 [OLGH25097] UI ADMINCENTER correction
PH54100 Use unauth service if auth service product registration fails
PH54173 Add Java 11 check to cacheDirPerm supported check
Open Liberty fixes:
Issue/PR Description
24577 Static fields leaked on application restarts
24599 [JPA 3.0] EclipseLink Deliver Issue #1823
24751 Update Expression Language 4.0 to the latest 10.0.27 version
24864 HTTP/2 max frame size exceeded when compression is used
24939 `requestTiming-1.0` causes elevated (or spiking) CPU performance due to the `SlowRequestManager`
24948 OIDC RP-initiated logout end_session should verify the id_token_hint issuer
24986 SSLHandshakeException occurs while closing HTTPConduit
25008 NullPointerExcetion or ArrayIndexOutOfBoundsException in SearchBridge when using custom input/output configuration
25010 EntryNotFoundException thrown in federated registries when using custom input/output configuration
25097 Update adminCenter
25152 Request Timing metrics not showing up with `mpMetrics-5.0` (when used with `requestTiming-1.0` feature
25169 295651: Concurrent persistent failover timers - server not releasing claim on scheduled task when unable to run it
Fix pack 23.0.0.4
Fix release date: 2 May 2023
Last modified: 2 May 2023
Status: Superseded

Download Fix pack 23.0.0.4
Fixes:
APAR Security APAR Description
PH50863 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998 CVSS 7.5)
PH52912 CWWKO1100E: The ScheduledExecutorService OSGi service is not available
PH53883 IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482 CVSS 5.3)
Open Liberty fixes:
Issue/PR Description
24585 Insufficient Infinispan cache creation for Liberty httpSessionCache
24004 Allow more output to response following exception in forward based on wc parm
24323 SIPcontainer should stop parsing non-utf8 characters when acceptNonUtf8Bytes is set to false
24469 Java 11 NoSuchAlgorithmException SHA1PRNG when FIPS enabled TS012071744
24565 RegistryHelper.getUserRegistry throws an IllegalStateException if no user registries are present
24578 Application can't recover from exceptions thrown during startup
24598 [JPA 2.1] EclipseLink Deliver Issue #1823
24683 Port MYFACES-4594
24730 Cleanup non-daemon threads at the server shutdown
24793 JSP Options to pick up web-ext jsp-attribute values on start up (honor disableTldSearch to improve app start up time)
24804 Encrypted value for internalClientSecret within oauthProvider does not work
24915 Server hangs at startup when enabling trace specification com.ibm.ws.*=all
24938 SOAP 1.1 Web service request to SOAP 1. Provider acting as gateway fails when wsAtomicTransaction feature is enabled
24955 PH53918 UnsupportedOperationException is thrown after upgrading to 22.0.0.10 or later
24958 Configurable option for FileUpload
Fix pack 23.0.0.3
Fix release date: 4 April 2023
Last modified: 4 April 2023
Status: Superseded

Download Fix pack 23.0.0.3
Fixes:
APAR Security APAR Description
PH52888 NullPointerException in Singleton EJBs as JAX-RS sub resources
PH53171 Fix Collection replica communication problem on AIX and IBM Semeru
Open Liberty fixes:
Issue/PR Description
24092 Aborted managed connections invoking endRequest and end are causing problems in JDBC driver code
24223 Monitor-1.0 returns strange values for standard deviation
24444 JAX-RS NPE in Singleton EJB Sub Resource
24462 Cleanup any asyncServlet non-daemon threads at the server shutdown
24465 JDBC DB2 values for queryDataSize need to be updated
24543 OIDC client issue in cluster environment, starting 22.0.0.10 version
24566 AcmeCA feature with revocation enabled can fail to initialize on certain OS and JDK combinations
24584 pluginUtility merge action generates incorrect output for some inputs
24585 Insufficient Infinispan cache creation for Liberty httpSessionCache
24631 Fix ClassCastException during the de-serialization of CDI Injected Event
24651 Liberty Server hangs randomly
 Back to top
Fix pack 23.0.0.2
Fix release date: 7 March 2023
Last modified: 7 March 2023
Status: Superseded

Download Fix pack 23.0.0.2
 Enhancements:
Idea Description
LIBERTY-I-40 Add timeout option to server stop command
TWAS-I-43 Admin Center support for datasource configuration validation
Fixes:
APAR Security APAR Description
PH52074 [OLGH24157] Validate header names
PH52079 IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787 CVSS 5.5)
PH52095 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364 CVSS 9.8)
PH52167 [OLGH24077] DoNotAllowDuplicateSetCookie property not working
PH52364 Check file existence before delete
PH52713 Feature resolver may pick multiple versions of the same singleton feature
Open Liberty fixes:
Issue/PR Description
16007 Runtime injection of detailed method trace fails for a CDI bean
23410 UnrecoverableKeyException occurs when using WS-Security Callback handler on Liberty 22.0.0.9
23676 Transaction manager unavailable when stopping resource adapters during server shutdown
23954 The authCache->cacheRef and webAppSecurity->loggedOutCookieCacheRef server configuration elements are not included in the documentation
23976 Add option to support old format of start-info in multipart/related SOAP messages
24001 Fix configuration attribute name used in CWWKS1738E message
24007 server dump command fails in WL on IBM i
24047 Memory in com.ibm.ws.wsat.service.WebClient when creating thread context class loaders
24048 Possible performance issue in com.ibm.ws.wsat.service.impl.WebClientImpl
24056 Batch-2.1 feature content is active even when configuring batch-1.0 or 2.0
24077 DoNotAllowDuplicateSetCookies http channel config option is not working
24155 Memory leak in JaxRsFactoryImplicitBeanCDICustomizer
24157 Validate HTTP header names
24293 Scheduled Futures leak resources from Managed Executor Services on application stop
24371 Server fails to start due to conflict on servlet feature
 Back to top 
Fix pack 23.0.0.1
Fix release date: 7 February 2023
Last modified: 7 February 2023
Status: Superseded

Download Fix pack 23.0.0.1
Fixes:
APAR Security APAR Description
PH49341 A race condition of transaction timeout could leave an indoubt transaction at RM side
Open Liberty fixes:
Issue/PR Description
22434 Race condition of transaction timeout could leave an indout transaction at RM side
23273 Scripts do not respect the enable_variable_expansion indicator in server.env
22786 PKCE parameters not copied by oauthForm.js
23392 Stopping liberty Windows service immediately after starting results in hang condition
23425 A syntax error in JSP compile should consistantly output error JSPG0077E
23567 decode url query string before final redirection of the originial request
23582 Messaging client hangs during shutdown
23583 [22.0.0.9] Unmarshaller error when Unmarshaller obtained [from pool]
23613 Intermittent NPE at com.ibm.ws.security.javaeesec.cdi.extensions.HttpAuthenticationMechanismsTracker.getAuthMechs(HttpAuthenticationMechanismsTracker.java202)
23690 JTOpen Toolbox driver 11.1 JDBC connections fail from Open Liberty to IBM i
23748 CDI Shared Library bean visibility problems
23771 IndexOutOfBoundsException can occur during a resource outage.
23782 JDBCDriverService; issue with Boolean parameters
23883 Default keystore file not getting detected on file monitoring
23885 Use mininum jdkSourceLevel of 1.8 for JDK 20+
Fix pack 22.0.0.13
Fix release date: 20 December 2022
Last modified: 20 December 2022
Status: Superseded

Download Fix pack 22.0.0.13
APAR Security APAR Description
PH49482 HttpSession options issue
PH50057 Connecting a member to a Controller Replica fails
PH50342 IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)
PH50815 Check for webenab products before removing product marker
Open Liberty Release fixes 
Issue/PR Description
22405 OidcClientImpl does not properly declare a dependency on SecurityService
22738 SSLContext defined in ClientBuilder.newBuilder().sslContext(sslcontext) not preserved with restfulWS-3.0
23146 JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() return incorrect version
23273 Scripts do not respect the enable_variable_expansion indicator in server.env
23310 Additional fixes for JSR375 (javasec) Decorator and Alternative
23326 Liberty default HttpAuthenticationMechanisms do not call HttpMessageContext.responseUnauthorized
23403 HTTP/2 Intermittent server quiesce failure when stream is closed with an exception
23462 NullPointerException in com.ibm.ws.rsadapter.impl.DB2Helper.isAuthException
23478 NullPointerException in InstallFeatureAction for .esa files
Fix pack 22.0.0.12
Fix release date: 22 November 2022
Last modified: 22 November 2022
Status: Superseded

Download Fix pack 22.0.0.12
APAR Security APAR Description
PH49719 IBM WebSphere Application Server Liberty is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734 CVSS 7.5)
PH49876 zosConnect failure in XML or JSON parsing
PH50062 MDB class leak on application stop
PH50353 Updates to usage metering to set protocols and ciphers for the connection
Open Liberty Release fixes 
Issue/PR Description
21808 Provide a way for Custom User Registries to use the uniqueId instead of the securityName
22771 In SIP headers, need to handle encoded values (%xx) while not causing error on valid Tag formats ending with %
22865 Datasource changes are not propagating to JPA during dynamic config update
22909 MDB class Java heap leak on application stop
22918 Intermittent NPE at com.ibm.ws.security.javaeesec.cdi.extensions.HttpAuthenticationMechanismsTracker.getAuthMechs(HttpAuthenticationMechanismsTracker.java:186)
22933 MP JWT 1.2 and 2.0 TCKs won't run at 22.0.0.11
22963 com.ibm.ws.jpa.container.v21.cdi lacks a package-info.java file
22965 Generating ssl key for FilterServer, when running FilterConfigTest takes too long
23017 MP Reactive Messaging: NullPointerException during Kafka partition rebalance
23031 Failed to parse Created TimeStamp in UsernameTokenValidator
23059 Uses constraint violation for org.joda.time packages
23183 EJB Handle deserialization fails with org.omg.CORBA.TRANSIENT: attempt to establish connection failed
23186 IdentityStore validate method not getting called for BasicAuthentication request
23225 IllegalStateException in dynacache when app server is stopping
23252 AmbiguousResolutionException when same class is present twice and certain features are used
  Back to top
Fix pack 22.0.0.11
Fix release date: 25 October 2022
Last modified: 25 October 2022
Status: Superseded

Download Fix pack 22.0.0.11
APAR Security APAR Description
PH48467 java.lang.ArrayIndexOutOfBoundsException is thrown when purging data while shutting down a connection
PH48810 IBM WebSphere Application Server Liberty is vulnerable to a Denial of Service due to Neko HTML (CVE-2022-24839 CVSS 7.5)
PH49305 Multiple values in request header "X-Forwarded-For" not logged
PH49341 A race condition of transaction timeout could leave an indout transaction at RM side
PH49933 Servers using Intelligent Management intermittently fail to pulbish application endpoints
Open Liberty Release fixes 
Issue/PR Description
22303 On z/OS running Java 11 a FFDC with caused by AttachNotSupportedException occurs when feature localConnector-1.0 is specified.
22361 Cannot start Jenkins 2.346.3 with Java 17 when using AD authentication
22397 MYFACES-4450: tabindex not rendered for outputLabel
22434 A race condition of transaction timeout could leave an indout transaction at RM side
22584 com.ibm.websphere.appserver.api.kernel.service_1.1-javadoc.zip is missing in the Liberty images
22660 java.lang.ArrayIndexOutOfBoundsException when PurgeDataDuringClose=true
22688 HTTP Access logging need to log multiple X-Forwarded-For headers
22721 Update nekohtml version used in openid-2.0
Fix pack 22.0.0.10
Fix release date: 27 September 2022
Last modified: 27 September 2022
Status: Superseded

Download Fix pack 22.0.0.10
Component Security APAR APAR Description
Channel Framework PH46816 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to HTTP header injection (CVE-2022-34165 CVSS 5.4)
Intelligent Management Component PH47454 Error 503 returned from ODR after an application update with the war name changed while the ear file name stays the sam
Liberty z/OS PH49234 Attach fails on z/OS running with Java 11 when a started task is used to start a server specifying the localConnector-1.0 feature
Open Liberty Release fixes 
Issue/PR Description
20599 JDBC connection not validated when numConnectionsPerThreadLocal is used
21340 [JPA 2.2] EclipseLink: Deliver Issue #1245
21805 Removed hideMessage logging attribute not dynamically picked
21914 JobOperator.getRunningExecutions output includes job executions that aren't running
22189 Missing NLS strings for allowAuthenticationFailOverToAuthMethod options
22221 Session timing issue during server shutdown
22227 Yoko marshals null fields incorrectly when the field is declared as a non-serializable class
22347 FFDCIgnore not honored on or after 22.0.0.4
Fix pack 22.0.0.9
Fix release date: 30 August 2022
Last modified: 30 August 2022
Status: Superseded

Download Fix pack 22.0.0.9
Component Security APAR APAR Description
General PH48187 LTPAToken validation failure for users with space characters in the user name caused by PH47867
Intelligent Management Component PH48622 DynamicRouting utility fails parsing commandline
Liberty z/OS PH48202 Unpredictable results when cancelling the angel process without registered Liberty Servers first
Open Liberty Release fixes 
Issue/PR Description
21126 Update GSON library dependency to 2.9.0
21666 java.lang.IllegalStateException: Subject is read-only from WebAppFilterManager.invokeFilters
21737 Combine with MicroProfile OpenAPI: Example of date-time in Schema cannot display this format "YYYY-MM-DDTHH:mm:SSZ", will report "OrderedMap" or this "YYYY-MM-DDTHH:mm:SS.MSZ" format
21837 LTPA SSO failure for certain usernames
21845 featureUtility - Not decoding repository passwords when executing
21858 Multiple protocols not always getting honored with the IBMJDK
21880 OpenAPI 2.0+ throws error at startup
21937 MP Fault Tolerance 1.x can log an FFDC when a method times out at the same time as it completes
21955 Liberty does not provide exported packages for java.* packages at runtime in the OSGi framework insteance
21973 Expiration fields are not compared in an LTPA Token
22012 CXF property cxf.ignore.unsupported.policy is not processed correctly in Liberty 22.0.0.8
22040 Invalid character warning for colon in WorkQueueManagerImplMBeanWrapper objectName
Fix pack 22.0.0.8
Fix release date: 2 August 2022
Last modified: 2 August 2022
Status: Superseded

Download Fix pack 22.0.0.8
Component Security APAR APAR Description
General PH45225 CICS link servers do not reconnect to a Liberty profile server after the Liberty profile server is recycled
PH45750 IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777 CVSS 7.5)
PH46073 Duplicate of PH47867
PH47867 IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476 CVSS 5.0)
Open Liberty Release fixes 
Issue/PR Description
11959 Weld does not mark org.jboss.weld.context.ConversationContext.conversations as dirty when retrieving it from session storage
20939 Classpath visibility unclear -> NoClassDefFoundError: javax.cache.CacheException since 22.0.0.4 (maybe since 22.0.0.3)
20950 Memory Leak with JSF's ViewScopeContextualStorage (MYFACES-4433)
21204 [JPA 2.1] EclipseLink: Deliver Bug #579409
21214 Server start fails when directory has spaces
21398 Add additional details to `exposeWebInfOnDispatch` Server configuration description
21473 ClassCastException FFDC occurs when using audit-1.0 with other features like requestTiming-1.0 or eventLogging-1.0
21526 UI generated by `openapi-3.1` feature doesn't show the link specific endpoints
21601 Port MYFACES-4432 to JSF 2.3 and Faces 3.0 (Resolve request object in facelets)
21615 EJB persistent timers that were deferred during app start do not run when app finishes starting
21651 290399-Fix umask command for IBM i in server script
21664 featureUpdate downloads fail in Windows, due to #20945
21735 PausableComponentException when closing message endpoints on server shutdown
21740 Inactivity timeout value larger than 2147483 seconds causes immediate cache invalidation
Fix pack 22.0.0.7
Fix release date: 5 July 2022
Last modified: 5 July 2022
Status: Superseded

Download Fix pack 22.0.0.7
Component Security APAR APAR Description
Virtual Member Manager (VMM) PH46082 Add warning message when failed login delay is disabled
Open Liberty Release fixes 
Issue/PR Description
19832 OpenIdConnectClient not working with proxy settings given in jvm.options
20933 FeatureUtility only checks one Maven repository
21148 Transactions summary trace is missing
21441 The openapi-3.1 liberty feature generates wrong property name for annotation @Schema
Fix pack 22.0.0.6
Fix release date: 7 June 2022
Last modified: 7 June 2022
Status: Superseded

Download Fix pack 22.0.0.6
Component Security APAR APAR Description
Intelligent Management Component PH43910 Liberty routing rules do not always respect a webserver assignment using the '*' wildcard
Liberty Administrative Center PH45086 IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393 CVSS 3.1)
Security PH46072 IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475 CVSS 7.1)
Open Liberty Release fixes  
Issue/PR Description
14425 EclipseLink: Deliver Bug #567087
18844 The com.ibm.websphere.logging.WsLevel class is not visible as an API
20082 CWWKE0702E: Could not resolve module: com.ibm.ws.ejbcontainer.remote [852] Bundle was not resolved because of a uses constraint violation.
20908 Default session meta cache name failed with RH DataGrid
20981 ArrayOutOfBounds exception on z/OS with either full or JMX audit events enabled on shutdown
21004 featureUtility viewSettings doesn't show repository settings
21043 Bump netty dependencies to 4.1.77.Final
21050 Liberty OIDC error is being returned with incorrect characters
21060 Correct Service Release and Fixpack processing in JavaInfo
21079 Refresh token is not cleaned up when a JWT access_token had been issued
21097 Custom claims not passed to the back end
21108 Admin center enhancement
Fix pack 22.0.0.5
Fix release date: 10 May 2022
Last modified: 10 May 2022
Status: Recommended

Download Fix pack 22.0.0.5
Component Security APAR APAR Description
General PH42822 WebSphere Liberty z/OS 20.0.0.9 java.lang.NullPointerException at com.ibm.ws.jaxrs.JAXRSRuntimeDelegate$ClassloaderReference
Liberty z/OS PH45221 NPE in com.ibm.ws.zos.wlm.internal.UnauthorizedWLMNativeServices.CreateJoinWorkUnit()
PH45329 Liberty server fails to start with JVM gpf after a racroute request=auth call
PH45749 z/OS Product registration message CWWKB0108I does not contain full version
Open Liberty Release fixes
Issue/PR Description
20283 Fix duplicate error messages in RESTful WS (JAXRS)
20306 Bump netty dependencies to 4.1.75.Final
20476 NPE when outputting SimpleTimer close to the end of a full minute.
20509 JSP included jar dependency check incorrect
20522 Update ExpressionLanguage 4.0 API/Impl to 10.0.18
20627 schemaGen improve command line options parsing
20669 Extra text found in description of connectionManager purgePolicy
20676 WEBCONTAINER THREADS HUNG WHILE CLOSING WEBSOCKETS
20693 Springboot application packaged with OL 22.0.0.3 failed to run
20730 Deadlock in memory session and logging handler
20762 Port MYFACES-4431 to JSF (Custom Navigation Handler Thows NPE during Flow Handling)
20782 FeatureUtility isf does not resolve already installed user feature
20818 JaxRS-Client fails performing PATCH-requests with Java17
20858 localConnector problems with some combinations of jdk.attach.allowAttachSelf and com.ibm.tools.attach.enable
Fix pack 22.0.0.4
Fix release date: 12 April 2022
Last modified: 12 April 2022
Status: Superseded

Download Fix pack 22.0.0.4
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH44666 OpenAPI UI is missing CSS
General PH45006 During server shutdown OSGi applications may log null pointer exceptions (FFDCs)
JavaServer Pages (JSP) PH44627 Null Pointer Exception in JSP after 21.0.0.7 when skipMetaInfResourcesProcessing=true
Liberty Archive Install PH44289 Install of z/OS Liberty interim fix fails with CRIMA1076E
Liberty Kernel PH45316 Liberty packaging fixes - Ensure the proper set of features are packaged when several valid versions exist
Open Liberty Release fixes          
Issue/PR Description
18177 Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP
19627 MP JWT 1.2 fails to load all relevant MP Config properties
19767 Bump gRPC dependencies to 1.43.2
19937 context-root for web-ext is no longer honored with WLP 22.0.0.1
20082 CWWKE0702E: Could not resolve module: com.ibm.ws.ejbcontainer.remote [852] Bundle was not resolved because of a uses constraint violation
20247 webContainer property skipMetaInfResourcesProcessing=true can cause NullPointerException in JSP taglib
20293 Add security headers to OpenAPI UI
20298 Avoid ConcurrentModificationException during dynamic configuration updates for federatedRepository and user repositories
20303 NPE during handshake when CLIENT_AUTH or SERVER_AUTH is missing in the certificate extension
20310 OpenAPI UI is broken (missing CSS)
20353 NullPointerException in EJBWARRuntimeImpl when dynamically updating server configuration
20403 LibertyRestClientBuilderImpl nonProxyHosts PatternSyntaxException
20441 Timing window where cancellation of scheduled task is ignored
Fix pack 22.0.0.3
Fix release date: 15 March 2022
Last modified: 15 March 2022
Status: Superseded

Download Fix pack 22.0.0.3
Component Security APAR APAR Description
JavaServer MyFaces (JSF) Apache MyFaces implementation PH43113 ClassNotFoundException for SecureSerializedViewCollection during Session Persistence
Liberty Administrative Center PH43817 IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
Liberty Kernel PH44064 Liberty server command not working on IBM i platform after installing fix pack 22.0.0.2
Liberty System Management PH43223  IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038 CVSS 4.4)
Open Liberty Release fixes
Issue/PR Description
12050 @RolesAllowed rejects unauthenticated users when they mapped to an allowed (EVERYONE) role
19316 Duplicate message key in com.ibm.ws.ui.tool.explore
19519 LibertySSLSocketFactory cannot be loaded inside a custom feature
19613 Bump netty dependencies to 4.1.72.Final
19659 Update ExpressionLanguage 4.0 API/Impl to 10.0.14
19673 JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer"
19780 Adding Monitor Filter increases Startup Time.
19937 Context-root for web-ext is no longer honored with WLP 22.0.0.1
19960 OpenID Connect: Double URL Encoded State Parameter in Redirect location
19981 ConcurrentModificationException in com.ibm.ws.security.openidconnect.clients.common.JtiNonceCache
19991 featureUtility does not pass all features from server.xml to repository resolver
19999 [JPA 2.2] EclipseLink: Deliver Bug #578262
20003 Update Webcontainer ServletVersion Handling to Avoid SRVE8501E errors
20020 AccessControlException thrown from Yoko calls to Class::getClassLoader
20063 Server commands not working on IBM i after checkpoint changes
20064 Fix server command on IBM i
20070 503 response returned when request contained a 100-continue header
20165 jsonpContainer-2.0 and jsonbContainer-2.0 features incorrectly use default providers.
20206 Servers stop can fail in products that embed Liberty
20277 False artifact io.openliberty.jaxrs30 in mvn repository
           
Fix pack 22.0.0.2
Fix release date: 15 February 2022
Last modified: 15 February 2022
Status: Superseded

Download Fix pack 22.0.0.2
                                       
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH44762 IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031 CVSS 5.4, CVE-2021-46708 CVSS 4.3)
General PH41660 After 21.0.0.9 upgrade "DefaultHostname" definition in bootstrap.properties does not overwrite Liberty default
PH43194 Add support for CICS 5.6 to WOLA
PH43281 API Discovery UI will not load
PH43530 NullPointerException in JSP after 21.0.0.7
Intelligent Management Component PH41615 Intelligent management WebServer plug-in is sometimes unable to route one HTTP session requests to the same member server
Virtual Member Manager (VMM) PH42489
IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031 CVSS 7.5)
 Open Liberty Release fixes
Issue/PR Description
18299 NullPointerException if used with mpMetrics 3.0
18941 NullpointerException in JSP after upgrade
19177 [JPA 2.2] EclipseLink: Deliver Bug #412391
19545 OpenIdConnectClient cookies not getting deleted after logout
19608 Oracle database helper logging `DSRA8207I` too frequently
19688 Empty com.ibm.ws.logging.hideMessage hides all messages and does not create messages.log
19702 Support for outbound channel selectors to start immediately
19707 Runnable jar hangs after Ctrl + C
19780 Adding Monitor Filter increases Startup Time
19781 Calling `UserRegistry.isValidGroup` or `UserRegistry.isValidUser` when using `federatedRegistry-1.0` can return `true` when `false` should be returned
19785 Federated SAF registries can incorrectly claim a SAF user or group is not in the realm when calling `UserRegistry.isValidGroup`
19826 MP Fault Tolerance annotations at the class level of a Rest Client interface are ignored
19831 The output of ./wlp/bin/productInfo featureInfo missing new lines
19841 defautHostName does not get picked up from bootstrap.properties for cfw
19860 Updating MicroProfile versions on server.xml causes issues with install manager
19897 "ERROR: Input redirection is not supported, exiting the process immediately" reported with Open Liberty as a service on Windows
                       
Fix pack 22.0.0.1
Fix release date: 18 January 2022
Last modified: 18 January 2022
Status: Superseded

Download Fix pack 22.0.0.1
Component Security APAR APAR Description
General PH42908 HTTP/2 streams still accepted after server shutdown despite OLGH19193
Liberty Archive Install PH41986 Product validation fails by feature manager when PH39418 is installed
Runtime and Classloader PH42759 Block class loads for vulnerable classes
Web Container PH42435 SRVE0250I and SRVE0164E no longer emitted due to OLGH18992
Web Services (JAX-WS) PH42074  IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310 CVSS 4.8)
WebSphere MQ messaging providers PH42762 Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server Liberty (CVE-2021-4104 CVSS 8.1)
 Open Liberty Release fixes
Issue/PR Description
16320 OAuth provider Multiple Connections are disallowed in current pre-existing attachment environment error TS003794701
17562 Multiple duplicate element IDs cause excess memory allocations and looping.
18695 Avoid inferring caller in LogRecord.getSourceClassName and LogRecord.getSourceMethodName in Liberty HPEL
19334 Policy attachments file: policy-attachments-server.xml is not processed
19342 [JPA 2.1] EclipseLink: Deliver Bug #463042
19348 gRPC server property "httpEndpoints" is invalid
19366 JMX file transfer errors should not expose resolved file paths
19413 JAX-RS fails with 400 Bad Request when query string contains _type param
19433 JNDI lookup to CORBA URL can hang
19505 SRVE0250I and SRVE0164E messages not emitted unless trace is enabled
19514 Test Failure: AutonomicalPolling1ServerTest.testAddPersistentExecs gets intermittent NullPointerException when transaction timeout aborts the connection
19522 Unresolved gRPC bundles in feature
19547 New HTTP/2 streams still accepted while server is closing
19567 Memory Leak with mpJWT
19585 Classes are still indexed by mpOpenAPI when mp.openapi.scan.disable=true
19589 ArrayIndexOutOfBoundsException during startup with mpOpenApi
19630 Application class loader to ignore designated classes
19631 featureUtility installServerFeature fails when user feature is listed
           
           
Fix pack 21.0.0.12
Fix release date: 3 December 2021
Last modified: 3 December 2021
Status: Superseded

Download Fix pack 21.0.0.12
Component Security APAR APAR Description
Liberty z/OS PH41840 Cannot get a WOLA connection for a client after configuration update
Open Liberty Release fixes
Issue/PR Description
7735 Backport close stream weld properties overlay
17428 OpenAPI 2.0 includes non-public fields in the generated documentation
17599 wsoc connection causes quiesce error
18896 OSGiBeanValidationImpl DS component needs to wait for all config to load.
18992 Application fails to restart in server.xml update scenario
19051 Server script depends on the `which` command
19057 Port bind skipped at server startup
19087 Throughput performance degradation in eclipselink due to Thread.getStackTrace calls
19127 AccessControlException in WebAppSecurityCollaboratorImpl performDelegation(...)
19193 Stop allowing creation of H2 streams if server is closing
19197 ClassCastException in JSP relating to JDT internal classes
19227 Bug Fix: Ensure ServletRequestListener#requestDestroyed is always called
19233 Incorrect PostgreSQL session table query
           
           
Fix pack 21.0.0.11
           
Fix release date: 5 November 2021
Last modified: 5 November 2021
Status: Superseded

Download Fix pack 21.0.0.11
Component Security APAR APAR Description
IBM i PH39665 WebSphere Liberty server fails to start on IBM i running with Java 11
System Management Functions PH40204 Deadlock found in SingletonServiceManagerImpl registerService
Open Liberty Release fixes
Issue/PR Description
13990 SAML JSP gets unexpected 500 error due to ClassCastException
16598 ServletContainerInitializer is passed invalid @HandlesTypes classes
16811 Response output may not close at end of dispatch forward
17155 Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17972 `@Schema(multipleOf = )` can throw `NumberFormatException` in `mpOpenAPI-2.0` feature
18262 server startWinService & stopWinService commands give incorrect/misleading return codes
18411 Liberty message.log has repeating servlet lifecycle messages
18419 ExpressionFactory#getClassNameServices fails if META-INF/services/javax.el.ExpressionFactory contains comments
18492 gRPC service registration broken for EAR deployments
18663 NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
18674 HTTP/2 streams closed due to client window update delay
18751 Bump netty dependencies to 4.1.68.Final
18813 Test Failure: testJTATransactionUsedSeriallyWithOverlapAndCommitWithinLastStage NullPointerException
18836 NPE when creating an HttpAuthenticationMechanism with the default package
18866 Fix PasswordUtil.passwordEncode() with "hash" option
18925 Cloudant NLS messages are not used
18973 Investigate weld-osgi-bundle versions in feature files
Fix pack 21.0.0.10
Fix release date: 8 October 2021
Last modified: 8 October 2021
Status: Superseded

Download Fix pack 21.0.0.10
Component Security APAR APAR Description
Liberty Kernel PH39418 Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517 CVSS 5.5, CVE-2021-36090 CVSS 7.5)
PH40489 SPNEGO fails with 403 error on Java 11 at 21.0.0.9
Liberty System Management PH39935 CWWKE0701E at Liberty startup reports a ConcurrentModificationException in the APIProviderAggregator class
Web Container PH40879 Server start hangs caused by plugin-cfg.xml generation
Virtual Member Manager (VMM) PH38929 WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842 CVSS 3.7)
Open Liberty Release fixes
Issue/PR Description
17155 Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17489 IllegalStateException is thrown when Liberty tries to update a readOnly subject
17950 Fix SRVE8501E Warning
18281 Possible Bug with deferServletRequestListenerDestroyOnError
18282 Bug: AdminCenter SRVE0190E: File not found: /images/tools/wasdev_142x142.png
18299 NullPointerException if used with mpMetrics 3.0
18348 ContainerRequestContext.getAcceptableLanguages() - fails with IllegalArgumentException when invalid locales are specified in the Accept-Language header.
18404 Create PluginGenerator Lock to Address FileNotFoundExceptions
18430 Saml web sso sp initiated login flow resulting in buildup of WASSamlReq_xx cookies
18437 JSF throws ClassNotFoundException for o.a.m.el.convert.ValueExpressionToValueBinding
18475 Servlet ReadListener does not receive all HTTP request data
18503 RuntimeCodebase cannot be located on collocated call
18530 Startup hang caused by plugin-cfg generator changes
18552 JAX-RS 2.0 and 2.1 implementation is executing resource method when Content-Type or Accept header contains invalid values
18663 NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
                                                   
           
Fix pack 21.0.0.9
           
Fix release date: 10 September 2021
Last modified: 10 September 2021
Status: Superseded

Download Fix pack 21.0.0.9
                                                                                                                                                                       
Component Security APAR APAR Description
JavaServer Faces (JSF) Apache MyFaces implementation PH40182 JSF faces-config parser throws NPE when XML namespace missing
JavaServer Pages (JSP) PH38133 Incorrect Expression Language (EL) Method Matching with Varargs
Liberty z/OS PH39946 Liberty logging hideMessage= parameter should also stop messages being written to messageLogDD=MSGLOG
Open Liberty Release fixes
Issue/PR Description
16700 Improve featureUtility performance with remote repository
17444 Pull in BZ 65358 -- Varargs Method Matching (EL Patch)
17591 IdentifyException accidentally externalized as unusable top level config element
17682 Exception stack trace is exposed in error returns from JMX REST apis
17912 Bump netty dependencies to 4.1.66.Final
18002 `@Schema(multipleOf = )` validation check is wrong in `mpOpenAPI-2.0` feature
18009 Wrong char count in ServletOutputStream with non-ASCII characters skips content
18091 Remove system from code
18155 JSF faces-config parser throws NPE when namespace missing
18213 IOException FFDC logged after HTTP/2 stream is closed by client
18237 Unexpectd FFDC from Jackson
           
           
Fix pack 21.0.0.8
Fix release date: 13 August 2021
Last modified: 13 August 2021
Status: Superseded

Download Fix pack 21.0.0.8
           
                                                                                                                                                                                                   
Component Security APAR APAR Description
JavaServer Faces (JSF) Apache MyFaces implementation PH38339 StringIndexOutOfBoundsException Occurs When Creating a Resource
Open Liberty Release fixes
Issue/PR Description
16700 Improve featureUtility performance with remote repository
16994 Dynamic reconfig of discovery endpoint not updating endpoints in all cases
17313 Ubuntu upgrade re-enabled openliberty@defaultServer
17678 Port MYFACES-4065/MYFACES-4187 to JSF 2.2
17757 Passivating remote EJB Stub fails when rmicCompatible=true
17799 gRPC monitoring requires the enablement of both grpc-1.0 and grpcClient-1.0
17828 Update JSP Logic to Avoid Race Condition Regarding trackDependencies
17904 grpcClient-1.0 dynamic enablement unexpected behavior
           
           
Fix pack 21.0.0.7
Fix release date: 15 July 2021
Last modified: 15 July 2021
Status: Superseded

Download Fix pack 21.0.0.7
           
                                                                                                                                                                                                   
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH37788 Use first found ejbDescriptor for MD
General PH35877 Session ActiveCount shows a negative value
PH34906 XML External Entity Injection (XXE) in WebSphere Application Server Java Batch (CVE-2021-20492 CVSS 6.5)
PH38224 Invalid command line optional parameters with "featureUtility help installFeature"
Open Liberty Release fixes
Issue/PR Description
14575 OAuth client registration: Client IDs with GB18030 characters do not work
15726 Re-introduce change reverted from 14248
16282 Nullpointer exception during authorization using OidcLogic
17235 FeatureUtility should return RC=20 when invalid action name is specified
17299 Allow multiple version of singleton feature with featureUtility installFeature command
17344 OIDC RP may fail to login if clientSecret is not configured TS005720300
17437 NPE in com.ibm.tx.jta.util.logging.TxTr.initTrace
17478 Invalid command line optional parameters are shown with "featureUtility help installFeature" and "featureUtility help installServerFeatures"
17482 Unexpected results with JSP trackDependencies in the extended document root
17489 IllegalStateException is thrown when Liberty tries to update a readOnly subject
17576 OIDC Update the description for disableIssChecking
17593 EJB Singleton Lifecycle Deadlock
17635 Bump gRPC dependencies to 1.38.1
17658 ConcurrencyPolicy loses queue slots when managed executor deactivates and erroneously cancels tasks of other executors
17666 JavaMail tries to use a resource file that only exists in the implementation
           
           
Fix pack 21.0.0.6
Fix release date: 18 June 2021
Last modified: 18 June 2021
Status: Superseded

Download Fix pack 21.0.0.6
Component Security APAR APAR Description
JavaServer Pages (JSP) PH36923 java.lang.NullPointerException caused by PH34711
Liberty Kernel PH37460 Setting 'AutoExpand' to true causes the 'UseJandex' setting to be ignored
Open Liberty Release fixes
Issue/PR Description
12778 mpJWT-1.1 configured by using jwksUri results in CWWKS5523E at the first jwt token presented to the server
15023 WASReqURLOidc cookie encodes the request url but does not decoded it upon successful redirection
16598 ServletContainerInitializer is passed invalid @HandlesTypes classes
16743 Pull in MyFaces 2.3.9
17040 Revision to httpOption maxKeepAliveRequest default value
17047 PluginGenerator FFDC: BundleContext is no longer valid
17117 Test Failure: Failover1ServerCoordinatedPollingTest.testMultipleInstancesCompeteToRunManyLateTasksPC
17177 Failed to locate data source, null Resourcefactory
17203 ORB.init() called simultaneously on two threads during server start
17268 APAR PH37460 useJandex is ignored when autoExpand is set
17294 java.io.IOException might be thrown during AsyncContext.complete()
           
Fix pack 21.0.0.5
Fix release date: 21 May 2021
Last modified: 21 May 2021
Status: Superseded

Download Fix pack 21.0.0.5            
Component Security APAR APAR Description
Liberty OSGi Applications PH28781 CWWKZ0404E: An exception was generated when trying to resolve the contents of the application
Liberty z/OS PH35442 Smf120 subtype 11 records sometimes missing values when a servlet request takes an error path
PH35542 Abend 0C4 in ntv_registerserver reported on WebSphere Liberty z/OS 20.0.0.12 (wlp-1.0.47.cl201220201111-0736)
PH36576 CWWKB0086E seen in angel in fix pack 21.0.0.3
Open Liberty Release fixes
Issue/PR Description
13522 Publish the WebContainer property enableMultiReadOfPostData
14174 The WebContainer properties may not be updated accordingly.
14345 ServletContext getContextPath() does not end with forward slash.
15216 JDBC Kerberos problems on IBM JDK 8
16203 IllegalStateException when calling CDI bean with @Transactional(Transactional.TxType.NEVER) from websocketEndpoint
16307 Update Liberty to not block use of Oracle 21c JDBC driver with IBM Java 8 and Kerberos authentication.
16428 Remove Internal From setHtmlContentTypeOnError
16495 Rename plugin-cfg File Using Files#Move
16524 Fix issue with spanning an audit record across audit logs when signing and encrypting of audit logs is enabled
16539 SESSION ACTIVECOUNT SHOWS A NEGATIVE VALUE
16637 Authorization failure occurs when LDAP or basic user attempts login in SAF federated registry
16661 microprofile-config.properties is not loaded in OASFilter
16694 Avoid virtual host missing warning if server is in the process of shutting down
16764 Deploying two applications with mpOpenApi-2.0 enabled can cause IllegalStateException: SROAP00001: Model already initialized.
16772 [JPA 2.1] EclipseLink: Deliver Bug #573094
16774 PostgreSQL session table check missing qualifier name
16793 Include RelayState in the logout response to IdP initiated slo requests
16808 Issue16807 support new Java policy location per open JDK 9
16843 Cleanup request thread data
Fix pack 21.0.0.4
Fix release date: 23 April 2021
Last modified: 23 April 2021
Status: Superseded

Download Fix pack 21.0.0.4
Component Security APAR APAR Description
Administrative Console PH34122
Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258 CVSS Score 7.5)
Java 2 Connectivity (J2C) PH33683 EJB timer service does not adjust for daylight savings time
JavaServer Faces (JSF) Apache MyFaces implementation PH34711
Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)
Open Liberty Release fixes
Issue/PR Description
15336 Replace DNS lookup with regular expression to get the domain name in SSO Cookie Domain function
15989 MyFaces Update State Saving
16054 HSTS Header not added on responses with 404 status
16113 Shared Class Cache not generated on Windows
16118 Create setHtmlContentTypeOnError Webcontainer Property
16160 HTTP/2 ClassCastException during error handling
16184 EJB timer service does not adjust for daylight savings time during fall adjustment
16301 LDAP and Database Identity Stores fail to reprocess deferred EL expressions
16353 Bump netty dependencies to 4.1.62.Final
16364 Premature response completion in Async servlets
16410 Improve messaging in ldapRegistry-3.0 when userFilter and groupFilter do not contain an AVA with %v
16416 Java 2 Security exception when adding custom principal to the subject for Jaspic
           
Fix pack 21.0.0.3
Fix release date: 26 March 2021
Last modified: 26 March 2021
Status: Superseded

Download Fix pack 21.0.0.3
Component Security APAR APAR Description
Liberty z/OS PH33563
SAFPasswordUtilityFactory.getInstance().passwordChange results ioException: exception in opening zip file after multiple calls
PH34338 ABEND0C4 during Liberty server shutdown
Open Liberty Release fixes
Issue/PR Description
5470 NLS message CWWKE0031E is inaccurate when emitted from server script
11249 JAXRS leaks memory when applications do not close their Client references
12606 server.bat script does not read path of jvm.options correctly as documented
14926 Bean Validation 1.1 NullPointerException from ValidationReleasableFactoryImpl
15646 Issue15644ProperMergingOfJava2Permissions
15744 Pull in MyFaces 2.3.8
15799 Plugin Generator can cause server shutdown delay
15822 LDAP group members may be ignored when the member's RDN starts with cn (and possibly other attribute names).
15853 Bump netty dependencies from 4.1.52.Final to 4.1.59.Final
15857 EJB client intermittently throws BAD_PARAM after server restart
15869 MP Config AppPropertiesTrackingComponent synchronization
15878 JAX-RS requests that do not specify the port fail with SSL
15927 Cannot inject optional list with mpConfig-1.x
15943 Merge multi-homed environment related changes into Liberty
15975 Create a UDP connection using the selected outbound interface
15985 Threads backing up during transaction processing due to use of Dictionary
16037 Separating ciphers with two spaces results in unspecified behaviour
16060 Eclipselink bundles lack javax.mail.internet
           
Fix pack 21.0.0.2
Fix release date: 26 February 2021
Last modified: 26 February 2021
Status: Superseded

Download Fix pack 21.0.0.2
<
                                                                                                                                                                                                   
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH33219
AdminCenter web app is not updating status after an operation concludes
Install PH33517 Issue with <INCLUDE LOCATION> tag on Liberty 20.0.0.9 failed to support the WLP_USER_DIR in already built fixes
Java 2 Connectivity (J2C) PH31875 J2CA0079E: getManagedConnection internal illegal state state = state_inactive mcw
Open Liberty Release fixes
Issue/PR Description
11777 prepareJSPThreadCount is not documented in Open Liberty - Investigate if any issues using it and document
12490 IOExceptions thrown after HTTP/2 stream is closed by client
12694 EclipseLink: Deliver Bug #538296
14109 Update gRPC dependencies to 1.35
14175 Expression Language 3.0 value lookup performance improvement
14248 Update WC property suppressHtmlRecursiveErrorOutput
14934 JAX-RS client creates a new SSLSocketFactory for every request
15040 ClassCastException might happen when serving a static resource
15433 System WABs may come online with the web container after server reports started
15550 NullPointerException in HttpServletRequest or HttpServletResponse context proxies
15698
FeatureUtility not parsing Liberty custom environment variables
           
                                                   
           
Fix pack 21.0.0.1
Fix release date: 29 January 2021
Last modified: 29 January 2021
Status: Superseded

Download Fix pack 21.0.0.1
                                                                                                                                                                       
Component Security APAR APAR Description
Install PH32961 InstallUtility and FeatureUtility are working when the variable is a directory, but not part of a file name
Intelligent Management Component PH31732 Restricting IP access in ssh keys in authorized_keys, results in ssh key being appended when collective member is restarted
Open Liberty Release fixes
Issue/PR Description
10000 HttpServletResponse.sendRedirect(String location) builds absolute URL including protocoll and server-name
12095 PluginGenerator: BundleContext is no longer valid
12417 Fix java.lang.IllegalStateException: jstl facade bundle can not be located
13515 Add addstricttransportsecurityheader WebContainer prop to metatype
14532 Plugin Generator can cause server shutdown delay
14815 Recovery race
14925 OAuth user registry lookups may use incorrect custom cache key
14928 EclipseLink: Deliver Bug #514486
14936 Issue when deploying Open Liberty application to Openshift
14950 Pull MyFaces 2.3.7 into Open Liberty
14975 OIDC RP: creating a subject with allowCustomCachKey=false results in a subject that includes a cache key
15174 Include tag on windows not parsing correctly
15216 JDBC Kerberos problems on IBM JDK 8
15220 Add HTTP/2 IOException for misbehaving client error case
15237 Clear federated repository specific information from AuditManager thread
15242 Stop the ACME Certificate Checker Task when the server is stopping
15263 HTTP TRACE method requests are rejected with a 403, and `enableTraceRequests="true"` does not help
15305 Pull in CXF-8278
15315 Enable server shutdown on recovery log failure
15337 Dynacache initialization issue when ID is missing
15342 CONTAINER_NAME env variable is not reflected in logstashCollector-1.0
15388 Include tag file name unable to be parsed for featureUtility
15390 Various thread safety issues in the Liberty scheduled executor
15550 NullPointerException in HttpServletRequest or HttpServletResponse context proxies
           
Fix pack 20.0.0.12
Fix release date: 27 November 2020
Last modified: 27 November 2020
Status: Superseded

Download Fix pack 20.0.0.12
Component Security APAR APAR Description
General PH30714 PortOpenRetries needs to do retries for hostname lookup failures
PH30744 Increased CPU can occur after moving to Liberty version 19.0.0.7 or higher
Install PH32363 InstallUtility and featureUtility ignores included config files on Windows
Intelligent Management Component PH31277 Health policies do not trigger
Java Persistence API (JPA) PH29720 EclipseLink generates SQL for the coalesce function with incorrect whitespace.
Systems Management Functions PH30558 Do not store Leader ID when server is stopping
Open Liberty Release fixes
Issue/PR Description
14425 EclipseLink: Deliver Bug #567087
14426 EclipseLink: Deliver Bug #463350
14457 EclipseLink: ClassCastException for Boolean-Typed JPS-Query
14540 com.ibm.wsspi.cache.getProperties() returns empty map.
14542 Java 15: IllegalAccessError when using MP Rest Client
14555 TCP: add retry logic to hostname loookup when opening ports
14582 Prevent jsonp-1.0 and jsonpContainer-1.1 from both starting.
14597 Increased CPU when moving from Liberty 19.0.0.6 to newer releases.
14650 MP GraphQL does not scan JARs in WEB-INF/lib for GraphQL components
14655 Move participatingBaseEntry check to avoid inaccurate logging of CWIMK0004E message
14657 Fix connection manager deadlock for purgePolicy=FailingConnectionOnly
14735 Fix the Logging metatype description message for hideMessage
14743 Variables in include files not recognized after config update
14781 Wrong FailureScopeController used in peer recovery
14826 Allow Spring Boot app with embedded launcher script to deploy
14828 Server stop hang
Fix pack 20.0.0.11
Fix release date: 30 October 2020
Last modified: 30 October 2020
Status: Superseded

Download Fix pack 20.0.0.11
Component Security APAR APAR Description
General PH30494 NullPointerException is received when using the PasswordChange API with more than one UserRegistry
Java 2 Connectivity (J2C) PH29942 Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693 CVSS 5.3)
Open Liberty Release fixes
Issue/PR Description
7056 HTTP/1.1 and HTTP/2 behave differently when a non-standard HTTP method is used
12312 Update to commons daemon breaks windows servicel
12724 Unable to Override JAX-RS SecurityContext in ContainerRequestFilter
13073 FFDC raised when fallback method or handler throws exception
13830 Federated repositories returns the string "null" instead of the value null for several methods
13861 Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13908 Liberty Java security function does not honor JDK's java.policy file.
14003 Test Failure: com.ibm.ws.microprofile.health20.fat.ApplicationStateHealthCheckTest.testPreLoadedApplicationsHealthCheckTest_mpHealth-3.0
14183 Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy
14192 Eclipselink: Wrong month is returned if OffsetDateTime is used in JPA 2.2 code
14377 Server.xml config sources do not respect config_ordinal
14421 EJB persistent timer may attempt to run after server stop issued
           
Fix pack 20.0.0.10
Fix release date: 2 October 2020
Last modified: 2 October 2020
Status: Superseded

Download Fix pack 20.0.0.10
Component Security APAR APAR Description
Asynchronous beans PH29578 CWWKE0701E: Frameworkevent error org.osgi.framework.serviceExcception
Liberty Kernel PH27428 NullPointerException because wsJarUrlStreamHandler creates unusable input stream
PH27908 Unconverted adapt to web annotations from com.ibm.ws.openApi.internal.annotationScanner
PH28816 During server startup, the warning "Unconverted adapt to web annotations" appears in server logs
Liberty z/OS PH28141 Out of memory in cell pool using 500 connections
Web Services Security PH29368 WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590 CVSS 5.3)
Open Liberty Release fixes
 
Issue/PR Description
11646 Concurent Login Issue
11722 mpHealth - readiness check reports UP when application fails to start
11847 Add support for traditional websphere property: com.ibm.ws.webcontainer.suppresslastzerobytepackage
12613 Enabling openTracing with no tracer class configured impacts performance
12790 Need to limit how many times an OIDC refresh token can be used to get new tokens
13404 Kafka connector can report failure for acknowledgements which eventually succeed
13551 NullPointerException when starting an EJB module during server stop
13569 Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0
13613 Support IIOP transmission of Supplemental Multilingual Plane characters (such as emoji) in (wide) Strings
13681 Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13817 PostgreSQL tables are not automatically generated for transaction recovery
           
Fix pack 20.0.0.9
Fix release date: 4 September 2020
Last modified: 4 September 2020
Status: Superseded

Download Fix pack 20.0.0.9
Component Security APAR APAR Description
EJB Container PH27497 CNTR5010E,CNTR0075E Errors after migrating from WebSphere V8.5.5.X TO V9.0.5.X
PH27912 CNTR5104E OR CNTR5102E occurs at EJB start after upgrading WebSphere to V8.5.5.16, V9.0.5.0, V9.0.5.1, OR V9.0.5.2
Install PH30219 <INCLUDE> Tag not being considered when installing server.xml
Java Persistence API (JPA) PH26967 OpenJPA's class transformer needs to respect app classloader concurrency
PH28547 JPA persistence activator retains classloader references, potentially leading to OutOfMemory condition
 Open Liberty Release fixes
Issue/PR
 Description
11504 Occasional ArrayIndexOutOfBoundsException in JaspiServiceImpl.getDescription during Arquillian Tests
11556 Connection leak when XAResource.recover fails
12832 Bean Validation should consider @ValidateOnExecution when CDI is not enabled.
13027 Jaxrs security not getting SSL Socket Factory updates
13036 mpGraphql Exception allowlist not working. NullPointerException is thrown by mpConfig
13138 tag not being considered when installing server.xml
13170 MDB method restricted from being private final for no methods listener
13309 Application with EJB 2.x local interface that extends java.rmi.Remote fails to start
13331 ignore extra ffdc when application fail to start due to vhost already removed by stop app
13447 Http/2 -clean up connection on error
14183 Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy
           
Fix pack 20.0.0.8
Fix release date: 7 August 2020
Last modified: 7 August 2020
Status: Superseded

Download Fix pack 20.0.0.8
                                                                                                                                                                       
Component Security APAR APAR Description
Systems Management Functions PH27639 Stopped application may show as started in collective controller.
Security PH34376 RACF RACMAP filter fails to properly match on realm
Open Liberty Release fixes
Issue/PR Description
12074 Webcontainer property decodeUrlPlusSign issue
12312 Update to commons daemon breaeks windows service
12450 Batch: Fixes for remote partition job logs
12523 Failed to parse Created TimeStamp in UsernameTokenValidator
12613 Enabling openTracing with no tracer class configured impacts performance
12695 JAX-RS Application Proxy should override getProperties()
12780 CWMRX1001W seen in messages.log
12865 spring-cloud-starter causes ApplicationStarted event to be fired before the ModuleStarted events for Spring Boot web apps
12967 "peer not authenticated" failures in RP to OP communication on some versions of Java 11
13094 MDB message listener method name restricted from starting with "ejb"
           
                                               
           
Fix pack 20.0.0.7
           
Fix release date: 9 July 2020
Last modified: 9 July 2020
Status: Superseded

Download Fix pack 20.0.0.7
                                                                                                                                                                       
Component Security APAR APAR Description
Liberty System Management PH26177 API Discovery UI fails
z/OS PH23733 Unexpected Transaction CPLT ABEND ASIB when transaction is rolled back
Open Liberty Release fixes
Issue/PR Description
8048 Unable to write multipart data in Jax-Rs
12032 Configuration for sslSessionTimeout is ignored at runtime
12067 PluginUtility currently looks in the workarea for com.ibm.ws.jmx.local.address but should look in the logs/state directory
12352 Correct spelling mistake in com.ibm.ws.jsp.jstl.facade/bnd.bnd
12375 IllegalArgumentException occurs when processing SOAP response containing SOAP Fault
12399 HTTP/2 read window not updated
12516 Changes to SSL Session Timeout
12537 H2 NPE HttpOutputStreamImpl.flushHeaders
12545 syncQueryTimeoutWithTransactionTimeout="true" with totalTranLifetimeTimeout="0" results in SQLTimeoutException
12567 Fault Tolerance 2.1: org.eclipse.microprofile.faulttolerance cannot be resolved
12599 HTTP/2 connection termination performance
12708 Entry and exit trace is missing when using OpenJDK with OpenJ9 version 8.
12715 JAX-RS @Context injection into ContextResolver failing with NPE
Fix pack 20.0.0.6
\
Fix release date: 12 June 2020
Last modified: 12 June 2020
Status: Superseded

Download Fix pack 20.0.0.6       
Component Security APAR APAR Description
Administrative Console PH25475 After logging in to admin center console, in the web browser console role is getting exposed
General PH25479 JAXRS resource not injecting objects via CDI constructor injection
Liberty z/OS PH25650 Message CWWKO0230I is issued even if the Asynchronous I/O support was not activated
Virtual Member Manager (VMM) PH24423 With SCIM-1.0 feature and LDAP registry, SCIM queries for group members do not deliver the display name for group members
Open Liberty Release fixes
Issue/PR Description
9157 Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
10067 Update JPA to fix EclipseLink bug 618
10236 Update JPA to fix EclipseLink bug 558283
10240 Update JPA to fix EclipseLink bug 558414
10812 Update printSessionManagerConfigForDebug method to include cookieHttpOnly
11773 [openidConnectServer-1.0] incorrect http status code for error response invalid_grant
11795 EclipseLink: Deliver Bug #561664
11882 Missing FunctionMapper
11927 Include user name in CWWKS1773E error message TS003412433
11977 May get an NPE in URLEncoder.encode when OAuth provder gets bad clientId TS003459997
11984 JNDI lookup fails with org.osgi.framework.ServiceException
12019 Application MBean status is not updated when application fails to start
12024 The JCA SharedPool can leak MCWrapper objects
12212 Cached configuration not used in some circumstances
12297 Correct JSP 2.3. Feature File
                                                     
           
Fix pack 20.0.0.5
Fix release date: 15 May 2020
Last modified: 15 May 2020
Status: Superseded

Download Fix pack 20.0.0.5
Component Security APAR APAR Description
Liberty z/OS PH24366 Liberty fails to remove the client address space level RESMGRs when cleaning up Liberty's client structures
Web Container PH20847 Information disclosure in WebSphere Application Server (CVE-2020-4329 4.3)
Web Services Security PH24154 Identify spoofing in WebSphere Application Server (CVE-2020-4421 5.0)
Open Liberty Release fixes
Issue/PR Description
11475 CWWKG0090E seen when using include that worked in previous version
11550 SSL Channel: double release of WsByteBuffer race condition
11582 NPE in OpentracingUtils.lookupAppName()
11590 MetricProducer provides a simple timer and concurrent gauge with the wrong MetricType
11595 SAML SP should use 401 instead of 403 when redirects user to IdP
11682 Social login feature cookies may not use dynamically updated web app security config
11696 Exception during UserTransaction thwarts @Fallback on @Asynchronous method
11716 Changes for issue 11646
11746 Unable to create logger error in server startWinService when WLP_OUTPUT_DIR set in server.env
11750 Correct redirect location.
11755 Update Weld3 to 3.1.4
11767 Lock contention acquiring applicationTracersLock in OpentracingTracerManager.ensureTracer()
11785 intermittent h2 timing test failure
11870 H2 NPE check modification
                                                   
           
Fix pack 20.0.0.4
Fix release date: 17 April 2020
Last modified: 17 April 2020
Status: Superseded

Download Fix pack 20.0.0.4
                                                                                                                                                                       
Component Security APAR APAR Description
General PH23757 EJB persistent timer/deserialized context fails with CWWKC1004E (unavailable context) after mpContextpropagation-1.0 disabled
Install V8 and above PH23517 zosConsoleCommandDisplayWork-1.0 as an auto-feature is not installed
Liberty Archive Install PH23233 NullPointerException when installing the required WLP server's features from local repository
Liberty z/OS PH22112 Display work with zosRequestLogging feature does not count servlet requests
PH23817 gpf in liberty server during shutdown
Web Services Security PH22080 Cross-site scripting vulnerability in samlWeb-2.0 (CVE-2020-4303, CVE-2020-4304)
 Open Liberty Release fixes
Issue/PR Description
4040 Make RC consistent for starting liberty as a Windows Service
4873 Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
8933 Authentication cache fails to find existing Subjects, slowing performance.
9692 Non-English characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9986 Application fails to start because of java.lang.IllegalStateException: Configuration pid com.ibm.ws.app.manager_23 was deleted
10707 Thread safety problem in JSON logging field name mapping code
10986 Invalid JSON data passed to @Path resource method(@Valid MyPojo) yields H500 instead of H400
11043 java.security.AccessControlException: Access denied ('java.util.PropertyPermission' 'org.osgi.framework.bootdelegation' 'read')
11044 custom-login-configuration not honored in java:comp/env bindings without binding-name
11108 mpRestClient-1.3 ignoring hostnameVerifier configuration
11199 EJB Persistent Timer/deserialized context fails with unavailable mp.cleared.context.provider after mpContextPropagation-1.0 disabled
11289 ConcurrentModificationException during JSF application startup
11445 The JarFileClassLoader throws an IllegalArgumentException when defining package com.ibm.websphere.ras.annotation
11454 Remove lock contention and other perf improvements for starting multiple applications
11478 Minor code issue in LdapHelper.getRDN in com.ibm.ws.security.wim.adapter.ldap
11510 Timing window where server loses the ability to run a persistent timer if config update to disable execution overlaps a poll
11534 Async implementation of MP rest client returns CompletionStage of Collection of HashMap but expected CompletionStage of Collection of a user defined type
11535 AdapterUtil.createXAException utility method garbles message parameters
11543 PH22080
                                                   
           
Fix pack 20.0.0.3
Fix release date: 20 March 2020
Last modified: 20 March 2020
Status: Superseded

Download Fix pack 20.0.0.3
Component Security APAR APAR Description
Liberty log analytics and monitoring PH22677 Logstash error when parsing json
Liberty z/OS PH21809 Liberty on z/OS message routing to msglog dd stops unexpectedly
PH21956 JVM crash in zosLoggingBundleActivator.ntv_writeFile()
PH22759 Abend on the z/OS Hard failure Cleanup Thread during server stop processing
Virtual Member Manager (VMM) PH21704 SCIM fails to search when quotation marks are included in search filter
Web Services (JAX-WS, JAX-RS) PH22079 Vulnerability in Apache CXF affects WebSphere Application Server Liberty (CVE-2019-17573)
 Open Liberty Release fixes
Issue/PR Description
8547 Oracle connectionProperties being traced
9588 Fix JWKS behavior that returns cached JWK despite the JWK not having right KID
10310 EclipseLink: Deliver Bug #347987
10510 Thread fails to complete during the quiesce period
10552 Webcontainer Bundle Deactivation causes IO Exceptions for the Cached Plugin-cfg File
10697 LDAP registry and URBridge are not un-escaping double quotation and apostrophes from the XPATH search expression
10712 AsyncResponseImpl.initContinuation() throws NPE when Continuation is null
10730 Javadoc of ConnectionManagerMBean.getJndiName is not accurate
10732 Context-root attribute for server.xml web-ext element ignored
10762 Missing warning when a server element is not present
10867 German translation for 'Logout' incorrect for OIDC applications
10961 Request URL mismatch between scheme and port
10981 Yoko ORB shutdown thread hangs
10996 Error parsing JSON when using ELK with logstashCollector-1.0
11052 Basic registry throws PatternSyntaxException when search for users or groups includes braces
11105 HTTP/2 stream initialization race conditions
11123 Enhance NCSA access log 'enabled' attribute documentation
           
           
Fix pack 20.0.0.2
Fix release date: 21 February 2020
Last modified: 21 February 2020
Status: Superseded

Download Fix pack 20.0.0.2
Component Security APAR APAR Description
General PH10461 When using BYO SSH keys, starting a collective controller keeps appending the ssh key to the authorized_keys file
PH11895 PI81056 did not fully resolve the issue resulting in msg CWWKO0224E (hostname resolution error) during server startup
PH19384 Liberty for z/OS server using optimized local adapters abends in method WOLANativeUtils.ntv_getClientService on shutdown
PH19528 Denial of Service in WebSphere Application Server (CVE-2019-4720)
PH19989 Denial of Service in WebSphere Application Server (CVE-2019-12406)
PH20816 Install of common Java SDK for Liberty on z/OS fails with CRIMA1161E
PH20912 Unable to set samesite cookie option with response.addHeader
PH21213 Unable to install WebSphere Application Server Liberty V8.5 version 20.0.0.1 using IBM Installation Manager
PH21281 Warnings showing the text "Unconverted adapt" appears in server logs
PH21564 java.lang.SecurityException possible from messaging component calls to System.getProperty("line.separator")
PI93822 EJB auto-link fails for java:global with beanName provided
Open Liberty Release fixes
 
Issue/PR Description
8015  Delay TCP Port starts until server is initiailized
9085 ServletCacheEngine ignore cache for App using default context root
9157 Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
9512 OIDC RP does not reject requests that match more than one filter
10067 EclipseLink: Deliver Bug #618
10142  Installing mpHealth 1.0 and 2.0 features together causes NullPointerException
10189 Fault Tolerance reports an internal error when an asynchronous method returns null
10196 H2 close with error produces invalid state
10236 EclipseLink: Deliver Bug #558283
10238 Default logging format not being set when using an invalid console/message logging format
10240 EclipseLink: Deliver Bug #558414
10243 Pull in MYFACES-4311 and add a FAT
10248 JsonB provider not found when loaded from library
10293 Test Failure: com.ibm.ws.testing.opentracing.test.FATOpentracing.testImmediate
10310  EclipseLink: Deliver Bug #347987
10337 Java Batch: Error reported when JMS job dispatch message is redelivered
10384 Support for SameSite attribute in Set-Cookie header is needed
10393 PersistentTimerCoreTest.testDisabledLateTimerMessage FFDC indciates missing doPriv on abort
10397 Retry port opening according to configurable number of retries
10426 requestTiming-1.0: servletTiming server configuration does not work with servlet-4.0
10461 Basic registry throws PatternSyntaxException when search filter contains paren
10462 LDAP registry throws InvalidSearchFilterException when principalName search filter contains paren
10508 Avoid using System.getProperty("line.separator") in messaging code
10559 Need to quit warning about strange cookies sent from IBM ID
10578 oidcclient does not expand ID attribute after 19.011
10582 JAX-RS 2.0 ExceptionMapper is ignored when using mpOpenTracing
10587 Yoko ORB shutdown thread hangs
10604 Wrong encoding for special characters (Swedish language)
10702 Decompression Ratio Support
           
Fix pack 20.0.0.1
Fix release date: 24 January 2020
Last modified: 24 January 2020
Status: Superseded

Download Fix pack 20.0.0.1
Component Security APAR APAR Description
Liberty System Management PH20161 OpenAPI Swagger UI vulnerability (CVE-2019-17495)
Web Services (JAX-WS, JAX-RS) PH18762 Add support for gzip encoding
 Open Liberty Release fixes
Issue/PR Description
6956 Liberty depends on the ps command during shutdown
8563 Pull in MyFaces 2.3.6
8773 OIDC Client Requests Tokens with the same auth code
9281 auditUtility command/script file not found in /bin directory.
9307 Error message when MP Open Tracing feature is enabled but not in use
9441 Auto-features which depend on kernel features do not get installed
9943  Map the Spring Boot application's context root to the application's welcome page (index)
9516 Unfriendly user error message displayed and user is blocked from signing in to their application when their liberty session expires
9602 H2 Synchronization problem with tests that are sending duplicate frames
9679 H2 intermittent error when upgrade fails
9708 For a batch job with partitioned step, the PartitionReducer's afterPartitionedStepCompletion gets ROLLBACK on normal completion.
9798 Handling logging out of mp jwt flow introduces an error
9824  Cannot distinguish opaque token that contains two dots from JWT
9848 Resource adapters might fail to start with Bean Validation 1.1 and CDI 1.2 enabled.
9886 Unresolved module com.ibm.ws.rest.handler.validator.jca
9904 javax.servlet.ServletRequest.getParameterValues returns null in Jaxrs applications
10006 service.ranking can be removed from com.ibm.ws.persistence defaultInstances.xml
10030 H2 connection error causes server timeout
10144 Add additional support for range attributes on Active Directory Ldap searches
10165 Fault Tolerance messages not output
10178 Resource leak when installing features through Gradle on Windows
10215 CXF cannot process a gzip encoded SOAP response
10228  Rest Client for MicroProfile loses entity on POST requests with status code 202 response
Fix pack 19.0.0.12
Fix release date: 13 December 2019
Last modified: 13 December 2019
Status: Superseded

Download Fix pack 19.0.0.12
Component Security APAR APAR Description
Liberty Administrative Center PH18799 WebSphere Liberty is vulnerable to a Cross-site scripting vulnerability in the Admin Center  (CVE-2019-4663)
 Open Liberty Release fixes
Issue/PR Description
8395 Remove obsolete com.ibm.ws.webcontainer.channelwritetype from Liberty's metadata and web container properties
9228 LDAP registry returns error code 21 when updating boolean values
9293 Opentracing can cause jaxrs exceptions to not be logged
9386 NullPointerException when using dynamic filter to add mapping for servlet name
9455 HTTP/2 malformed requests should cause stream reset
9499 FFDC when Exception thrown by user code proxied using ContextService
9545 Test Failure: junit.framework.TestSuite.com.ibm.ws.cdi12.fat.tests.SessionDestroyTests
9596 Relax criteria for calling out an FFDC when dealing with the Selector logic
9607 NPE in the SIP Container when a Digest challenge does not contain the `algorithm` field
9625 Unable to load LibertySSLSocketFactory during transaction recovery
9676 Class transformers can fail if a class is loaded from the shared classes cache
9692 Non english characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9825 JNDI literals parsing too verbose
           
           
Fix pack 19.0.0.11
Fix release date: 15 November 2019
Last modified: 15 November 2019
Status: Superseded

Download Fix pack 19.0.0.11
           
Component Security APAR APAR Description
General PH11427 Service call by service.Create() does not time out in 30 seconds
PH17678 Man in the middle vulnerability in OpenSAML (CVE-2014-3603)
PH18113 Add Apache HttpClient library
PH18282 SCIM API fails to retrieve a group or user with a forward slash in the DN
JavaServer Pages (JSP) PH13983 Information disclosure in WebSphere Application Server (CVE-2019-4441)
Liberty z/OS PH18715 java.lang.StringIndexOutOfBoundsException exception in com.ibm.ws.zos.registration.internal.ProductManager.start
Security PH18751 Exceptions when using keystore ID="defaultkeystore" after upgrading to fix pack 19.0.0.9 on z/OS
PH29291 NullPointerException might be thrown during EJB invocation on 19.0.0.9
Open Liberty Release fixes
Issue/PR Description
4387 Runnable JAR execution fails when WLP_USER_DIR env var is set to "other" location with CWWKE0005E
7701 Pull in MyFaces 2.3.4
8152 TAI negotiateValidateandEstablishTrust called twice during authentication.
8196 7234-TRACENPE COMMIT1
8404 Confidential for Security Integrity fix CVE-2014-3603
8860 jwkRetriever should not require an sslSocketFactory if using http
8899 federatedRegistry-1.0 group membership may use a repository that does not participate in the realm
9085 ServletCacheEngine ignore cache for App using default context root
9122 Remove additional ; in WebApp.java
9129 Update Commons BeanUtils to 1.9.4
9130 Header Key retrieval fix for case sensitivity
9132 correct certain JSP messages
9143 NullPointerException might be thrown when the security audit is enabled for ejb.
9380 IllegalStateException in JMX Connector RESTHandler from call to getWriter
9416 Add Apache HttpClient v3.1 library
9436 RACF SDBM LDAP registries may encounter OperationNotSupportedException
9437 Test Failure (20180702-1422): com.ibm.ws.jdbc.fat.v41.JDBC41Test.testTransactionTimeoutAbort
9441 Auto-features which depend on kernel features do not get installed
9451 Fix Intermittent NullPointerException on TCP trace during shutdown
9472 H2 Intermittent NPE in HttpOutputStreamImpl.flushHeaders()
           
           
Fix pack 19.0.0.10
Fix release date: 18 October 2019
Last modified: 18 October 2019
Status: Superseded

Download Fix pack 19.0.0.10            
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH05014 Null CDI Bean results in a NullPointerException thrown in Apache WebBeans code
General PH16611 Multiple vulnerabilities in HTTP/2 implementation used by WebSphere Application Server Liberty
Intelligent Management Component PH16337 Liberty OIDC is not working with dynamic routing plug-in
Liberty z/OS PH14100 Out of storage condition caused by a leak in LSCL causing rc12 Reason Code 24 from BBOA1CNG
PH16940 Liberty servers abend with an ABENDSEC3 RSN=20000800 when a Liberty server is shutdown using force or similar
Security PH15518 Multiple vulnerabilities in WebSphere Application Server Liberty (CVE-2019-4304, CVE-2019-4305)
WebSphere Compute Grid PH13367 Job Partitions reported failing due to a deadlock on Java Batch Job Repository tables
WMQ messaging providers PH13286 Provide mechanism to disable 1PC optimization
Open Liberty Release fixes 
Issue/PR Description
7767 Expose JSF MyFaces Implementation classes as third-party
7849 The JWK retriever does not remove stale JWK from cache
8532 Deadlock issue when using persistence batch framework
8597 Federation of a custom UserRegistry (CUR) results in different behavior than when stand-alone
8612 export jsf-2.3 impl classes as third-party
8614 export jsf-2.2 impl classes as third-party
8736 Case TS001514963: requestTiming does not show all SQL queries
8808 OIDC RP does notHTTP Auth header as containing a valid OIDC id_token
8840 CWIML0514W occurs using uppercase group DN on getGroups
8863 Failure to parse multiple comma separated links in an HTTP Link header on a Jaxrs Response object
8886 GA Fault Tolerance - Metrics 2.0 integration
8903 When JACC is enabled, annotated role mapping is not enforced properly.
8951 OperationNotSupportedException: [LDAP: error code 53 - R000128 Filter is not supported (sdbm_search:1413)]
8979 requestTiming-1.0 feature does not work in OpenLiberty
9021 JSF File Descriptor leak in DefaultFaceletFactory
9033 Erroneous CWWKL0058W warning when multiple JARs in library have META-INF/services
9069 Web Admin Security Updates
9079 Terminate misbehaving HTTP/2 connections
Fix pack 19.0.0.9
Fix release date: 20 September 2019
Last modified: 20 September 2019
Status: Superseded

Download Fix pack 19.0.0.9
Component Security APAR APAR Description
Liberty Debug and Tracing PH15280 Leak of RACF ACEE control blocks in Liberty server
Liberty Kernel PH17088  Apache Commons Compress denial of service vulnerability (CVE-2019-12402)
PH17796 ConfigHash value in plugin-config.xml causing parsing issues
Liberty z/OS PH15877 Angel stops without detecting active Liberty servers
Security PH15505 Collectives keystore mismatch
WebSphere Compute Grid PH10566 Issues with remote partition restart if server crashes
 Open Liberty Release fixes 
Issue/PR Description
7600 social login linkedin flow is broken and needs updating
8169 ProfileManager.getImpl call ignores realm allowOpIfRepoDown setting
8219 Support direct HTTP/2
8473 webAppSecurity overrideHttpAuthMethod set to BASIC or FORM does not function
8546 HTTP/2 trailer improvements
8561 CWIML4564I informational message lists wrong LDAP server.
8647 java.lang.IllegalStateException when running Liberty wlp-webProfile7 19.0.0.8
8761 Java Batch: Remote JVM partitions not restartable after executor shutdown
8793 Custom fields not logging when using LogRecordContext and field names contain underscores
           
Fix pack 19.0.0.8
Fix release date: 23 August 2019
Last modified: 23 August 2019
Status: Superseded

Download Fix pack 19.0.0.8
Component Security APAR APAR Description
Database Access, Connection Management, Merant/DataDirect drivers PH15281 Postgres SQL Large Object API blocked
Liberty z/OS PH13341 The --clean action is ignored when WLP_ZOS_JOBNAME is set
Security PH15089 A login might be required for unprotected resources when none of TAIs processed a request
Sessions and Session Management PH13932 "Using collection QEJBASSN for session persistence." is always output with startup of Liberty servers
Virtual Member Manager (VMM) PH14786 Using non ASCII characters (ex. Chinese) in an SCIM filter fails
Web Container PH14619 ServletContext.getRealPath() should not return null for nonexistent files
Open Liberty Release fixes 
Issue/PR Description
5035 Update ServletContext.getRealPath() behavior
7521 Call Class.forName() within doPrivileged block from WASURLObjectFactoryFinder
8085 HttpServletMapping.getPattern is not correct for /* mapping
8128 Clean up URIMatcher40 and ServletWrapper
8141 Adding mpConfig-1.3 feature while the server is running does not install the configuration feature properly
8250 OIDC discovery endpoint does not emit the revocation endpoint
8252 Eclipselink: Fix bug 547173
8274 WSOC: fix a read during close timing window.
8277 login process is carried out for unprotected resources even TAI does not intercepts a request
8304 Loose application with MP Health not picking up changes after recompile - GM 19.0.0.7
8307 Error on edit for OAuth client with no secret
8339 openidconnect emits httpclient spurious log warnings for certain cookies
8346 Liberty 19.0.0.7 Blocks *all* Large Object API functions for Postgres
8401 Add doPrivileged block in WASInitialContextFactoryBuilder for class look up
8449 content-length header should not be required for HTTP/2 requests
8458 Channel framework chains not closing down before timeout
8460 8458 - Loop until cfw chain is closed
8474 PushBuilder should ignore headers with null values
8482 URBridgeEntity uses NLS message key, REQUIRED_IDENTIFIERS_MISSING, which is not defined
           
Fix pack 19.0.0.7
Fix release date: 25 July 2019
Last modified: 25 July 2019
Status: Superseded

Download Fix pack 19.0.0.7
Component Security APAR APAR Description
Liberty Administrative Center PH13994 Clickjacking vulnerability in Liberty Admin Center (CVE-2019-4285)
Security PH13970 After updating to 19.0.0.4, SESN0008E errors started occurring
Systems Management Functions PH13649 Invalid command line optional parameter (--hostName) with "collective help addReplica"
Virtual Member Manager (VMM) PH13757 SCIM 1.0 returns HTTP 404 return code for user search
Open Liberty Release fixes 
Issue/PR Description
5337 NullPointerException in BridgeUtils seperateIDAndRealm(...)
6158 Pull in MyFaces 2.3.3 once it is released
7539 Federated Repositories LoginBridge does not handle output property mappings that are multi-valued
7552 JPAContainer incorrectly sets App Classloader as the CCL
7612 Scrub error response for unwanted characters
7670 IllegalArgumentException in MP Metrics from timing issue
7854 WSLogManager static fields not properly initialized in jdk7
7871 Fix NPE in WebAppSecurityCollaboratorImpl when invoking web resource using custom HTTP method
7888 socialLogin needs to produce choice menu with one provider and localAuth enabled
7920 WASReqURL cookie path is not set when the context root of an application is set to root
7984 When Auditing function is enabled, it is potential that SRVE0777E error is logged
7986 Memory leak when stopping applications
8034 NullPointerException in UniqueNameHelper.getValidDN
8096 After updating to 19.0.0.4, SESN0008E errors started occurring
Fix pack 19.0.0.6
Fix release date: 28 June 2019
Last modified: 28 June 2019
Status: Superseded

Download Fix pack 19.0.0.6
Component Security APAR APAR Description
Channel Framework PH13269 Delay ALPN init until required and free ALPN resources on connection errors to prevent OutOfMemory
Liberty Debug and Tracing PH11759 Performance drops when writing a large amount of log entries to Liberty console log
Liberty z/OS PH12644 Keys are not stored in ICSF with triple-length PCICC format
Security PH07530 A NullPointerException is thrown during SAFKeyRingNotificationMbeanImpl initialization
Web Services Security PH11031 OAuth runtime emits error when adding EXTENDEDFIELDS column many times
Open Liberty Release fixes 
Issue/PR Description
6317 JAX-RS request context modified after client request
7207 EclipseLink: Deliver Bug #421056
7433 Avoid inferring caller in LogRecord.getSourceClassName and getSourceMethodName when processing System.out calls
7440 Investigate possible difference in values between Prometheus and JSON format metrics
7632 EclipseLink: Deliver Bug #421056 pt2
7634 Session time based write option not honor small time interval
7695 java.sql.Connection's network timeout not getting set to the correct value
7831 Timing issue between deleted configuration and configuration store
Fix pack 19.0.0.5
Fix release date: 31 May 2019
Last modified: 31 May 2019
Status: Superseded

Download Fix pack 19.0.0.5
Component Security APAR APAR Description
General PH11801 Liberty 19.0.0.3 cannot start Java health center starting with IBM JDK 8.0.5.31
Security PH08972 Liberty on z/OS message CWWKS2934E issued during initialization is confusing when it does not reflect final status
Systems Management Functions PH11844 Joining a member to a back level controller fails when the collective uses a collective-wide ssh key
Open Liberty Release fixes 
Issue/PR Description
6095 Ability to extend the size of the log buffer beyond 8k on WebSphere Application Server Liberty Profile
6391 Building .tar.gz server package fails on Windows
7307 redirectcontextroot=true and redirected secure page causes null
7332 remoteIp "proxies" Default Regex Adjustment
7407 Better handle private headers during message deserialization
7434 NullPointerException in MethodAttribUtils.getXMLCMCLockAccessTimeout
7441 NullPointerException in AppDefinedResourceFactory
7448 NPE in LTPAConfigurationImpl.loadConfig
Fix pack 19.0.0.4
Fix release date: 3 May 2019
Last modified: 3 May 2019
Status: superseded

Download Fix pack 19.0.0.4
Component Security APAR APAR Description
Liberty z/OS PH10537 SMF 120 subtype 11 and 12 records should report the value of cvtzcbp
PH10538 The RCVTID is not available to Java applications deployed in Liberty
Messaging Providers PH06340 Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046)
Security PI91146 Liberty runs unnecessary authentication logic when TAI is configured
Open Liberty Release fixes
Issue/PR Description
1338 invokeForUnprotectedURI triggers unnecessary authentication
5376 LdapConnection getAttributesByUniqueName() throws EntityNotFoundException for existing user
6756 Initial requests with custom method (including PATCH) fail with HTTP/2
6982 JAX-RS 2.1 Performance
6987 Redirect Scheme and Port Mismatch
7044 Externalize ThrowIOEForInboundConnections httpOptions
7052 mpFT 2.0: Circuit Breaker metrics updated incorrectly when non-failure exception thrown
7071 Outbound SSL Connection IOException
7080 FT 2.0: Circuit breaker does not correctly restrict executions when in half-open state
7083 Using Automatic WorkQueue for Async JAX-RS responses
7102 Improve BNF Header Storage
7171 inherited templated transient views raising "unable to create views" exceptions
7184 Test Failure: EEConcurrencySpecTest.testListenerInvokeAnyWithTimeout Future.get interrupted during taskDone with CWWKC1120E
7211 getManagedConnection: illegal state exception. State = STATE_INACTIVE after abort due to transaction timeout
7260 Problems with resolution of environment variables
Fix pack 19.0.0.3
Fix release date: 5 April 2019
Last modified: 5 April 2019
Status: Superseded

Download Fix pack 19.0.0.3
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH09834 java.lang.VerifyError on OpenWebBeans with Java 8 update 11 and 7 update 65
EJB Container PH08828 OutOfMemory in InjectionEngine cache
General PH09657 Usage Metering discards metrics on HTTP 500 response from metering service
PH12825 TransactionScoped observers do not fire
Java Message Service (JMS) PH07036 Potential Spoofing vulnerability in WebSphere Application Server (CVE-2018-1902)
Liberty Administrative Center PH06250 Accessability section 508 compliance for admin center
Liberty z/OS PH09140 Liberty server request failures after the angel process is canceled
Web Container PH08872 The servletRequeset.getContextPath() might return a different context path when using with OIDC client application.
Web Services (JAX-WS, JAX-RS) PH09634 The policy-attachments-server.xml file under WEB-INF is not processed
Web Services Security PH09651 OpenID Connect client authzParameter and tokenParameter values not updated when dynamically removed from server configuration
 Open Liberty Release fixes
Issue/PR Description
4300 DefaultExtensionProcessor file.not.found message does not contain default message that takes a parameter
6019 ApplicationManager startTimeout blocks startup when app is missing
6129 Fix Java 2 Security issues with JSPs
6246 Apply "useAuthenticationDataForUnprotectedResource" to jwtSso cookie
6255 jsonp-1.1 API dependencies incorrect
6295 ClassCastException when using binaryLog with --monitor
6317 JAX-RS request context modified after client request
6360 Filter out embedded server dependencies for Spring Boot 2.1.x
6407 Test Failure (20190101-0221): com.ibm.ws.kernel.boot.ServerStartAsServiceTest.testWinServiceLifeCycle
6521 Generic types are lost in MP Rest Client and JAX-RS clients due to bug in JsonBProvider
6527 Stack overflow scheduling new ManagedScheduledExecutor task from task
6573 Application exceptions should not be wrapped in EJBException
6628 Command line variables are not working on windows
6641 ClassNotFoundException thrown during sessionPostInvoke
6659 ServletRequest.getContextPath() might return wrong value when OIDC app is in used
6668 Externalize maxOpenConnections tcpOptions
6725 Using slash slash comment in JSP expression spanning lines can get JSP error
6727 JSP slash slash comment fix
6761 Custom JAX-RS ParamConverter does not work for collection and array types
6768 Using slash slash comment in JSP expression spanning lines can get JSP error, Java7 compatible
6790 Loading classes from multi-release jars does not work
6812
HTTP request header "If-Modified-Since" parsing fails with IllegalArgumentException if default Locale is not
US
6822 Automatic EJB Timer creation skipped if database tables do not exist
6868 WebContainer: make code more service deactivate aware
6951 ClassNotFoundException during JSF initialization
6953 Tolerate missing ps
Fix pack 19.0.0.2
Fix release date: 8 March 2019
Last modified: 8 March 2019
Status: Superseded

Download Fix pack 19.0.0.2            
Component Security APAR APAR Description
General PH07896 Liberty server start hangs on "CWWKZ0018I: Starting application" when thread pool max size is set
Liberty z/OS PH08209 Add support for CICS 5.5 for WebSphere Optimized Local Adapters
PH08497 Message ICH408I is not generated when user lacks access to profile prefix in appl class
PH08753 Ship assembler DSECT that maps SMF 120 subtype 11 z/OS connect user data
Security PH08030 Changes needed in the SAFAuthorizationService API
Virtual Member Manager (VMM) PH08428 NullPointerException is thrown when creating a SCIM user with missing name
Web Services Security PH06141 Multipart/related SOAP part Content-Type issue
PH08466 OAuth introspect endpoint does not return correct issuer if OpenID Connect provider configures issuerIdentifier
PH09706 Liberty OIDC message numbers CWWKS1754 through CWWKS1759 are duplicated
Open Liberty Release fixes
 
Issue/PR Description
4975 Destroy of aborted connections and removal from the pool
5094 Fix NPE in servlet cleanup for WebSocket request
5833 The federatedRepositry-->primaryRealm-->defaultParents element should support multiple occurences in the server.xml
6017 Auto plugin generation is inconsistent with OSGI applications
6183 Incomplete SRVE0279E message
6273 JAX-RS clearing RuntimeContext for server side message when resource invokes a client
6287 Add default value to the remoteIp "proxies" attribute in the metatype.xml of the HTTP Channel
6298 Update WebContainer.getCacheManager() to avoid NullPointerException
6323 Invalid archive files no longer prevent apps from starting
6348 Fix 500 error when servletPath is NULL
6371 Handle exception on call to connection.abort
6381 WLP 18.0.0.4 fails to rotate trace log on Windows
6408 Fix for connection wait timeout message not being translated.
6427 Connection wait time does not dynamically change to 0
6452 showPoolContents waiting connection requests value is incorrect
6490 Test Failure (20190203-0423): PolicyExecutorTest.testConcurrentUpdateMaxWaitForEnqueue
6518 Redundant log file in workarea after sever start with errror: java.lang.IllegalArgumentException: The property 'osgi.configuration.area' ... is being overriden ...
6524 SSL Channel throws NullPointerException during stress
Fix pack 19.0.0.1
Fix release date: 8 February 2019
Last modified: 8 February 2019
Status: Superseded

Download Fix pack 19.0.0.1
Component Security APAR APAR Description
General PH02684 Add an openIDConnectClient configuration option to allow token reuse
PH07247 Unnecessary HttpHostConnectException FFDC logged for usage metering
JavaServer MyFaces (JSF) Apache MyFaces implementation PH06135 JSF 2.0 throws a NullPointerException during server shutdown
PH06389 JSF can leak JarFiles causing problems with application removal
Liberty z/OS PH05262 Calling request.login() from a servlet does not sync the ID to the thread
PH07190 It is difficult to debug problems when the Liberty server connects to a earlier angel process
PH07213 Ship assembler dsects for smf120 subtype 11 and subtype 12 records
PH07486 Liberty generic MODIFY HELP output is too verbose
Web Container PI80786 Http 500 is returned from a request with too many parent directories (forward slashes) in the url
PH05787 ConcurrentModificationException
Web Services Security PH07297 Denial of Service vulnerability in Guava (CVE-2018-10237)
Open Liberty Release fixes
Issue/PR
Description
3553 Set 400 status code for invalid URI
3645 User ID is not synced to the thread during HttpServletRequest.login()
4809 Remove internal designation/updates for servletPathForDefaultMapping/make servlet-4.0 default / tests
5077 3645 sync user during login
5341 Modify default ldapRegistry-3.0 read timeout to be 1 minute
5772 AppClassLoader does not correctly handle null response from ClassFileTransformers
5785 CWWKS9582E: The [defaultSSLConfig] sslRef attributes required by the orb element with the defaultOrb ID have not been resolved within 10 seconds.
5798 H2: Separate Continuation Frame Checking Between Read And Write
5862 ConcurrentModificationException happens when a web application receives a large number of requests immediately after it starts.
5963 DataSourceDefinition, ConnectionFactoryDefinition, and AdministeredObject properties should not be path normalized
5970 trackLoggedOutSSOCookies setting causing multiple login failure
5976 ConcurrentModificationException from ReferenceContext starting web application
5983 5785-orbssltimeout2-commit1
5992 JarFiles never released by JSF
6020 Fix Open Liberty Windows Service name in server.bat
6036 PollingDynamicConfig tasks can be leaked
6042 Hot update broken in 18.0.0.4
6058 Invalid connection pool Prometheus metric format (monitor, mpMetrics)
6073 OL 18.0.0.4 server package does not package loose application as war
6113 Pull MYFACES-4251 to JSF 2.3
6123 Trace Specification logging level "off" does not work
6152 NamingException masked when listing entries in a JNDI context
           
                                             
           
Fix pack 18.0.0.4
           
Fix release date: 14 December 2018
Last modified: 14 December 2018
Status: Superseded

Download Fix pack 18.0.0.4            
           
                                                                                                                                                                                                   
Component Security APAR APAR Description
DynaCache PH02049 Cross-site scripting vulnerability in cache monitor (CVE-2018-1767)
General PH02212 Application with CDI 1.2 in Liberty 18.0.0.2 fail to start
PH02361 WebSphere Liberty OIDC client implementation is proxy-unaware
PH02742 NPE when doing direct forward operation
PH02750 java.lang.classCastException occurs in OidcClientImpl.logout
PH03409 Seemingly erratic thread pool growth during low or no-load situations after upgrading to 18.0.0.1
PH04652 WebSphere Application Server Liberty for z/OS provides no metrics for usageMetering-1.0
PH04653 Updated CPU limit (--cpus) not recognized by usage metering feature
PH05071 JVM hang when calling GarbageCollectorMXBean.getLastGcInfo for usageMetering-1.0
PH06256 CWWKS1739E: A signing key required by signature algorithm [RS256] was not available when upgrading to 18.0.0.3
PI97786 eclipselink throws "argument type mismatch" for jpql case expression
PI99263 ServletContext.getRealPath() returns null for resource in extended document root
Install V8 and above PH03040 Fixpack 18.0.0.3 cannot be installed on IBM i
PH04137 Updating WebSphere Liberty for z/OS to fix pack 18.0.0.3 fails with NullPointerException
JavaServer Pages (JSP) PH02063 Potential security bypass in WebSphere Application Server with Expression Language library (CVE-2014-7810)
Liberty z/OS PH02955 Unable to use SAF Keyring for collective SSH communication
PH03549 When the zosWlm-1.0 feature is enabled. the health indicator of the server is only ever set to 2 percent
PH03768 EntryNotFoundException SAFGRP is not a valid group
PH04243 EC3 abend reason code 20F00600 occurs after a 422 abend
PH04282 Error authenticating when Liberty server tries to connect to a back-level angel process
PH05100 OutOfMemory failure in Liberty under CICS when connected to an angel process
Messaging Providers PH00027 After migrating to WebSphere Application Server V9, the CWSID0046E error is seen in the logs
Systems Management Functions PH03232 Incorrect server state reported in a multicontroller collective
Virtual Member Manager (VMM) PH02811 Privilege escalation vulnerability in WebSphere Application Server (CVE-2018-1901)
PH04136 Attempt to create user in SCIM returns 500 HTTP status code with DefaultParentNotFoundException message
PH04147 Attempt to update user ID in SCIM returns 500 HTTP status code with IllegalArgumentException message
Web Services (JAX-WS, JAX-RS) PH02234 Issue when processing the caller token for UsernameToken
PH03014 A property is set in the RequestContext but the interceptor does not read this property resulting in a NullPointerException
Web Services Security PH03004 CWWKS1721E: The resource server received an error it was attempting to validate the access token z/OS Connect EE
PH05414 OpenIdConnect client subject might not contain Id Token
WebSphere Compute Grid PI87244 Firewall prevents the Liberty Java batch tool from displaying job logs

 Open Liberty Release fixes

Issue/PR
Description
1438 JAAS login module shared library is missing protection domain
2663 PH00738 Session scoped beans are not updated in the database when liberty is configured to only persist updated session attributes
3113 ArrayIndexOutOfBounds in LdapConfigManager.setFilters()
3919 Future does not return immediately when timeout fires when using timeout with Async
4132 full tmp dir prevents server from reading server.env during startup
4135 Pull in MyFaces 2.3.2 once released
4202 Migration of JMS delivery delay.
4332 Need to fix first line of output from Liberty JSON log format to actually be JSON
4535 LogRecordContext API is missing from /wlp/dev/api/ibm jars
4760 Expose a couple of packages to the thread-context in jsf-2.3
4792 Fix BundleContext is no longer valid error on server shutdown
4853 Provision compatible javax.annotations API for SpringBoot applications
4873 Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
4898 H2: fix some HTTP/2 code and test issues uncovered by further parallel stream stress testing
4912 Fix missing doPriv in unwrap
4913 JSR375: When JASPIC is enabled, a login panel pops up even EVERYONE role is assigned
4955 Externalize multiple httpOptions
4960 Faces servlet mappings defined in web-fragment.xml do not work - jsf-2.2
5045 Add a recursion counter for messagehandlers into BaseTraceService
5076 NullPointerException in ClassLoadingServiceImpl
5088 SpringBoot applications fail to start when a non jar file is in the library directory
5094

Fix NPE in servlet service which may happen when WebSocket is used
5114 Test Failure (Liberty - Mac EBC - 20180915-0112): PolicyExecutorTest.testStartTimeout
5126 HTTP/2 engine must tolerate priority frames received in any state and better handle flow control problems
5149 update openidconnect client way of sending credentials to userinfo endpoint
5154 Flush queued actions when an app is removed
5164 /metrics output got truncated on Japanese locale
5244 MYFACES-4252 Classpath._searchDir can throw NullPointerException
5277 Fix Java 2 Security access issue in kernel DefaultFileStreamFactory
5293 Deadlock in ZipFileArtifactNotifierImpl
5339 H2: Fix race condition in multi-stream writing logic
5345 Improve our serviceability around page search and chasing referrals for Ldap
5363 MP Rest Client does not honor MP Config-specified providers
5383 Occasional HTTP/2 MessageSentException: Message already sent
5395 SSL config not used by RestClient
5425 JAX-RS Client does not pool HTTPS connections
5428 Fix bug in server package server-root command
5441 JMSContextInjectionBean uses deprecated CDI method
5453 Microprofile appProperties element not showing up in schema
5465 Pull MYFACES-4260 to both jsf-2.2 and jsf-2.3 features
5483 release bug: implement PH02361 in development stream
5498 When using advanced connection manager property numConnectionsPerThreadLocal and connection fail during cleanup, the connection managers connection pool may fail to remove failing connections resulting in no connections being available.
5510 Deliver fix for CVE-2014-7810
5557 OpenId Connect clients might exhibit a thread leak
5560 MessageSentException intermittently during flushBuffers
5585 EJB timer ScheduleExpression serialization incompatibility
5590 Failed to createMinimumEscapeHandler for unknown jaxb class
5637 Expose jsf 2.3 org.apache.myfaces.push.cdi to thread context class loader
5647 Fix --include default to have /usr for server and shared folder
5779 Too many threads during low-load operation
6002 CWWKS1739E error may occur when using OpenID Connect in 18.0.0.3
                       
                                                   
           
Fix pack 18.0.0.3
           
Fix release date: 21 September 2018
Last modified: 21 September 2018
Status: Superseded

Download Fix pack 18.0.0.3            
           
                                                                                                                                                                                                   
Component Security APAR APAR Description
General PH00304 The maximum connections setting of a data source's connection pool is not  always honored
PH01447 Improvement to SSL Closing Handshake
PH01499 APAR for OLGH4402
PH01610 Application fails to start due to JAXBEXCEPTION after upgrading to 18.0.0.2
PI99176 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1683)
PI99600 AccessControlException thrown when connecting to Health Center with Java 2 Security enabled
PI99672 Remove the first_rows hint from Oracle V10+ pagination queries
Intelligent Management Component PH00735 Null Pointer Exception when HTTP or HTTPS ports blank in server.xml
Java Persistence API (JPA) PH01681 Then and else expressions should be case result instead of case operand type
Liberty z/OS PH01179 Duplicate entries of the BBGZSCFM module are listed in the output of IPCS LPAMAP
PI96910 ICH error messages are not issued during Liberty startup when checking for access to BBG.SECPFX.* and APPLl profiles
PI97659 Display memlimit value and source as well as region information in Liberty log at startup
PI98758 Setting enablefailover to false for the safregistry can produce misleading messages if authorized services are not available
PI99411 The Liberty message log DD is not configurable
Security
PH01295 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755)
PI97676 Message CWWKS1100A may be misleading
PI99285 User login fails when configuring zOS mapDistributedIdentities
Systems Management Functions PH00435 Collective controller logs NoSuchElementException from LivenessMontiorV2
PH00566 Member should fail over after continuous 2 minutes sendHeartBeat failure
PH00730 The unnecessary information should not be generated in repository dump file
PH00926 Collective repository dump should include non-sensitive host and jmx auth information to help diagnose issues
Virtual Member Manager (VMM) PH00881 SCIM does not return paged results for requests that do not include the 'count' parameter
PH01668 SCIM incorrectly returns 500 on MaxSearchResultsExceeded
PH01863 SCIM updates to users can result in attributes being marked for deletion that were not designated for deletion by the request
PI99257 Requests to SCIM to retrieve a resource by ID that do not include an ID result in an 500 HTTP status code
PI99317 Request to SCIM "groups/{ID}" endpoint specifying "members" attribute does not return the group members
Web Container PH00448 A CWWKE0702E message is printed when the webCache-1.0 feature is enabled
Web Services (JAX-WS, JAX-RS)
PH00401 Potential man-in-the-middle attack in WebSphere Application Server Liberty for JAXWS(CVE-2018-8039)
PH01221 Potential man-in-the-middle attack in WebSphere Application Server for JAXRS (CVE-2018-8039)
Web Services Security PH12959
OAuth provider does not update settings in the consent cache
PH03418 Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty (CVE-2018-1851)
PI95405 Liberty may not find key in JWK by x5t
WebSphere Compute Grid PH02256 File access exceptions when running a Java Batch application with syncToOSThread enabled

Open Liberty Release fixes

Issue/PR
Description
2489 Global error when there are no registries available (Ldap,etc) for VMMService
2659 Capture security context from Java Batch thread when syncToOSThread is enabled
3422 Check for override of default configuration and ignore
3489 MP Rest Client does not use Liberty SSL config when making outbound requests
3522 Update Xalan library
3853 basicRegistry-1.0's 'ignoreCaseForAuthentication' attribute does not apply to getUsers(...) method
3952 Add global error when user registry is not found
4002 Incorrect CWWKZ0022W messages printed with VirtualHost Usage
4016 Quiesce should not be blocked by application start
4028 Liberty 18.0.0.1 startup issues with Arabic locale
4040 Make RC consistent for starting liberty as a Windows Service
4044 Server failure before framework startup can leave JVM running
4158 Need to squelch "Could not obtain lock" errors appropriately
4186 Need to improve config dropins processing
4203 In 18.0.0.2 an IllegalArgumentException can occur when "maxParamPerRequest="-1"
4211 Java 2 security issue in org.apache.cxf.transport.https.HttpsURLConnectionFactory
4244 Add global error when user registry is not found
4272 When a thread is interrupted waiting for a connection from the connection manager, maximum connections will be decremented.
4275 NPE in JAXRS client when OpenTracing is included
4310 Spring boot application deployment in Liberty throwing Class cast exception
4341 PageControl's 'startIndex' is not honored when 'size' is greater than results
4345 Add doPrivileged code for InetAddress related activity in messaging
4346 Add doPrivileged code for InetAddress related activity in IIOP
4368 ConcurrentModificationException when a JAXRS API has multiple consume and/or produce MediaTypes
4392 Fix server hang issue when bootstrap.properties variable is incorrectly specified
4402 Format problem with logs when traceFilename=stdout and traceFormat=ENHANCED / BASIC
4462 NonPersistent EJB timer dying if timeout throws exception on last retry
4465 RejectedExecutionException: Trigger.getNextRunTime: null creating EJB timer
4505 SSL Closing handshake improvement
4521 Install kernel does not throw exception if already installed features are specified again with a different capitalization
4530 Install kernel map installs features without wlp/bin and wlp/dev contents
4531 ManagedScheduledExecutor tries to run tasks during server shutdown
4550 Injection race condition in JAX-RS during startup
4609 Maven features should provide transitive dependencies for stable API, third-party API
4619 PersonAccount's and Group's get(String), isSet(String), and unset(String) methods may throw NullPointerExceptions
4666 Correct getServletPath for default mapping
4712 release bug: mpjwt JsonWebToken.getAudience() return type noncompliant with spec when no audiences present.
4717 Update Yoko to favour CSI endpoints
                       
                                                   
           
Fix pack 18.0.0.2
           
Fix release date: 29 June 2018
Last modified: 29 June 2018
Status: Superseded

Download Fix pack 18.0.0.2            
           
                                                                                                                                                                                                   
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PI92477 WELD-2447 ClientProxy serialization support should be container agnostic
PI95074 WELD-2466 null pointer exception in webservice calls
DynaCache PI94514 NullPointerException occurs using a MetaDataGenerator
EJB Container PI95215 MessageEndpoints are notProperly released
General PI95821 StabilizeProduct Insights Enablement
PI96187 Update bluemixUtility command for data sovereignty regulations
PI96735 Access log "maxfiles" attribute not working as intended with value of 0
PI97234 APAR for OLGH2631
PI99031 Garbage collection events not captured by logstashCollector-1.0 for IBM Java 8 SR 5 FP 6 and above
Intelligent Management Component PI92330 CWWKS2910 error when using dynamic routing in Liberty on z/OS with SAF security
Java Persistence API (JPA) PI92847 JPQL with trim is not handledProperly and it results in DatabaseException
PI93064 EclipseLink throws ORA-00932 for CLOB fields in an ElementCollection
PI94027 EclipseLink JPQL generation for nested arrays with 'in' expression
PI95283 EclipseLink InsertObjectQuery concurrency failure
PI95766 db representation of boolean values withPostgres is incorrect
PI97483 Eclipselink re-sorts insert and removes statements within a transaction
PI97786 Eclipselink throws "argument type mismatch" for JPQL case expression
JavaServer MyFaces (JSF) Apache MyFaces implementation PI93972 Classloader issues in JSFExtensionFactory can cause NPE
PI94947 Update of composite component within ui:repeat does not work
Liberty Administrative Center PI98574 If Liberty Admin Center was accessed via reverseProxy,the Liberty server made an unnecessary request back to theProxy server
Liberty z/OS PI82554 WebSphere Liberty AngelProcess does not identify its version and fix pack level during start-up
PI90719 Command line script to detect if commandPort is enabled, for use duringPause/resume request
PI93922 SMF120-11 timeused and starttime is only set for a forwarded servlet
PI95864 Specifying an angel name of "" for the server does not register server to default angelProcess
PI96813 It is difficult to automate WebSphere Liberty from messages on the z/OS console
PI96954 Liberty on z/OS memory leak in 64bitPrivate due to native DirectByteBuffer support
PI97611 ABEND0C1 in ntv_getAngelVersion with WebSphere Liberty version 18.0.0.1
Security PI89624 CWWKS4106E: LTPA configuration error in Liberty
PI95717 suppressUncoveredHttpMethodWarning configuration does not work
PI96014 Authfilter in Liberty not matching when multiplePaths are defined
PI96597 There is an issue with the cache
Systems Management Functions PI95994 Deploying docker container as liberty collective member failed with error "already appears to be a member."
PI97924 Improve the error handling of a Collective join command using sshPrivateKey option
Virtual Member Manager (VMM) PI96814 SCIM returns HTTP status code 500 whenPassed an invalid filter
Web Container PI93226 SRVE0266E : Error occured while initializing servlets:java.util.ConcurrentModificationException
Web Services (JAX-WS, JAX-RS) PI97288 Attachments behavior change in Liberty after migrating from tWAS
Web Services Security PI94599 Intermittent NPE in SocialLogin feature when a running server is reconfigured
PI96012 Client authentication JWTS require "sub" claim
PI96884 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1553)
WebSphere Compute Grid PI90716 Liberty z/OS CWWKY0035I: An exception occurred while trying toPersist job java.lang.IllegalStateException: no match found
PI90961 Liberty on z/OS: Batch JMS dispatcher change to lazy access of connection factory
PI93514 JobPurge request deletes the batch db records even when the executor JVM is stopped
PI98247 After batch events config change,atchManagerZos hangs waiting for job completion; batch job log events notPublished correctly
PI98295 The dispatch (JMS) message for a stopped job can, if later consumed, cause a later restart execution of that job to fail.
PI99138 Repeated delivery of Batch job dispatch JMS message resulting in ClassCastException each time


Open Liberty Release fixes

Issue/PR
Description
1261 LDAP registry with global class mapping in groupMemberIdMap adds "objectclass=*" to Group searches
2792 On restart of a Java Batch job, deserialization fails when checkpoint objects contain array type fields
2877 JSP engine unable to find tag files within loose JAR file
3045 Send and receive Strings in SIB messages using strict UTF8
3102 In 18.0.0.1, the minify option is not making the runnable JAR package any smaller
3103 Access Log "maxFiles" attribute not working as intended with value of 0
3106 Kernel Service MBeans not properly exposed
3127 Federated repositories does not restrict the names of extended properties
3132 Package `com.ibm.websphere.kernel.server` is not exposed as IBM-API
3140 Default app classloader ProtectionDomain set by common libraries
3160 AsyncIO native direct ByteBuffer leak
3198 Avoid full deserialization within ObjectMessage.toString()
3226 NullPointerException from EJSContainer.postInvoke() method
3233 Close streams for repositories represented by a single JSON file
3248 Add mapping of all JSP files in web module into the generated_web.xml
3280 Test Failure (20180420-0319): LoadTest.testCommitAndRollback RuntimePermission denied for WSJdbcTracer invoking newProxyInstance
3383 ldapRegistry-3.0 does not configure a read timeout for JNDI connections
3490 PI96086 - Nested EJB Async method calls not honoring nested get(timeout, unit) timeouts
3520 suppressUncoveredHttpMethodWarning does not work
3533 Redeploying WABs leads to OutOfMemoryError
3577 JAXRSClientImpl.target(UriBuilder) fails with IllegalArgumentException when client built with input containing a template variable
3578 Batch runtime should only transition to InstanceState.JMS_CONSUMED from JMS_QUEUED state.
3700 java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc.PgPreparedStatement.getLargeUpdateCount is not yet implemented.
3739 Failure to load JPA PersistenceServiceUnit used by Batch feature using V2 version of JobInstance entity.
3752 Connection leak if failure occurs while managed connection is being constructed
3779 Update EclipseLink binaries from 2.6.6.WAS-3e5c71a to 2.6.6.WAS-0ab4033
3785 Security exceptions thrown when trying to use IIOP with Java 2 security
3851 JAX-RS Client APIs fail when attempting PATCH method over HTTPS on IBM JDK
3889 Validate paths within WAR files
                       

Back to top                                                  

           
Fix pack 18.0.0.1
           
Fix release date: 16 March 2018
Last modified: 16 March 2018
Status: Superseded

Download Fix pack 18.0.0.1            
           
                                                                                                                                                                                                   
Component Security APAR APAR Description
General PI93106 Product insights attempts to send usage after failed registration
Java Persistence API (JPA) PI92398 Under certain conditions OpenJPA can insert an embeddable into the Datacache map
PI95871 Wrong context Classloader in org.apache.openjpa.enhance.pc
JavaServer MyFaces (JSF) Apache MyFaces implementation PI87954 Hung thread issue in MyFaces _getMetaDataTarget
PI90391 Fix bug MyFaces-4045 in IBM myfaces implementation
Liberty Administrative Center PI93411 Saving changes to member's configuration files via Admin Center's Server Config tool get applied to the controller instead
Liberty Kernel PI94763 Fileupload causes NullPointerException on getHeader() call
PI94116 Open Liberty rollup for 18.0.0.1
Liberty OSGi Application PI88291 Slow start of the web services and error during the startup of the services
Liberty System Management PI92311 Memory leak in liberty swagger library during application stop/start
Liberty z/OS PI91275 Add an informational message to WebSphere Application Server Liberty on z/OS logs to indicate which angel process is used
PI91511 SMF 120-11 UserData added from a filter does not show up in the final SMF record
PI92070 WebSphere Application Server Liberty on z/OS WOLA CICS link server fixes for RTXSYS and RTX parameters
PI92171 An intermittent performance degradation is observed with CICS v5.4 and Liberty 17.0.0.3 compared to Liberty 17.0.0.1
PI92868 WebSphere Application Server Liberty on z/OS crash in CICS BBOATRUE during shutdown when embedded Liberty servers are at a mix of 16.0.0.3 and 17.0.0.3
Security PI86784 Enable the function of enforcing URL hostname verification as an attribute on the ssl element of server.xml
PI90980 Potential spoofing vulnerability in WebSphere Application Server (CVE-2017-1788)
PI91500 GetUserPrincipal().getName() returns garbled user ID on 17.0.0.3
PI92764 Message CWWKS3005E issued when a Federated repository is configured
PI94094 SAF API doc missing from Javadoc package in Liberty
Sessions PI93474 Remove SessionManager instance when application is stopped
Systems Management Functions PI92781 A Liberty collective controller sometimes logs a NullPointerException
PI92828 Liberty collective intelligent management features may fail to function correctly intermittently
Web Container
PI90804 Security vulnerability in Apache Commons FileUpload used by WebSphere Application Server (CVE-2016-1000031)
PI92334 Application class loader is not set correctly in a thread during an async operation
Web Services (JAX-WS, JAX-RS)
PI92494 Potential denial of Service in WebSphere Application Server Liberty for JAXWS(CVE-2017-12624)
PI92886 Policy attachments not working as expected
Web Services Engine PI92386 High CPU usage on Liberty when using IBM JDK
Web Services Security PI88321 Liberty always honors RelayState during IdP-initiated SAMLWeb SSO
PI93303 CICS_REGION_BUT_API_DISALLOWED surfaces using OAuth-2.0 feature
PI93579 exp' is earlier than the 'iat' in OIDC token
PI96273 Some 404 and 500 errors in OAuth or OpenID Connect might expose configuration information


Open Liberty Release fixes

Issue/PR Description
Add stop command to readme file
Informative error message for collision with reserved resource adapter ids
Challenge when using request.authenticate with BasicAuthenticationMechanismDefinition
LDAP paging failure recovery reuses cookie when switching failover servers
Improve CDI performance by not loading too many classes
Readd ability for hot replace for trace injection for IBM Java 8.0.0.6+
MyFaces-4045 JSF 2.2 flow reentrancy fix
RememberMe cookieName needs to support EL expressions
Corrections to AnnotationTargetsImpl_Targets.isInstanceOf
Fix Java 2 Security problems with Bean Validation 2.0 code
Pull in MyFaces-4177 to JSF 2.3
Fix for resetting autocommit for non transactional datasources
Grant Hibernate validator accessPrivateMembers permission by default
Channel.ssl FFDCs thrown during server shutdown
Description of runIfQueueFull should refer to relation with maxPolicy
Pull in MyFaces-4066 to JSF 2.3
Fix and test issue where a connection error occurs on a free connection
Fix JPA 2.2 Bindings Files
Bean Validation CDI extension fixes
Pull in MyFaces-4176 - Search expression fails to resolve component outside of form
PI91306: UriInfo.getMatchedResources() does not return resource class information
Update EL handling in database and LDAP identity stores
PI87504: JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Release JACC policy context in post invoke
Try to remove an existing SAF map before adding one
Update Bean Validation 2.0 descriptions to mention providers used
Thread context propagation for managed completable future
In beans.xml, element causes ProcessAnnotatedType<> events to not fire
Cannot register a second (synchronized) handler with an already active logging source
ConcurrentModificationException when both Console and Message JSON handlers are configured
If the command port is disabled when issuing a pause or resume request from the server script, issue a message saying so
Fix Java 2 Security errors in LogUtils by ensuring getClassLoader calls are in doPriv
Improve synchronization mechanism between BaseTraceService and MessageLogHandler
Property com.ibm.ws.jaxrs.client.disableCNCheck not honored
Fix NPE that may occur when multiple CDI-injected servlets are specified in the web.xml for a JAXRS application with load-on-startup specified
Fix IOException not closing socket
Fix JSF _ComponentAttributesMap performance issue
Address CVE-2017-1000208 vulnerability in Swagger Parser for MicroProfile OpenApi
Improve performance when JAX-RS applications are updated
Web binding overrides are not properly recognized with autoExpand apps is enabled
Fix exception when parsing faces-config-extension element
Cannot use app-defined for Bean Validation
SQLServer JDBC driver not recognized when defining a dataSource on
Fix for JDBC getClass().getInterfaces() method calls
Fix NPE in EJBAsyncRuntimeImpl.modified when updating asynchronous config
Fix BundleException Cannot connect region 'system.bundle' to itself
ServerEndpointControlMbean returns true when isPaused is called with an empty target
Resource.getRequestPath returns incorrect path in JSF 2.3
JDBC pool manager must avoid caching values obtained from the managed connection factory
Fixed JASPIC error and exception messages
Fix Java 2 Security errors related to JAX-RS getServiceReferences() and getService() methods
Fix context class loader in servlet async dispatch or runnable
Make consoleLogLevel default to an env variable setting first
Fix NPE that could occur during MyFaces validation
AccessControlException from JAX-RS 2.0 when servlet filter is used
No longer WARN on 404 Not Found
Fix writing of single-file-repositories
PushBuilder.push error conditions updated
AccessControlException from the EL API when using JSF 2.3
Java 2 Security issues in batch-1.0 feature
WebSockets for non-secure BASIC_AUTH adhere to session invalidation
Avoid overwriting updates made to the session cache by another thread
Implement HttpServletResponse.getTrailerFields()
PI93226: ConcurrentModificationException during application startup
Fix Java 2 Security issue with package minify
Remove SessionManager instance when app is stopped
Update HttpServletResponse setTrailerFields error conditions
Ensure header names are non empty and accept empty header values
Retrieve all values on multi-valued LDAP properties
Return the correct HttpServletMapping during include, async and when using a named dispatcher
Fix org.apache.myfaces.flow.cdi.FlowScopeBeanHolder incompatible across versions
Handle null/empty contracts in JAX-RS Client.register(...) calls
Fix CWWKS4106E: LTPA CONFIGURATION ERROR IN LIBERTY when using PKCS11Impl provider 
Fix for garbled User Principal when binary data is retrieved from registry
Throw IllegalStateException in SseEventSink.send when SseEventSink is closed 
Fix batch runtime table version determination
Close JAX-RS sink on exception
Fix ConcurrentModificationException during app startup
Product information for replaced products should not be displayed
Issue warning message when it is determined security not present
Fix ConcurrentModificationException during app startup
Fix JSON output of JSON console (remove duplicate basic messages and abide by consoleloglevel)
Fix java.lang.NullPointerException in AccessLogger
Fix NPE that can occur with certain logging configurations
                       

Back to top

Fix pack 17.0.0.4
Fix release date: 21 December 2017
Last modified: 21 December 2017
Status: Superseded

Download Fix pack 17.0.0.4
 
Component
Security APAR
APAR
Description
EJB Container
PI89936 Vulnerability in Apache Commons affects EJB Embeddable Container and JPA Client (CVE-2015-7450)
General PI80333 Support CPU constraints in ProductInsights
PI82233 Non-daemon threads are created with remote EJB using the IIOP transport
PI82510 Liberty appserver automatically decompresses the bodies of incoming http-soap messages
PI82557 TCP Channel access lists not documented
PI84016 OpenJPA orm.xml default schema used over 'openjpa.jdbc.Schema' property
PI84349 Liberty Oauth 2.0 may encounter a SQL syntax error for the option "LIMIT" during cleanup
PI84428 ArrayIndexOutOfBoundsException from OpenJPA for query on EmbeddedId
PI85402 EclipseLink does not recognize Java 9 platform
PI86208 Cannot decode IOR due to ClassCastException
PI86321 Liberty OpenID Connect Relying Party does not handle large id_tokens in implicit logins
PI86840 Eclipselink generates sequence IDs incorrectly for @EmbeddedId classes that are shared across multiple entities
PI86914 Correct mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
PI87557 Null pointer exception when TAI returns NULL TAIResult
PI87565 OutOfMemory issues from webcontainer component WebComponentMetaDataImpl
PI88051 Application reload when a JSP file under WEB-INF is updated
PI88485 The groupProperties membershipAttribute does not work when filters exist
PI88618 CWPMI0010W was found in the messages.log
PI88620 Performance degredation when federating SAF registry
PI89003 Help tet for the BatchManager listJobs command is unclear
PI89041 FFDC java.lang.IllegalStateException: Module has been uninstalled. occurs when dynamically configuring Liberty
PI89278 Incorrect value of FreeConnectionCount
PI89446 Product Insights throws NullPointerException
PI89584 Certain early startup and product script messages are not properly translated into non-English languages
PI89672 OutOfMemoryError in ArrayList containing objects of type com.ibm.ws.logging.internal.impl.IntrospectionLevelMember
PI90013 30 second delays for remote EJB when running as a collective member
PI90154 BluemixUtility fails to create/delete instances of Watson Discovery service
PI90282 CWWKB015E IWMEJOIN return code 2,135 during servlet read listener
PI90699 ProductInsights errors after resuming from 'sleep' state
Java Persistence API (JPA) PI80863 Issue with the way OpenJPA caches and reuses query parameters for BETWEEN expressions when OpenJPA's QueryCache property enabled
PI81260 OpenJPA does not pass-through SSL connection properties that set using openjpa.ConnectionProperties when creating Db2 connection
JavaServer MyFaces (JSF) Apache MyFaces implementation PI88288 jsf-2.0 MyFaces error handling cannot be enabled in production project stage
PI88850 High CPU issues from org/apache/myfaces/
PI89168 Protected-view not working in Liberty 16.0.0.4
PI89363 ProtectedViewException for a protectedview access while checking the OriginJeader for appContextpath
PI90507 Instances of action listener in a FaceLet are not being removed until app shutdown
PI90509 Fix for MYFACES-3752
Liberty Application Services PI69483 Removing IBM-App-ForceRestart header causes applications not restarted
Liberty Kernel PI90930 Open Liberty Rollup for 17.0.0.4
Liberty z/OS PI86596 Removal of possibly misleading FFDC z/OS liberty Async Servlet support
PI90060 Messages occurring very early at startup are not printed to the MVS console when requested in the zosLogging configuration
PI90429 When starting a Liberty server as a started task on z/OS from the server script there is no option to specify a job name
Performance Monitoring Tools PI81367 java.lang.ClassNotFoundException dumped in the FFCD log file when PMI monitor feature is enabled
PI87599 ConnectionPoolStats MBean was not available if enabled the trace with com.ibm.websphere.monitor.*=all
Security PI88769 Liberty 17.0.0.2 is throwing ClassCastException when calling ibm_security_logout with Extreme Scale feature enabled
Session Initiation Protocol (SIP) Container PI78794 The SIP Container fails to parse a message when the size exceeds 2048 bytes and double CRLF is sent before the message
PI79119 With number.of.parse.errors.allowed set to -1 WebSphere drops well formed requests
Systems Management Functions PI81552 Application state becomes stale at the Liberty collective controller
PI83274 Incorrect collective member status shown in Admin Center
PI88296 Password protected ssh keys cannot be used for remote host authentication
Web Services Security PI84359 OIDC WASReqURLOidcp cookie constantly grow when LTPA token expired
PI89103 OpenSAML used by WebSphere Liberty contains XML external entity (XXE) vulnerability (CVE-2013-6440)
PI89575 LTPA cookie is not created in certain single sign-on scenarios
WebSphere Compute Grid PI88583 In WebSphere Liberty 17.0.0.x Java batch executor fails with CWWKS0800E error

Back to top

Fix pack 17.0.0.3
Fix release date: 17 October 2017
Last modified: 17 October 2017
Status: Superseded

Download Fix pack 17.0.0.3
 
Component
Security APAR
APAR
Description
Dynamic Cache PI78148 SRVE0014E from servlet caching
PI78552 DYNA1064E is logged on some dynacache APIs when the underlying cacheprovider does not support disk caching
EJB Container PI87472 EJB remote injection fails with NPE if ORB not yet available
Federated Repositories PI05723 Handle long data type from VMM for extended properties
PI79440 NullPointerException in URBridgeXPathHelper.getExpression()
PI79452 NPE in LdapConfigManager.getSupportedProperties()
PI81497 When one base DN is the subset of another in a federated repository, LDAP failures occur
PM95697 LDAP contexts getting leaked after first connection exception
General PI77400 BBOA1INV Fails with RC = 8 RSN = 44, FFDC invalid group name returned
PI80363 Allow configurable maxFieldLength in the logstashCollector
PI80397 Remote EJB call with the same object in multiple arguments fails
PI80932 WSCredTokenCallbackImpl class is not visible to applications
PI81056 Liberty server needs to retry starting the TCP channel after error CWWKO0224E due to hostname resolution error
PI81124 Closing websocket session throws NullPointerException
PI82101 Task retry not immediate after XAResource rollback
PI82109 Provide support for CICS 5.4 in WebSphere Optimized local Adapters
PI82218 JAX-RSResponses contain unnecessary Cxf-Content-Language header
PI82296 AsyncContext.comple() fails when called from a readListener
PI82327 java.lang.RuntimePermission error when destroying an upgradeHandler
PI82364 For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
PI82556 AppSecurity-2.0 does not include trustAssociation in Liberty
PI82672 productInsights does not register embedded WebSphere
PI82684 During server shutdown, if ProductInsights is trying to complete its first registration it may not cancel all of its tasks
PI82994 filenotificationmbean may not notify the listener
PI83111 Monitor function of AdminCenter does not display the correct value of "used connections"
PI83159 JAX-RS resource methods report as not found when using scientific notation as path parameters
PI83439 ClassCastException thrown when using remote EJBs in servlet with parent-last classloading
PI83516 Using reference-listener along with service factory causes TransactionManager errors
PI83682 ProductInsights not reporting used JVM memory correctly
PI83713 Path template variables in JAXRS 2.0 do not support scientific notation
PI83901 The context ClassLoader is not getting set properly when loading CDI extensions at app startup
PI84036 JAX-RS Client must access endpoints via authenticating proxy
PI84083 Usage data is not queued if connection to Bluemix Product Insights host fails
PI84327 WebSphere Application Server Product Insights does not send in group name translations
PI84487 Certificate login does not work with custom user registry on Liberty
PI84842 The application's classloader is leaked when restarting the app
PI85373 Open Liberty Rollup for 17.0.0.3
PI85490 Deadlock caused by WsLogManager and SIB trace code
PI85492 Commit of HTTP response in render_response(6)
PI85683 Register Windows service and start/stop service for Liberty fails if it is installed in directories names with a space
PI85783 Accumulation of org.apache.cxf.transport.http.osgi.HTTPTransportActivator objects
PI85910 OIDC does not recognize x5c tag in JWK
PI86198 Inconsistent aliasing between --jobParameterFile and --jobPropertiesFile in the batchManager and batchManagerZos CLI
PI86443 Use of the JAX-RS multipart media type results in a java.lang.ClassNotFoundException: javax.ws.rs.core.MediaType
PI87119 NullPointerException caused by external port component configuration
PI87467 CDI injection into JAX-RS classes is broken when using multiple apps and one app is not CDI-enabled
PI87504 JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Install V8 and above PI88170 Block installUtility/featureManager install userFeature '--to=core'
Java 2 Connectivity (J2C) PI82859 Incorrect value of connectionPoolstats
PI86100 Intermittent sharing scope for data sources being created at the same time on two different threads
PI87470 Unable to install resource adapter using loose configuration file
Java Message Service (JMS) PI81329 NCSA access logs %B option output displays "-" instead of the size of the response in bytes
PI81864 ConcurrentLinkedList tailsequencenumberlock garbage collected
Java Persistence API (JPA) PI77555 Eclipselink scrollable cursor results in a ClassCastException
PI80863 OpenJPA caches and reuses the query parameters for BETWEEN expressions when OpenJPA's query cache is enabled
PI81260 OpenJPA does not honor SSL connection properties for DB2
Java SDK PI85250 Hung thread issue in myfaces _getMetadataTarget
PI86494 Messages returned from JSF APIS are in the incorrect order
JavaServer MyFaces (JSF) Apache MyFaces implementation PI82893 JAVAX.FACES.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL value affects display behaviour for required fields
PI87299 Information disclosure in Apache MyFaces affects WebSphere Application Server (CVE-2011-4343)
PI87300 Information Disclosure in WebSphere Application Server in JSF (CVE-2017-1583)
JavaServer Pages (JSP) PI82529 HTTP transport encoding CP943C is used for JSTL params
PI83486 StackOverflowError generated due to the JSP TabLibraryCache recurses into loadWebInfMap with the value "/WEB-INF"
Liberty Application Services PI87139 Configuration updates blocked by application restart
PI87468 Schema lists invalid attributes for resource adapters and EJB applications
Liberty Debug and Tracing PI83872 NullPointerException in MultipleCriteriaFilter when retrieving logs from Liberty binary log
Liberty Kernel PI87138 Synchronization in ConcurrentServiceReferenceElement creates a performance bottleneck
PI87471 Potential NullPointerException ServerXMLConfiguration.parseDirectoryFiles
PI87480 AccessControlExceptions in Liberty kernel code
Liberty System Management PI85828 Correcting algorithm for collective deployment using a local file
Liberty z/OS PI78510 .pid directory created with wrong permission settings
PI78787 WOLA ACEE copied from CICS invalid for TSS
PI79017 z/OS connect cannot read request that came in with transfer-encoding=chunked
PI79034 For products that embed Liberty, some bootstrap.properties do not take effect at server startup
PI82088 Prevent Error loop when TDQ is unavailable for write
PI83503 WebSphere Liberty servers with zOS connect failing to start with abend 0c4 in wolanativeutils.ntv_activatewolaregistration
PI85520 Message CWWKO0229I is not issued when asynchronous I/O is configured
Messaging Providers PI83027 Default threadpoolstats data cannot be retrieved due to InstanceNotFoundException
Performance Monitoring Tools PI80861 The Japanese translated message for TRAS0115W is incorrect
Security PI73345 Distributed identity mapping not working in Liberty z/OS
PI84335 PasswordUtil API classes are not packaged in a separate PasswordUtil.jar file
PI84597 Liberty z/OS trace includes unnecessary information
Servlet Engine/Web Container PI81052 JSF portlets may not be able to obtain a session ID
PI88642 Information disclosure in WebSphere Application Server (CVE-2017-1681)
Virtual Member Manager (VMM) PI79223 In Liberty VMM user registry cannot get groups for user from LDAP
PI81923 LDAPRegistry contextPool defaults do not match documentation
PI81954 LDAPRegistry attributesCache and searchResultsCache default timeout set too low
PI85208 LDAP registry cache is not used in some cases to retrieve cached attributes
PI85213 Federated repository may not use UniqueGroupIdMapping outputProperty when calling userRegistry.getUniqueGroupID
PI85214 Federated repository passes internal properties to customRepository implementations
PI86719 The LDAPRegistry contextPool timeout setting does not timeout after the configured time
PI87461 Federated Repositories is returning principal name instead of unique name for getUserSecurityName
PI87466 ArrayIndexOutOfBoundsException is thrown when groupMemberIdMap inside ldapRegistry is empty
Web Container PI83141 WebContainer performance issue when under high load
Web Services (JAX-WS, JAX-RS) PI64462 NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocalProviders.getContextResolver()
PI86914 Correct Mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
Web Services Security PI62735 The groupId(s) get lost in id_token and introspection
PI68809 WebSphere Application Server XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
PI78760 OIDC IDToken updates to the "sub" field do not take effect
PI80166 OIDC provider does not recognize custom realmname from token
PI80689 Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
PI80741 OpenID Connect (OIDC) cookie not fully removed
PI80963 Refresh tokens are issued unconditionally even for clients that do not require them
PI94351 Secure flag is not set on the Liberty WASOidcCode cookie
WebSphere Compute Grid PI72923 CDI injection of Java batch jobcontext fails with npe in the absence of an active job on the current thread
PI81200 StepListner.afterStep cannot catch an exception thrown by ItemProcessor.processItem
PI84639 batchManagerZos not available after minified server is extracted
PI86175 Prevent job start and restart of the same job from occurring simultaneously
PI86193 Support message delay/priority for Liberty Java Batch

Back to top

Fix pack 17.0.0.2
Fix release date: 13 June 2017
Last modified: 13 June 2017
Status: Superseded

Download Fix pack 17.0.0.2
 
Component
Security APAR
APAR
Description
Channel Framework PI85709 Add watchdog timer to write waits on closing
Contexts and Dependency Injection (CDI) PI72811 Allow excluded alternatives
PI77286 Vetoed EJBs throw NullPointerException
PI77514 CDI observer for @initialized(applicationscoped.class) is not called inside jar
PI79787 Prevent WebSphere internal packages from being exposed to applications
PI80901 Version numbers in symbolic names are too fine grained and can cause failover to fail between different versions of Liberty.
PI82020 WeldTerminalListener is not registered
Database Access, Connection Management, Merant/DataDirect drivers PI80335 DSRA8020E Error is thrown when using IBM i Toolbox JDBC driver with WebSphere Liberty
EJB Container PI77856 EJB 3.x Stub class throws RemoteException for communication failure
PI79261 Deadlock with persistent EJB timers for Singleton beans
General PI71956 CWWKE0108I is written to stdout
PI74918 The umask values is not shown in the server logs
PI75258 The CICS Link server abends when unable to write to a TS Queue
PI75280 Attributes missing from the element httpOptions and throws warning message
PI75512 Cleanup up websocket connection when outbound connection attempt fails at the app server
PI75590 Corrections are needed to the documentation in the Knowledge Center
PI77605 JAXRS Client APIs do not use configured SSL settings
PI77615 JAXRS application start fails with ClassNotFoundException when JSPs are specified in web.xml
PI77976 ConstraintViolationException when using @Valid annotation
PI78177 When a websocket connection is closed while reading data an object leak might occur
PI78260 Liberty jaxb-2.2 feature does not expose some xlxp2 packages
PI78738 Loop while closing an SSL connection
PI79260 ProductInsights reports incorrect product version and host name
PI79275 JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.
PI79391 ContainerRequestContext.hasEntity() returns true for a GET request.
PI79987 Endpoint MBean information does not update when server.xml <httpEndpoint> is modified
PI80082 JAX-RS 2.0 OPTIONS methods are not invoked when used in sub-resource locator classes
PI80256 AccessControlException thrown when finding resources if Java 2 security is enabled
PI80285 For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
PI80314 Support for product insights in embedded server
PI80315 The productInsights-1.0 does not support BASE ILAN edition
PI80514 A jndiEntry config element with a value of "0" is parsed as a java.lang.String but should be a java.lang.Integer
PI80631 Access Log file and ELK time stamps are not the same
PI80632 Messages with digits in prefix of message ID have a blank messageId field in logstashCollector
PI80719 Websocket race condition on writing data while closing can hang a thread
PI81082 java.lang.ClassFormatError: JVMCFRE074 no Code attribute specified; is thrown
PI81086 NullPointerException thrown when using a JAX-RS provider class without a public constructor
PI81396 Unable to register a liberty server with product insights though an authentication required proxy
Intelligent Management Component PI80237 Null return codes for health actions cause NullPointerException
Java 2 Connectivity (J2C) PI78463 After configuring a connection factory for CICS RAR, the server issues J2CA8501E
PI80357 JMS connection factories defined through annotations can fail to allocate connections
PI81549 When using SQLJ context caching, auto commit and/or transaction isolation level become inconsistent
PI81717 The WaitTime provided by the ConnectionPoolStats MBean is in nanoseconds when it should be (and is documented) in milliseconds
PI81840 Bean Validation 1.1 @DecimalMin and @DecimalMax constraints inclusive property not working
Java Persistence API (JPA) PI76834 Unable to use DB2 XML data type with EclipseLink JPA; Null pointer produced
PI76902 NoSuchMethodException when a program is using CONCAT function
PI78643 Eclipselink JPA/Auditing capablity in EE Environment fails with JNDI name parameter type
PI79397 org.omg.CORBA.BAD_OPERATION when running a select SQL statement
PI81076 ServerSession numberOfNonPooledConnectionsUsed can become invalid when Exception is thrown connecting
JavaServer MyFaces (JSF) Apache MyFaces implementation PI79562 Leading '/' in JSF context param-value throws StringIndexOutOfBoundsException
PI80535 ClassNotFoundException due to classes not being exported to the thread context
JavaServer Pages (JSP) PI79800 The JSP Engine is not processing EL expressions correctly when they are in large blocks of character data
PI80319 Failure to parse tag library when the taglib is defined in the application
Liberty Application Services PI66702 Multi-address corbaname URLs do not fail over to the second address when the first address server is down
PI81297 Application fails to initialize at startup with error CWWKZ0021E
Liberty Debug and Tracing PI80225 JUL Traces do not show up in logstash collector / bluemix log collector when binary logging is enabled
PI80844 Failure if running binaryLog view serverName from wlp/usr/servers directory
Liberty Kernel PI78072 A server start may receive a java.util.MissingResourceException if started with a disabled command port
PI78444 The server schema incorrectly includes some internal configuration attributes
PI79123 ConfigUtility command line tool loosing equals sign on parameters ending with equals sign
PI79878 Server create command (using Java 8) overwrites server.env file
PI80744 SPI class, PathUtils is not normalizing leading double slashes
Liberty Log Analytics and Monitoring PI80363 Allow configurable maxFieldLength in the logstashCollector
Liberty z/OS PI77988 Update needed in module BBGZAFSM
PI78510 .pid directory created with wrong permission settings
PI78787 WOLA ACEE copied from CICS invalid for TSS
PI78970 When the z/OS connect EE server is stopped and restarted, CICS issues an abend at the time of the WOLA rebind
PI80072 Message CWWKB0392W is issued when the OTMA client name is specified in the zosLocalAdapters connection factory properties
PI80252 The size of the Java heap grows over time when using the MSGLOG DD
PI80650 Memory leak in SP132 KEY8 causes OUTOFMEMORY in Liberty
PI80988 WebSphere OLA(WOLA) service request issues return code=8, reason code=96 when called from an IMS CCTL region
PI82088 Prevent error loop when TDQ is unavailable for write
Performance Monitoring Tools PI79203 The monitor-1.0 feature may not be able to monitor user runtime components
PI80861 The Japanese translated message for TRAS0115W is incorrect
Security PI72472 WSCredTokenCallbackImpl returns null even when token exists
PI75111 Admin center does not work with AccessControlException after enabling Java2 security
PI77129 MYFACES-3415 - [UI:REPEAT] Field value disappears if validation error exists on current site
PI77770 Potential cross-site request forgery with WebSphere Application Server enabled with OAuth (CVE-2017-1194)
PI78245 An authData element without an ID causes a NullPointerException in the logs
PI78445 CWWKS9580E message might be logged after modifying the CSIv2 configuration
PI78730 Intermittent CWWKS9520E message issued when CSIv2 is enabled
PI79444 AccessControlException when using the servlet log method
PI95544 NPE thrown in method authorizeEJB()
Sessions and Session Management PI73188 Session activeCount shows a negative value
PI81007 Incorrect messages were thrown at System output console when using JMX connector
Systems Management Functions PI66988 Running collective command in z/OS results in FSUM7332 syntax error
PI78497 When trace is enabled extra information is being included in the controller's trace file
PI80320 apiDiscovery urls may not update properly on Liberty Admin Center
Virtual Member Manager (VMM) PI78192 UserRegistry methods that throw RuntimeExceptions can cause federated repository failures
PI79888 An sslRef on an LDAPRegistry without matching ssl config causes security init failure
PI80547 Federated Repository's participatingBaseEntry element does not allow name attribute to be empty string
PI81519 In WebSphere Liberty, the context pool timeout value is not honored on the LDAP Registry
PI81555 The ldapRegistry feature does not properly process LDAP entities with RDN values that contain characters that need escaping
PM76997 VMM certificate authentication fails when DN contains non-default X509Certificate attributes
Web Container PI75166 TAI cannot obtain the SSL endpoint information using direct connection
PI76699 Provide an option to override the default values for the ESI properties in the plugin-cfg.xml
PI76891 Exception from com.ibm.ws.webcontainer.osgi.mbeans.PluginGenerator during server stop
PI77629 NullPointerException if login is required to access a servlet which uses a ReadListener.
PI78193 Returned default html error page has extra closing tags
PI78633 Access control exception due to read permission of a property from Cookie class
PI79334 Unexpected error when an application is initializing during server stop
PI80313 Enable Post Data to be read multiple times.
PI80668 ServletException when creating a servlet, filter or listener from a ServletContextListener with Java2Security enabled
PI81688 Plugin config file generation fails after a configuration update is made to a Liberty server when it is running
Web Services (JAX-WS, JAX-RS) PI77438 JAXB context creation is very slow in Liberty during Web service load test
Web Services Security PI76629 Add authentication option to JWK endpoint invocation
PI78760 OIDC IDToken updates to the "sub" field do not take effect
PI80166 OIDC provider does not recognize custom realmname from token
PI80689 Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
PI80741 OpenID Connect (OIDC) cookie not fully removed
PI81403 An error may occur if the string representation of a subject includes an ID token that contains a claim with a non-string list
WebSphere Compute Grid PI78436 Using batch injection in joblistener results in NullPointerException
PI79686 Slow response when using batchpersistence in Liberty
PI80634 When trying to stop an already completed job the error message does not return with the correct jobInstanceId
PI80635 CDI implementation does not support batch artifact loading via batch.xml

Back to top

Fix pack 17.0.0.1
Fix release date: 14 March 2017
Last modified: 14 March 2017
Status: Superseded

Download Fix pack 17.0.0.1
 
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI35470 Message bean instances injected with the CDI @New annotations are not @PostConstruct'ed
PI55406 IllegalAccessException is emitted from InvocationContextImpl
PI62583 IllegalArgumentException in CreationalContextImpl only when trace is enabled
PI73139 CDI would not inject classes from a war file into an ear lib in single classloader mode
PI75915 CDI failover does not work if bundles have different OSGI qualifiers
Database Access, Connection Management, Merant/DataDirect drivers PI73351 DSRA0080E refers to original exception message {0} instead of actual message
PI76168 After global transaction ends, the reported auto commit value can be inconsistent with the Oracle JDBC driver
General PI68233 SSLSessionTimeout is not recognized as a valid attribute for sslOptions element
PI71616 configUtility find or install throws a NoClassDefFoundError when using local repository
PI73277 EclipseLink 2.6.3 does not support JPA-convertor for primitive data types
PI74721 Errant timeout can occur with async sends in WebSockets
PI75015 Memory leak in JAX-RS client.
PI75022 Failure to parse a java.util.Date object when creating a new javax.ws.rs.ServiceUnavailableException.
PI76688 Private lifecycle methods in JAX-RS resources are not invoked
Java 2 Connectivity (J2C) PI60146 Connection sharing cannot be controlled in Liberty when using direct lookup
PI71092 java.lang.UnsupportedOperationException when accessing a tested data source
PI73350 Connection manager settings not honored
PI74533 Setting an agedTimeout value of 0 on a connection manager results in J2CA8011E
PI75426 Connection manager configuration intermittently ignored for application defined data source
Java Persistence API (JPA) PI74104 EclipseLink might add unused table in generated query
PI74284 The JPA Container calls EntityManager.clear() instead of EntityManager.close() on cleanup
JavaServer Pages (JSP) PI72709 Asynchronous dispatch to a JSP file under the WEB-INF directory fails.
PI73022 JSP comments containing "%>" might throw a StringIndexOutOfBoundsException.
Liberty Application Services PI74321 After upgrade to 16.0.0.4. NamingException and ClassCastException occur on JNDI lookup on IBM i
PI75284 Intermittent NullPointerException from ApplicationStateMachineImpl when trace enabled or logging information in response to a failure
PI75389 OSGi Applications can take significantly longer to startup after upgrading Liberty
PI76368 A class that is both Remote and Serializable is mis-categorized during marshalling
Liberty Debug and Tracing PI62350 Some server startup and early messages are not collected by logstachCollector-1.0 feature.
PI74051 Transaction trace lacks PropertyPermission to read system property "com.ibm.tx.tracer"
PI74318 Incorrect message IDs appearing on dashboard when using the Bluemix log collector
PI76200 Stack trace is not included in the message field of liberty_message type
PI76620 Filter tags in logstashCollector & bluemixLogCollector to avoid tags with special characters displaying oddly on dashboard
PI76621 New message IDs need to be assigned to a few existing TRAS messages.
Liberty Kernel PI72686 Removing and adding a feature can result in a warning message about duplicate metatype definitions
PI73807 Some Liberty message IDs conflict with traditional WebSphere Application Server
PI74527 Error CWWKZ0404E can occur when starting an application on Liberty
PI74586 Liberty server does not start if jvm.options file contains spaces, after upgrade to 16.0.0.4
PI74792 java.lang.NullPointerException when starting an .ear application with autoExpand="true" in server.xml
PI76013 Resolution error for optional server config include should not create an exception
PI76432 Exception could be thrown and logged during a server shutdown if listeners timeout during quiesce
PI76607 Features that cannot be loaded because of Java version dependencies may still be reported as being loaded
PI76755 Liberty metatype registry problem - metatype extension duration changed from LONG to STRING in 16.0.0.4
Liberty z/OS PI50828 WLM support is ignored when running z/OS Connect in async mode
PI66375 SPI for MVS MODIFY command support is documented to be externally available, but in fact is not available
PI72065 Loop in Liberty z/OS server when AsyncIO is enabled
PI72566 ABEND0C4 at BBGZSCFM+377E occurs during client bind
PI72776 When WLP_ZOS_PROCEDURE is set the foreground JVM uses the full set of JVM options
PI73559 WOLA service BBOA1URG fails with RC=12 RSN=240.
PI73752 Suppress FFDC for com.ibm.io.async.AsyncSocketChannel 453
PI74564 WebSocket-1.1 feature does not work in Liberty imbedded in CICS TS 5.3
PI74875 Liberty Server hang in termination after a hard failure on z/OS
PI74878 WOLA feature not started for 16.0.0.4 server using a version 4 Angel
PI76238 Message CWWKB0392W contains no message text in messages.log.
Performance Monitoring Tools PI75368 Slow memory leak might lead to OutOfMemory in Liberty
PI76212 Monitor capability breaks when different thread pool name is speicified other than "Dafault Executor".
Security PI72135 An AccessControlException is issued when restoring the security context using the ContextService APIs
PI72653 Web filters need to receive the AuthModule wrapped request or response when using JASPIC
PI73266 AccessControlException issued even when permission was granted in the permissions.xml file
PI76359 Process default SSL Setting not getting reset on a file update
PI76408 The method signature for java.security.SecureRandom.nextBytes() is no longer synchronized.
Session Initiation Protocol (SIP) Container PI76614 SIP Router is initialized more than once.
PI76615 Order of OSGI bundle could cause a class not found exception.
Systems Management Functions PI74526 A collective name sporadically changes between its given name and the default name
PI75433 Liberty collective member status becomes stale at the controller.
Web Container PI71999 XML transformer factory changed during server start
PI72223 The pluginUtility displays an untranslated message when using the merge action to merge plugin-cfg.xml files in a directory.
PI72514 Application start fails to add context root in Virtual Host map
PI72710 Response committed on return from Forward even when async is started.
PI74499 Server quiesce not cleaned properly when write during close of upgraded connection goes asynchronous.
PI75475 The WebContainer 'enableMultiReadOfPostData' config property was visible but not implemented.
PI75528 The maxRequestSize optional attribute for MultipartConfig is ignored.
PI76195 When the plugin configuration is generated it may not have one of the ports
PI76271 CORS does not handle requests with PATCH methods correctly
PI76351 ServletRequest.getRequestURI() returns inconsistent results after AsyncContext.start().
PI76364 isFinished() could incorrectly return false in some scenarios
Web Services (JAX-WS, JAX-RS) PI70234 Custom HTTP header blocks SOAPAction header
PI76616 HTTP servlet requests could be matched to incorrect cross-origin resource sharing (CORS) configuration
Web Services Security PI72558 OIDC client cookie is not removed after it is used
WebSphere Compute Grid PI73040 Batch job log REST URLs are incorrect for a failed job execution
PI73249 The ddlGen script may produce an empty file when run against a server with the Java Batch feature configured
PI74813 When using the batchManagerZos 'status' and 'listJobs' commands, the usage of --instanceId and --jobInstanceId are not universal.
PI74924 Job with Java batch COMPLETED status moves to STOPPING status after shutdown in executor.
PI76622 Provide V2 and V3 versions of existing Batch REST APIs
PI76632 Job executions REST API syntax is misleading
PI76701 Java Batch purge command fails after a job execution did not initialize correctly
PI76702 Java Batch jobs store JES job name and JES job ID with trailing spaces
WMQ messaging providers PI61885 postCallWithException throws java.lang.IllegalStateException
PI71691 BundleException happens when adding a feature to a running server causing a bundle to be reinstalled
PI72136 Server startup fails with CWRLS0009E error due to failure in the transaction manager's recovery log service
z/OS PI61450 Apache Wink does not remove quotes from the boundary value Content-type: multipart/mixed; boundary="simple boundary"

Back to top

Fix release date: 13 December 2016
Last modified: 13 December 2016
Status: Superseded

Download Fix pack 16.0.0.4
 

Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI69193 ContextNotActiveException in SessionScoped bean preDestroy()
PI70614 Clean up all resources on an application startup failure on cdi-1.0 feature
PI71104 @Inject Principal does not work in mutli-threaded environment.
PI71667 Application fails with WELD-001408: Unsatisfied dependencies for type Validator with qualifiers @Default
PI71734 Failover does not work with CDI 1.2
Database Access, Connection Management, Merant/DataDirect drivers PI68418 Purge policy ValidateAllConnections does not properly validate connections
PI71587 Data source is not autodetecting MariaDB.
DynaCache PI68741 HTTP status code 200 is returned to a client when the servlet or JSP throws an exception
PI71752 Plugging in an external cache provider does not work with the distributedMap-1.0 feature.
EJB Container PI66621 ReferenceContextImpl caching empty list of targets for JSP classes
PI67942 javax.servlet.HttpServletRequest.getRequestURI() might return a decoded value after dispatching
PI69642 NullPointerException deleting stateful EJB
General PI42673 Extra information in logs with Datasource custom properties
PI67034 Access was denied for property org.apache.jasper.constants.jsp_servlet_base.
PI67099 Provide option to add STS response header for HTTPs request
PI68432 When user applications are using Websocket Decoders a slow memory leak can occur.
PI69737 Errors are not logged when tasks submitted to managed executors fail
PI70332 System property to enable SSL Channel timeoutValueInSSLClosingHandshake property
PI71359 FFDC is produced for a NullPointerException in com.ibm.ws.tcpchannel.internal.SocketRWChannelSelector.updateSelector
Install V8 and above PI68915 Default server.xml is incorrect
PI69133 Disk space validator returns NullPointerException.
Java 2 Connectivity (J2C) PI68163 MQJCA1011: Failed to allocate a JMS connection
PI68257 Connection manager might remain active after transaction manager has been disabled.
PI69122 J2C pretest being used despite FailingConnectionOnly option
PI69887 FFDC logged for resource adapter config property with getter that is named with "is" rather than "get"
PI69957 Destination ID erroneously used for JCA 1.7 destinationLookup instead of JNDI name.
PI70224 The value of ConnectionHandleCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
PI71193 Illegal State Exception when transaction timeout occurs and abort is used
Java Persistence API (JPA) PI65593 The database schema name cannot be configured with openjpa.jdbc.SchemaFactory
PI66770 JPA returns incorrect results when using a native query and @SqlResultSetMapping
PI67234 ServerPlatformException Server platform class is not valid: null occurs with JPA 2.1
PI67790 java.lang.ClassCastException using JPA
PI68028 EclipseLink throws ValidationException when using nested embeddables with the same attribute name
PI68805 Potential leak of org.apache.bval.cdi.BValExtension$Releasable objects when using JAX-RS, CDI 1.2, and Bean Validation 1.1.
PI70680 Deployment of persistence unit fails with DescriptorException
PI70841 OpenJPA's ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException
PI75607 javax.persistence.PessimisticLockException when javax.persistence.lock.timeout set to 0
PI75608 Add EclipseLink support for Java 2 Security
JavaServer MyFaces (JSF) Apache MyFaces implementation PI67525 inputFile tag is not working properly on Liberty
PI70441 FlowBuilderFactoryBean Concurrency Issue
JavaServer Pages (JSP) PI67257 An escaped EL expression is being run if an escaped dollar sign precedes the former expression
PI69028 Null CodeSource location for classes loaded by JSPExtensionClassLoader
PI69942 JSP property useJDKCompiler does not work in Liberty
PI71436 A debugger does not stop at a breakpoint in a JavaSever Page (JSP).
Liberty Application Services PI70600 Auto extracted web app files have incorrect timestamp.
PI70848 When application autoExpand is enabled changes to an ear file are not detected by the Liberty server
PI70870 ConcurrentModificationException in AppClassLoader when using the global library
PI71116 When certain features are enabled the application property autoStart has no effect
Liberty Kernel PI68170 Users of Liberty's OSGI EventAdmin service cannot change the topics of interest for a registered EventHandler
PI70104 Starting a Web Application Bundle (WAB) can result in a deadlock sometimes when the WAB is installed and started dynamically
PI70637 RuntimeException: Invalid call to WsByteBuffer occurs during shutdown
PI71457 NullPointerException after a failure to bind an IIOP transport port
PI71607 Schema for resource adapters contains an unused attribute.
Liberty System Management PI69561 REST API Discovery missing APIs in web applications with multiple JAX-RS application classes
Liberty z/OS PI67718 z/OS Connect is unresponsive to the STOP command from the z/OS Console
PI69625 Liberty server at 16.0.0.3 may fail to start when using AsyncIO
PI69886 When using the zosLocalAdapters-1.0 feature to talk to CICS, the CICS container LinkTaskRspContID already exists.
PI70090 WebSphere Liberty "server" and native launcher handle a # in the middle of a JVM property inconsistently
PI70896 Liberty Server hang in termination after a hard failure on z/OS
PI71417 Startup time for Liberty for z/OS is unnecessarily slow.
Messaging Providers PI62816 Allow more than one address to be specified in the remoteServerAddress field
PI70961 Corrections to messages in JMS Messaging
Performance Monitoring Tools PI70900 Events get lost when the logstashCollector config gets updated
Security PI62070 Full chain created in PKCS12 but not for JKS key store
PI62375 Potential code execution vulnerablity in WebSphere Application Server (CVE-2016-5983)
PI69141 Make sure HTTPS URL connection default is set at the same time SSLContext is set.
PI69161 Constrained delegation works only when Liberty trace is enabled
PI69277 Java 2 Security permissions are not granted to a shared library when using the file element instead of a fileset
PI69629 CWWKX8136W: Cannot validate the server identity
PI69840 A NoClassDefFoundError or NoSuchMethodError may be thrown when accessing Swagger annotations.
PI69870 IllegalAccessException on EL expression that processes isLast() of object referencing varStatus in JSTL for-each tag
PI71525 NullPointerException when registering a Custom User Registry that returns a null realm name
PI71585 NullPointerException when null password is passed into WSCallBackHandlerFactory
PI71751 Provide better message when bad SSL configuration is used by CSIv2.
PI71789 .InvalidNameException: Validation of the Collective DN failed. 0th element type was not dc
Systems Management Functions PI69286 Non-ASCII names used in remote operations from a collective controller may become corrupted.
PI69741 Remove extra information from trace file
PI71792 New files added to a controller's configDropins/defaults directory are not replicated to other controllers in the collective.
Virtual Member Manager (VMM) PI71825 CWWKS3006E error message seen during server shutdown.
Web Container PI64898 AsyncListener onError not being called correctly
PI65762 DestroyJavaVM() method call hangs and JVM fails to shut down when asynch servlet work has been performed
PI67393 Polish the ReadListener
PI68061 Option to display customized text for some server errors
PI69220 A plugin-cfg.xml is generated with missing applications and future auto-generation fails.
PI69803 A java.lang.NoClassDefFoundError error can occur when using the pluginUtility merge action.
PI70063 A decrease in throughput can occur when many concurrent requests for JSP pages that make use of tag libraries.
PI70184 WebSocket not working if application flushes without obtaining any outputStream or writer
PI70873 java.lang.NullPointerException might occur during a request's cleanup.
PI71851 Missing apostrophes in French and Italian pluginUtility text
Web Services (JAX-WS, JAX-RS) PI70196 PI70196: ibm rest servlet cannot be mapped to two different urls:
PI70313 Swagger API Explorer ignores protocol schemes for operations
PI71238 IllegalArgumentException when getHours() is called
PI71887 JAX-RS Client fails when running in OSGi bundles
Web Services Security PI68101 JSON bits are missing from a URL when SAML authentication redirects a request
PI68809 WSAS XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
PI69415 Support configurable context root for OIDC client redirect url
WebSphere Compute Grid PI70886 Java Batch REST: STOP request may not return JobNotRunningException even when the job batch status returns as COMPLETED.
PI70887 An exception in the batch executor may cause a message to roll-back onto queue (and get re-delivered) instead of consumed.
PI71718 Attempting to purge multiple job instances fails when their executions are not on the same endpoint
PI71719 Batch REST request for job instance job log links fails with remote executions
WMQ messaging providers PI68664 Record-level sharing (rls) is miscalculating the amount of data to be written to partner logs
PI69183 APAR PI18414 may result in the recovery log service using incorrect sequence numbers.
PI69314 ELException, Can not find @Transactional annotation
PI69328 CWWKZ0403E error message occurs due to error Unable to acquire the global write lock in time.

Back to top

Fix release date: 16 September 2016
Last modified: 16 September 2016
Status: Superseded

Download Fix pack 16.0.0.3
 
Component
 Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI38270 NullPointerException in InvocationContextImpl.configureTarget when destroying an already destroyed bean
PI42311 EJB interceptors not called intermittently
PI48614 NullPointerExceptions from CDI code
PI51620 NullPointerException when doing injection with com.ibm.ws.cdi.immediate.ejb.start set to true
PI58669 CDI javax.decorator.decorator annotation not working as expected
PI61397 Ensure application scoped context is initalized properly and active during bean preDestroy
PI64374 Race condition with session scoped contexts
PI64812 Application ClassLoader leaked during application restart from CDI's RuntimeFactory
PI65337 Use of CDI interceptors in stateless EJBs causes exceptions to be wrapped in WeldException
PI66866 Memory leak occurs when an application is restarted
PI67388 Move up Weld level to 2.3.4.Final from 2.2.16.Final.
Database Access, Connection Management, Merant/DataDirect drivers PI66423 OraclePreparedStatement.getReturnResultSet and OracleCallableStatement.getCursor fail after unwrapping statement
EJB Container PI60567 New system property to configure the EJB pool wait timeout
PI62639 NullPointerException in CDIEJBManagedObjectFactoryImpl.getEjbDescriptor when creating EJB instance to pre-load the bean pool
PI63571 AccessControlException: "accessDeclaredMembers" from com.ibm.wsspi.injectionengine.MethodMap.getMethods.
PI63709 Application exception thrown from EJB constructor lost when @AroundConstruct interceptors present
PI63821 Resource reference names starting with java:comp/env are ignored in ibm-ejb-jar-bnd.xml
PI65205 FFDC for TransactionRolledbackException when using UserTransaction in stateful bean ejbRemove method
PI66565 com.ibm.wsspi.resource.ResourceInfo not provided to ResourceFactory for <resource-env-ref> XML elements
PI67070 Customer can get EJBExceptions related to non-persistent EJB Timers during server shutdown
General PI60893 Deadlock caused by SIP Subscribe
PI61548 Potential Denial of Service in WebSphere Application Server if using SIP services (CVE-2016-2960)
PI63871 NullPointerException in MemoryPersistenceManager
PI64472 Automatically determine whether a submit or restart should be issued from the batchManager and batchManagerZos utilities.
PI65456 Issuing "job.ended" CWWKY0010I message instead of "job.failed" CWWKY0011W message, upon job failure.
Install V8 and above PI65506 Display proper asset list when embedded asset repo is missing during IM modify_add flow
Intelligent Management Component PI59258 Dynamic Routing fails to recognize the application until Collective Controllers are restarted
PI63212 Reload of web server with Intelligent Management causes CWWKV0008W messages on a Liberty collective controller
PI66993 Health condition is not set to the Liberty server in the Docker container.
PI67392 DynamicRouting does not have route information for Liberty Docker on initial deployment
Java 2 Connectivity (J2C) PI63520 Parked connection created by PoolManager results in setting a pre-existing client ID to a MQ connection
PI66424 J2CA7002E is logged when server is stopped while in the process of installing a resource adapter.
PI67186 The value of FreeConnectionCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
Java Persistence API (JPA) PI58114 ClassCastException when an equals comparison query is run on an entity with a composite @EmbeddedId
PI64129 CDI applications that inject Validator or ValidatorFactory beans cannot be failed over in a cluster
PI67305 EclipseLink assigns the same object instance to multiple embedded fields
JavaServer Faces (JSF) SunRI implementation PI64899 When using the jsf-2.2 and beanValidation-1.1 features an OSGI warning message can be seen.
JavaServer MyFaces (JSF) Apache MyFaces implementation PI63135 Custom type conversion is sometimes bypassed in EL 3.0
PI63633 Thread-safety issue in the underlying (Apache) JSF 2.0 code causes WebContainer threads to hang
PI64195 @PreDestroy methods are not invoked on session invalidation for JavaServer Faces (JSF) javax.faces.bean.ViewScoped beans.
PI64714 JSF message severities always set to ERROR after ValidatorException
PI64718 Validators are not called when using selectManyCheckbox
JavaServer Pages (JSP) PI64004 The scratchdir JSP attribute is not documented on Liberty
PI65333 A JSP error "unresolved compilation problem" is thrown during runtime
Liberty Application Services PI62861 Server stop runs before the ServletContextListener implementation completes
PI63542 ArrayIndexOutOfBoundsException may occur when doing a JNDI-lookup to a remote EJB that is located in another cell
PI64494 Timing window in generation of Type Code objects from class TypeDescriptors, causes performance problems during JNDI lookup
PI64806 java.lang.StackOverflowError on WAR
PI65244 EJB connection helpers are both null
PI65637 Starting an OSGi Application intermittently causes an endless loop.
PI66570 IllegalStateException thrown on server shutdown
PI67028 AccessControlExceptionthrown from AppClassLoader.getResources() call
PI67672 Extended use of remote EJB may cause error mentioning Phaser parties.
PI67674 Restarting ORB may cause socket bind exception
PI67719 AccessControlException from JTMThreadFactory, JNDI lookup, and JmsManagedConnectionFactoryImpl
PI67739 Configuring a non-default ORB may interfere with application client.
Liberty Archive Install PI66992 z/OS IM offering failed to modify asset due to error 'Failed to load bundle com.ibm.was.determine.job.type'
Liberty Kernel PI62609 When coreThreads and maxThreads are the same value, CWWKE1200W messages, which indicate a hung thread, may appear erroneously
PI63436 Embeddable Liberty command wlp/bin/server fails to run on old bourn shell used by Solaris 5.10
PI64318 Product validation error when running installUtility install
PI67017 Apache Commons Compress was incorrectly added to Liberty's JVM classpath
PI67231 Inconsistent installUtility/feature error messages when installing features or depending features not found on repository
PI67665 Path normalization of configuration variables can cause unwanted modifications
Liberty z/OS PI61412 HTTP access logs are not tagged on z/OS.
PI61645 CWWKF0015I and CWWKF0014W messages are misleading
PI63930 WEBSOCKET-1.1 feature does not work in Liberty Imbedded in CICS TS 5.3
PI64823 zosRequestLogging-1.0 feature does record the SAF mapped user ID in SMF 120 subtype 11 records.
PI65658 Liberty z/OS unauthenticated ID experiences ICH408I calling HttpServletRequest.login with syncToOSThread enabled
PI65709 Storage leak in subpool 249 key 2 when using the zosLocalAdapters-1.0 feature.
PI66150 Liberty server processes the start of WOLA workload to slowly
Security PI60769 IIOP sslRef mismatch not clear in error message
PI61592 Security context not propagated into JCA resource adapter
PI62626 jacc-1.5 feature does not package a separate API jar file even though it exposes the API.
PI62722 Attempting to start or stop a member from the Liberty Admin Center running in a collector on z/OS results in CWWKS2910E
PI63929 Potential open redirect security vulnerability in WebSphere Application Server Liberty CVE-2016-3040
PI63949 When auth-method tag is not used in Liberty a NullPointerException is thrown
PI64065 CWWKS9112W: Invalid run-as configuration for security-role name ApplicationRoleName in the application ApplicationName
PI64790 Cross-site scripting vulnerability in OpenID Connect client CVE-2016-3042
PI65716 configUtility and collective command line utilities do not support the custom password encryption
PI66628 The message when the custom password encryption is not available is not acculate.
PI67237 AccessControlException issued when an API tries to obtain an internal OSGi service via the kernel service SPIs.
PI67467 An intermittent MalformedURLException is issued during the server shutdown when Java 6 is used and there are permissions defined
Sessions and Session Management
PI60026 Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)
Systems Management Functions PI62640 Collective utility help text for --keystorePassword is incorrect.
PI66520 A collective controller shared configuration file is removed after it is renamed.
PI66522 A deploy rule without a defined restart command produces an exception during a deploy operation.
PI66523 The --createConfigFile option of the collective utility allows the config file to be in the configDropins/defaults directory
PI66524 The collective utility writes an unnecessary request to edit server.xml.
PI67220 Liberty member in a Docker container ignores metadata defined in the admin-metadata.xml file included in the container.
PI67221 Docker registry commands in the Docker deploy rule mistakenly prepend the repository with the user name.
Virtual Member Manager (VMM) PI62392 Login failure if userFilter contains userAccountControl attribute
PI63471 getUserDisplayName returning null when basicRegistry is configured
Web Container
PI54459 Information Disclosure in WebSphere Application Server Liberty CVE-2016-0378
PI58875 Application is started even though there has been a listener exception during application start up
PI61651 An uncaught exception in javax.servlet.AsyncListener.onComplete() might cause threads to hang
PI63193 SRVE8094W might happen even if invokeFlushAfterServiceForStaticFile=false
PI65853 WebSphere Application Server Web Container affected by Apache Struts vulnerability (CVE-2016-3092)
PI67093 Information disclosure in IBM WebSphere Application Server CVE-2016-5986
PI67470 ConcurrentModificationException thrown on getServletWrapper when serveServletsByClassname is enabled
PI67832 FFDC created when a feature is removed from server.xml.
Web Services (JAX-WS, JAX-RS) PI64462 NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocal Providers.getContextResolver()
PI67586 ConcurrentModificationException in org.apache.cxf.jaxrs.JAXRSServiceFactoryBean
Web Services Security PI66148 OIDC Client Service is not thread safe
PI66354 OAuth provider does not encode non-ASCII characters properly
WMQ messaging providers PI45254 Collect more serviceability data for transaction log service
PI65127 Deadlock issue in tranlog database
PI65412 Transaction service may fail to log data correctly when its logs are stored in a database and connection failure occurs
Fix release date: 24 June 2016
Last modified: 24 June 2016
Status: Superseded

Download Fix pack 16.0.0.2
 
Component
 Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI58316 Changes to JSP in EAR or WAR not picked up if CDI-1.2 feature enabled
PI61971 CDI forces a creation of an extra session, which causes memory usage issues.
DynaCache PI59818 Servlet and Object Cache services are initialized multiple times during Liberty startup causing delays and exceptions
EJB Container PI58029 Classloader leak associated with PCRegistry
PI59443 A method named ejbCreate on a managed bean may be treated as a post construct interceptor method
General PI52696 WebSphere Application Server proxy - Too many open files
PI53321 Using WOLA with CICS version 5.3 causes BBOX abend
PI54666 NullPointerException when using IPv4/IPv6 loopback addresses
PI55413 CICS BBO (WebSphere) link server abends with WRITEQ TSQ BBO* error eibresp: 16 eibresp2: 0
PI57228 The HTTP Channel consumes additional memory, in specific circumstances, when processing inbound data.
PI58457 Quotes are automatically added to the cookie Path attribute on version 1 cookies
PI58692 NullPointerException when using batchManager to purge and no arguments specified
PI58800 High CPU utilization can occur for WebSocket sessions that expire using a non-default MaxIdleTimeout value
PI58918 Response Splitting Vulnerability using a specific API CVE-2016-0359
PI59273 A job instance with zero executions cannot be stopped or restarted.
PI61321 Serviceability changes for batch feature
PI61621 The persistent user data and metric values are invalid when a job fails in the middle of a chunk step
PI62053 HTTP Channel Access Log does not properly record how much is written to the file
PI64247 For Double Byte languages an FFDC IllegalArgumentException can occur for a WebSocket connection that closes due to an error
Intelligent Management Component PI61807 Web Server SSL certificate created by the Liberty dynamicRouting feature needs updating
Java Persistence API (JPA) PI47094 ClassCastException using a shared JPA module on JPA 2.1
PI55889 JPA Merge fails intermittently with FOREIGN KEY constraint error
PI58092 Delay in application startup on Liberty
PI58523 When using jpa-2.1 with Bean Validation, XML constraints are not recognized
PI59004 Criteria Modelgen API is not included for the EclipseLink provider
PI59757 JPA PersistenceUnitUtil.getIdentifier() fails for nested EmbeddedId
PI59782 Eclipselink on Liberty is missing javax.json imports
PI59999 OpenJPA custom plugins can cause Classloader leaks
PI62022 Bean validation interceptor is invoked twice
JavaServer MyFaces (JSF) Apache MyFaces implementation PI57255 MyFaces CDI support is disabled if non-CDI application is loaded first
PI59422 Flow beans are destroyed before the flow is finalized
JavaServer Pages (JSP)
PI56811 XXE and RCE via XSL extension in JSTL XML parse and transform tags
PI59436 NullPointerException when using EL expressions returning null
PI60837 A StackOverflowError can occur when com.ibm.ws.el.reuseEvaluationContext is set to true
PI61400 There are unused message properties files packaged in the Expression Language (EL) 3.0 bundle.
Liberty Administrative Center PI58080 Admin Center toolbox cannot save bookmarks with Explore search results which search on tags
PI62052 Potential security vulnerability in Admin Center for Liberty CVE-2016-0389
Liberty Application Services PI53419 Liberty server z/OS: Deadlock adding WABs to web container
PI58841 An OSGi web app using JSP and JSTL by default currently needs to explicitly import the JSTL spec packages.
PI59010 CWWKC2259E: "Unexpected child element defaultDatasource" in WebSphere Liberty for EJB 2.1
PI60496 EBA fails to resolve when blueprint-1.0 is active
PI60749 Common shared library classes return null when calling getProtectionDomain().getCodeSource().getLocation()
PI61468 Application classloaders are leaked by transaction monitoring threads.
PI61906 Classloading trace does not contain details of classpath being traversed.
PI62078 ClassLoader leak in CDI's RuntimeFactory
PI62240 ClastCastException doing a JNDI lookup
PI62385 Classloading perfomance of the Liberty ORB has been slightly improved.
Liberty Archive Install PI60256 Failed to testConnection against wlp-feature-8559.zip
PI62355 License jar upgrade returns a confusing message when it fails due to invalid edition.
Liberty Debug and Tracing PI57488 Null characters added to logs when truncated by user
PI58309 NullPointerException seen with logstashCollector-1.0 feature when access log source is enabled
PI58310 logstashCollector-1.0 feature reports a NullPointerException during server shutdown operation
PI58311 TRAS0120W message reports incorrect lost events
PI58386 Duplicate FFDC records are sent for the same failure by logstashCollector-1.0 feature.
PI60821 NullPointerException when eventLogging feature is removed
PI61051 Removal of ISADC script
PI61371 High Performance Extensible Logging (HPEL) binarylog view does not sort by time stamp
PI62013 Warning message should be issued when wrong source is specified.
PI62015 Unexpected null pointer exception appearing in FFDC logs with logstash collector whenever updating the source
Liberty Kernel PI48971 ActiveMQ properties not being honored in JMSActivationSpec in Liberty
PI59235 Problems with serialization code
PI59906 Server command help is missing the --os option description
PI60941 When installUtility install serverName is run, the server logs and workarea were not created under WLP_OUTPUT_DIR
PI61175 During startup the application manager can cause an FFDC with a ConcurentModificationException causing no applications to start.
PI61177 Spurious error may be logged when bundle starts and immediately stops.
PI61178 Dynamically configuring one or more features from zero features delays starting applications by 30 seconds
PI61319 The help for the productInfo command line tool reports an error rather than provide the help text.
PI61320 Missing attribute message is confusing
PI61324 Server package zips when unpacked lack file permissions for scripts in bin folder.
PI61451 installUtility command may fail with a SocketException: "Too many open files"
Liberty System Management PI57567 Merged plugin-cfg.xml generated by ClusterManager mbean generateClusterPluginConfig operation contains dup elements
PI58426 Collective create always treats --keystorePassword as a required argument
PI61176 Using the IBM JMX REST client from Liberty requires setting too many properties
PI61895 Swagger document and UI in apiDiscovery-1.0 did not show non-ASCII characters properly.
Liberty z/OS PI50018 linkTaskChanID property does not work when used with z/OS Connect service provider
PI52665 z/OS WOLA CICS BBOC control transaction cannot support long command strings from the console
PI54756 z/OS Connect JSON Parse Error message missing JSON payload.
PI56919 IllegalArgumentException: com.ibm.ws.security.saf.SAFException: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed
PI57546 UserRegistry.getUsersForGroup() is not implemented in Liberty server
PI58016 Asian characters in UTF-8 encoded payloads are converted to escaped unicode characters
PI58155 Liberty server takes ABENDEC6 RC0000FD1D due to CPU time limit exceeded
PI58468 WOLA fails to reconnet to CICS TS after previous executions have succeeded
PI59320 ABEND 0C4 RSN=00000004 or a CICS ASRA ABEND when you have more than 128 WOLA connections in an address space
PI61322 CICS programs called over WOLA are being passed an incorrect channel or container name.
PI61323 An ABENDDC2/ABENDSDC2 occurs in program BBOATRUE when CICS is configured to use an embedded Liberty server.
Performance Monitoring Tools PI60781 NullPointerException being thrown from requestTiming feature if any exception occured
Security PI55373 Collective framework needs to support certificates signed by third party signers
PI59813 Improve the exception generated when client does not trust the server.
PI61090 NullPointerException from FeatureWebSecurityCollaboratorImpl
PI61204 NullpointerException when using ibm_securitylogout in Liberty
PI61253 OAuth or OpenID Connect response does not contain state parameter
PI61622 The French help text of the PasswordUtility command line utility contains typographical errors.
Systems Management Functions PI58664 Liberty collective member status is incorrect
PI62453 When making a JMX Connection to a collective member, the JVM default for HTTPs connections is updated
Virtual Member Manager (VMM) PI54746 Federated repository does not allow a user login with Turkish characters
PI56819 User login failure when uniqueUserIdMapping inputProperty set to non default values
Web Container PI51122 Webcontainer intermittently generates a 500 error with StringIndexOutOfBoundsException
PI56833 WebContainer is setting the Content-Language
PI57951 Line feed code disappears when data is uploaded with enctype="multipart/form-data" in an HTML form
PI58920 Dispatcher type obtained from HttpServletRequest is not updated on post processes
PI59415 Development version of servlet SPI bundle does not match with runtime webcontainer bundle.
PI60797 Enable POST only for a form login
PI61594 AsyncContext.dispatch() might dispatch to an incorrect URI if using different versions of ServletRequest.startAsync()
PI61628 A 404 error might be generated when using redirectToWelcomeFile
Web Services (JAX-WS, JAX-RS) PI53319 ClassNotFoundException on WebSecurityHelper
PI56315 JAX-RS MessageBodyWriter is not run
PI56374 ClassCastException: java.util.TreeMap incompatible with javax.ws.rs.core.MultivaluedMap
PI58097 HTTP Response header with invalid Date string is added to the response on a WebServices request
PI58779 JAX-RS 2.0 @Context injection from client side provider reports NullPointerException
PI58799 IllegalArgumentException inJAX-RS InjectionUtils.java code
PI59519 Update product.json model to match recent changes in API Connect
PI59633 When using JPA to persist an object, the JAX-RS engine does not correctly catch any exceptions that are thrown
PI59640 Security definition is missing from the filtered Swagger document returned by API Discovery Framework
PI59643 Using @Context to get the HttpServletRequest and changeSessionId() always returns null
PI61936 Information disclosure in JAX-RS API
PI62155 Suppress SOAP FAULT error message
PI62450 Swagger processor may allow weaker than expected security
Web Services Security PI59665 OIDC Relying party auth flow fails with 401 error when security trace is enabled
PI59677 OIDC relying party authentication failure due to CWWKS1704E error
PI62735 The groupId(s) get lost in id_token and introspection
WMQ messaging providers PI59123 WS-AtomicTransaction participant recovery after a server crash may never complete
PI60966 Problem distributing transaction between WSAS traditional and Liberty using WS-AtomicTransaction.

Back to top

Fix release date: 18 March 2016
Last modified: 18 March 2016
Status: Superseded

Download Fix pack 8.5.5.9
 
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI50291 Beans searched for through instance interface are not found
PI51134 NullPointerException if all interceptors are on methods overriden, defined at class level or defined in a different method
PI51508 Reduce contention in AbstractOwbBean.equals use
PI52391 BeanManger.equals cannot distingiush between two BeanManagers for the same module after a restart
PI52756 CDI is activated and generates error with no existence of beans.xml
PI52765 Provide a fix for Weld bug in CDI 1.2
PI57976 Objects of class NullInjectionPointImpl are visible in applicaiton code
PI58021 ClassNotFoundException if application contains a jar which contains other archives
Database Access, Connection Management, Merant/DataDirect drivers PI57239 Error when multiple threads attempt to authenticate to Mongo at the same time
EJB Container PI49639 CWWKC2259E: "Unexpected child element" in Liberty profile for EJB 2.1
PI50806 NullPointerException in AbstractEJBRuntime.bindAllRemoteInterfacesToContextRoot when using ejbRemote-3.2 feature
PI53807 Improve message text when EJB SessionContext fails to serialize
PI55049 Non-persistent EJB Timer created while application is stopping may not be removed
General PI48725 Initial TLSv1.0 application data packet read into the wrong buffer by the SSL channel
PI49508 At startup end users requests routed with HTTP 404 response
PI49566 WebSockets might not close the connection if sessionIdleTimeout is set
PI51523 HTTP Channel getCookieValue throws ArrayIndexOutOfBoundsException when cookie is only one-digit double quote "
PI51552 Unwanted CWWKC1556W warning when application starting or server shutting down
PI51740 The HTTP Channel could cause the Operating System to send an RST packet when the connection is closed
PI52417 Host name resolution with collectives on z/OS may not resolve properly
PI52845 SSL handshake fails due to a java.lang.IllegalArgumentException.
PI54212 Update one class in Apache Commons
PI55344 The job logs are producing a date such as 2016-12-28 as opposed to 2015-12-28 during the last week of the year
PI55874 Jobs containing split-flow may continue executing the (split-flow) even after the job is stopped.
PI56019 The com.ibm.websphere.appserver.api.mediaServerControl.1.0_1.0.11.jar file in the dev/api/ibm directory is empty.
PI56057 The MediaServerControl Javadoc provided contains accessibility issues.
PI56076 Batch job logs do not contain the exception stack trace on step or job failures.
PI57100 Remote partition wrongly ends in COMPLETED state when job is stopped, wrongly bypassing partition execution on restart.
PI57542 IOExceptions is not thrown on inbound connections
PI58014 Message's address is null in SipUdpConnLink
PI58049 The exitStatus after the restart of an executor is not properly being rolled back to the correct value.
Install V8 and above PI51130 Updating Liberty using group-mode Installation Manager does not set group-write bits
PI55969 An update to the licenses in IBM WebSphere Application Server Liberty V8.5.5.9 is required.
Intelligent Management Component PI53304 Auto scaling does not fully scale in to the minimum number of servers or scale out to the maximum number of servers
PI57006 A scaling controller might not register a scaling member correctly when the member starts.
PI57007 ConcurrentModificationException in com.ibm.ws.scaling.controller.topology.RepositoryMonitor$UpdateHandler
PI57982 In a Liberty collective, not all instances of an application are used when routing with Intelligent Management for Web Servers.
Java 2 Connectivity (J2C) PI53120 Datasource connection pool minimumPoolSize to be 0 by default for newly created datasources
PI54230 ClassNotFoundException when using generic RA in Liberty
Java Persistence API (JPA) PI46699 A null value is returned when trying to use OpenJPA's DelegatingConnection's unwrap()
PI47094 ClassCastException using a shared JPA module on JPA 2.1
PI47144 Merging an unmanaged entity multiple (3) times leads to an exception.
PI50341 Using java.sql.Timestamp data type for entity version value requests current timestamp from wrong SYSIBM table on DB2
PI50694 ClassCastException is thrown in JPA when QueryCache is enabled
PI51878 ddlGen script is shipped in ASCII instead of EBCDIC in Liberty 8.5.5.7
PI52209 EntityNotFoundException in OpenJPA
PI53589 OpenJPA fastpath broken on Java 8
PI56340 OutOfMemoryError from org.apache.bval.cdi.BValExtension$Releasable objects not being released.
PI56499 AbstractMethodError occurs when using JPA with beanvalidation-1.1 feature
PI58001 NullPointerException from org.eclipse.persistence.queries.ReadObjectQuery under heavy loads
PI58005 With a Liberty image consisting of only EE7 features, importing javax.persistence 2.1 with WDT requires an internal attribute.
JavaServer Faces (JSF) SunRI implementation PI46218 DeploymentException occurs if different web modules in an enterprise application have CDI beans with the same name
JavaServer MyFaces (JSF) Apache MyFaces implementation PI45044 JSF problem in a Portlet environment: Form inputs inside a data table lose their values if validation fails
PI47885 h:selectManyCheckbox and h:selectOneRadio components do not support f:ajax tags.
PI49486 MyFaces leaking file descriptors when reading stylesheet files
PI50108 JSF component binding with ViewScope beans does not work and causes an exception
PI51038 Fix EL 3.0 ImportHandler support in JSF 2.2
PI53555 JSF ViewScope implicit objects are not resolved in JSP pages
PI54702 Null renderer-type tag causes custom TagLib xml parse error
JavaServer Pages (JSP) PI52851 Changing JavaServer Pages (JSP) features between requests can result in a java.lang.NullPointerException.
Liberty Application Services PI51184 CWWKG0031E is received after commenting out a JNDI element and then adding it back at runtime
PI51375 Application Manager change to make time waiting for apps at startup configurable
PI52936 Application classes provides incorrect values when calling getProtectionDomain().getCodeSource().getLocation()
PI54707 Intermittent ConcurrentModificationException thrown on startup when two Liberty apps use a privateLibraryRef.
PI55383 Client container application fails to run
PI55891 SPI classes under com.ibm.ws.container.service reference some non-SPI classes
PI56452 NullPointerException in WABInstaller.java results in "Unable to install bundle" message
PI56644 SPI classes under com.ibm.ws.javaee.dd reference some non-SPI types
PI56831 Classloader.getResource("") does not return url to WEB-INF/classes
Liberty Debug and Tracing PI51841 Request timing can accidently remove an executing request from the active request list
PI52003 New "JSON" format added to binarylog command
PI54917 ConcurrentModificationException in collector manager
PI55910 Logging in InvocationContextImpl outputs array IDs instead of array contents
Liberty Kernel PI51988 Invoking productInfo with valid command but bad option does not give errors
PI52309 WebSphere Liberty default executor auto-tuning is disabled when an embedder overrides the default ThreadFactory.
PI53867 ScheduledExecutorService can temporarily leak classloaders for canceled tasks.
PI54458 Wrong charset returned in page-not-found error when incorrect context root is requested.
PI55031 Fix defect in Equinox framework to incorporate in Liberty
PI55670 Liberty File URLs contain incorrect number of '/' characters
PI56645 Configuration conflict warning message needs improvement
PI56678 FileNotFoundException when application start-up fails.
PI57314 JSP classloading ignores the application parent-last classloader setting
PI57974 OSGi applications may be able to get access to OSGi services provided by Liberty feature bundles which are not considered API.
PI57975 Deadlock may occur when creating a Java util logging Logger
PI57980 Improper error when running Liberty scripts with unsupported Java version.
PI57981 Changing SSLDefault may still require unnecessary configuration of defaultKeystore
PI58006 Feature updates are less likely to result in unnecessary component activation and deactivation
PI58035 When installing features using the installUtility jaccWeb-1.5 and ejbComponentMetadataDecorator-1.0 are not installed
Liberty System Management PI53219 Wrong locale in the content when calling REST API to generate schema
Liberty z/OS PI50915 More details is provided for some failures in WOLA connections via Liberty
PI51171 Allow WOLA client to re-connect after a Liberty server failure or recycle
PI51329 Default JAVA not read from java.env when server is started with a PROC.
PI53339 Liberty on z/OS fails to route messages to MSGLOG DD card
PI53469 z/OS Connect does not preserve JSON payload element ordering as shown in copybook files.
PI53842 Basic authentication not working z/OS Connect dynamic services
PI54855 Liberty on z/OS does not pick up the IFAUSAGE properties file in the product extension directory
PI54886 When starting a Liberty server that has zoslocaladapters configured the sever abends with a System 106.
PI55029 Liberty started task does not expand @WLP_INSTALL_DIR@ when used in the path specified by WLP_DEFAULT_JAVA_HOME in java.env.
PI56289 Calls to WOLA services BBOA1* may hang when Liberty server is cancelled or ABENDs
PI56385 Message CWWKB0101I does not provide enough information to diagnose problems connecting to an Angel process.
PI56987 WLP_SKIP_UMASK=true is not working when Liberty server is started from a started task on z/OS
Messaging Providers PI47483 [WARNING ] CWWKG0032W: Unexpected value specified for property
Performance Monitoring Tools PI55077 Monitor group filter does not work with the component which are not using the code intstrumentation.
Security PI50399 NullPointerException thrown at com.ibm.ws.transport.iiop.security in Liberty profile
PI51188 Login fails with mixed-case password phrase on z/OS.
PI52181 Liberty incorrectly displays warning message aboutWSGUEST user missing the RESTRICTED attribute
PI52566 Incorrectly returning CWWKS4306E when application URI is unprotected and Liberty receives an expired LtpaToken
PI57413 CWWKE0702E: Could not resolve module: com.ibm.ws.management.security is logged when zosSecurity-1.0 is enabled.
PI57668 Collective member certificate login fails with LDAP or Federated user registry
Sessions and Session Management PI53220 Session attribute not stored with Oracle as database session persistence and MultiRowSchema=true
Systems Management Functions PI58002 Collective replica restart may fail
Virtual Member Manager (VMM) PI48674 LDAP binary attribut handling in VMM
Web Container PI42598 Filter with only WebFilter annotation does not get invoked
PI43752 AsyncContext.dispatch() dispatches to an incorrect URI
PI52414 While using an upgrade request the quiesce operation did not complete
PI52415 isFinished on a stream can return true before the stream is fully read
PI53854 Unable to retrieve the REMOTE_USER from the WSRU header without using any security in Liberty
PI54235 A redirect using an URI relative to the current request URL redirects to the wrong URL
PI54414 Managed thread factory not available in ServletContextListener.contextInitialized
PI54701 The Servlet SPI was refactored to provide a complete set of SPI classes.
PI57884 Blocking write is not allowed once WriteListener is enabled.
PI58013 If an error occurs during a request with a ReadListener and is upgraded, a quiesce operation may not complete properly
Web Services (JAX-WS, JAX-RS) PI48389 @PreDestory method invoked twice when @RequestScoped annotated on resource class and no @Context field in the class
PI50692 Data conversion issue for Multi-part MIME on mainframe (z/OS)
PI51798 Liberty JAX-RS implementation may throw NullPointerException
PI52014 User customized provider life cycle annotation @PostConstruct @PreDestroy not work or throw NullPoint Exception when stop server
PI54152 Liberty profile JAX-RS 2.0 Client Side Built-in Providers Installation Performance Issue
PI55038 Injection on implementation of ParamConverterProvider in JAX-RS 2.0 fails with NullPointerException
PI55547 Customized EJB ExceptionMapper cannot be mapped to user defined Exception in more than two JAX-RS 2.0 Applications
PI56455 ClassNotFoundException loading the jaxws-2.2 and appSecurity-2.0 features
Web Services Security
PI49272 Cross site scripting vulnerability in Oauth Service Provider CVE-2015-7417
PI57265 Add OpenID Connect relying party (RP) config option to specify whether to do client side redirect
PI58003 Cross-site scripting vulnerablility in OIDC client web application
WMQ messaging providers PI43413 Deadlock in controller due to timing window in the recovery log service; servant times out
PI53471 Extended Unit of Work API may not throw errors back to the application when they occur during transaction end processing.
PI53472 Thread safety defect in Unit of Work manager initialisation
PI53661 When inside an @Transactional declarative transaction, an error is thrown upon entering an @TransactionScoped context.
PI54151 Unable to find the @Transactional annotation
PI56465 @TransactionScoped bean instances do not have their @PreDestroy-annotated destructors called.
PI56466 Access to UserTransaction methods is not correctly disabled within nested @Transactional annotations
PI56467 @Transactional rollBackOn/do not RollbackOn scans the exception class hierarchy in the wrong direction
PI56529 @Transactional annotation processing code emits FFDC when encountering RuntimeExceptions in the dontRollBackOn list

Back to top

Fix release date: 11 December 2015
Last modified: 11 December 2015
Status: Superseded

Download Fix pack 8.5.5.8
 
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI47250 Liberty Profile with CDI 1.2 and CDI enabled application has slow startup
PI49410 Publish the Weld 3rd party version on the repackaged Bundle-Description
PI49978 If CDI 1.2 is enabled then a BeanManager could be returned when resolving any JNDI value.
PI50790 Turn off beans.xml validation by default.
PI50802 ProcessInjectionTarget and ProcessInjectionPoint events are not fired when processing non-CDI Interceptors.
PI52419 Export weld packages so that DeltaSpike Scheduler can be supported
EJB Container PI47475 A NameNotFoundException occurs for injection of resource into ManagedBean in EJB module
PI48390 IllegalStateException thrown during server stop when j2eeManagement feature is installed
General PI42523 Root not injected on URL containing query but omitted path
PI45266 HTTP response splitting vulnerability CVE-2015-2017
PI47651 An OutOfMemory error can occur from a leak in WebSockets when websocket session timeout is set
PI47954 Future.get can hang during ManagedTaskListener.taskStarting for repeating task
PI48097 Cleanup of resources can be missed after Thread.run for threads created by a ManagedThreadFactory.
PI48327 WLP does not handle requests successfully during shutdown
PI48759 The TCP Channel's Host Name Include and Exclude lists are case sensitive
PI50766 ExecutionException raised instead of AbortedException for aborted task
PI51046 BATCHMANAGER SCRIPT WebSphere Application Server SHIPPED IN ASCII ENCODING ON z/OS INSTEAD OF EBCDIC ON LIBERTY 8.5.5.7
PI51656 COMM_FAILURE exception raised during IIOP invocation due to IIOP connection being closed while in use
PI52303 Duplicate IIOP request IDs lead to incorrectly parsed response (from incorrectly handled reply message).
Install V8 and above PI51982 LIBERTY 8557 CANNOT ROLLBACK TO LIBERTY 8553 AND BELOW
Intelligent Management Component PI49835 java.lang.IllegalStateException: The ScalingMemberReplacementService service is not available
JavaServer MyFaces (JSF) Apache MyFaces implementation PI47095 A java.lang.ClassNotFoundException can occur during deserialization of the HTTP session
PI47578 An UnsupportedOperationException is thrown with an eager ManagedBean containing a ManagedProperty in JSF 2.2
PI47600 The "class" attribute cannot be set in a custom tag in JSF 2.2
JavaServer Pages (JSP) PI43036 JspTranslationException when using a JSP tag containing another tag with deferred-attributes
PI44611 JSP engine throwing an IllegalStateException when PageContext.findAttribute(string attributename) is called
PI46827 Memory leak in javax.el.BeanELResolver caused by application restarts
Intelligent Management Component PI52161 Liberty collective server status is not in sync with DataPower status query
Liberty Application Services PI50370 Unnecessary IllegalStateException FFDC created during some server stops
Liberty Archive Install PI50812 Some download error messages are shared with install error messages, but the content of the message only mentions install.
Liberty Debug and Tracing PI49056 NullPointerException when updating traceSpecification programmatically.
PI50369 NullPointer in MethodInfoImpl tracing
PI51010 Liberty core dumps when -Xhealthcenter:level=inprocess jvm option is used with health center agent version 3.0.5 or above
Liberty Kernel PI46358 Problem with notify call for updateTrigger="mbean"
PI46856 Unused server.env file generated when creating client processes using Java 8
PI47941 Liberty featureManager command may hang until killed
PI48377 Unable to use wlp-featureRepo-8.5.5.7.zip as a directory based repository in WDT
PI49759 When setting the trace file name to 'stdout', the distinction between error and general output messages is lost.
PI49927 UPDATE TO COMMAND PRODUCTINFO VIEWLICENSEINFO
PI50096 When Java security is enabled application class loaders may get access to internal packages contained in liberty profile
PI50775 There needs to be a space character preceding the ellipses mark used in some install command line messages.
PI51403 SSL support does not start properly
PI52579 Errors after adding or configuring additional content to server when the server installation path contains unsafe characters
Liberty z/OS PI46937 Security identity not propagated from batchManagerZos to batch exectuor in multi-server environment causes JobSecurityException
PI47050 Unintall zosBundle addon fails if use Java7 to run Liberty installUtility
PI47248 PERMISSION ERRORS ACCESSING RESOURCES IN THE SERVER'S WORKAREA DIRECTORY USING APPLICATION SYNCTOOSTHREAD WITH JSP INCLUDE TAG
PI47476 CWWKT0022E IN LIBERTY SERVER WHEN USING DVIPA HOSTNAME DEFINED BY VIPARANGE
PI47730 SERVICEABILITY ENHANCEMENTS TO ENABLE TRACING IN THE TOOLING THAT z/OS CONNECT USES
PI48362 The performance of inbound requests using the zosLocalAdapters feature is poor.
PI48528 z/OS CONNECT USE OF HTTP GET WITH INVOKEURI FAILS WITH WOLA SERVICE PROVIDER
PI48823 HIGH I/O AND CPU USAGE WITH ZOSCONNECTDATAXFORM DATA TRANSFORMER
PI48987 AFTER RESTARTING LIBERTY WITH z/OS CONNECT, NO z/OS CONNECT SERVICES ARE AVAILABLE
PI50040 CWWKE0701E MESSAGES SEEN AT LIBERTY SERVER STARTUP
PI50389 CONVERTTOJSONPRIMITIVE DATA TRANSFORMATION PART OF z/OS CONNECT USES HIGH CPU
PI50787 A z/OS modify command fails when running OSGi console commands.
Performance Monitoring Tools PI42967 Excessive appendCustomSetString calls cause high CPU when using VE and PMI.
PI49140 Health manager dumps many files into member server's /tmp directory
Security PI44880 Improve serviceability for form-logout processing.
PI47544 Fix keystore file monitoring so it is not polling by default.
PI47823 In Liberty profile ignoreCase=true is not honored for administrator-role entries
PI48220 The hashtable login module does not honor the uniqueId and security name when passing then userId
PI49157 App Server Classic to Liberty profile remote EJB lookup is not working when CSIv2 uses LTPA
PI50589 Liberty profile needs a meaningful message in the NO_PERMISSION exception when failing to decode a GSSUP token.
PI50717 Populating the users to the BasicRegistry might fail due to CWWKS3104E: Multiple users are defined error
PI50825 Access is denied with a WebSphereRuntimePermission for getSSLConfig in CSIv2 during a naming lookup.
Sessions and Session Management PI51030 There is a duplicate creating table problem when using Informix as session database on Liberty profile
Systems Management Functions PI50111 Automatically deployed member fails to start on Microsoft Windows
PI50484 Multiple clusters concurrently deploying to new host have JRE collision
PI50768 wlpInstallDir and/or jreInstallDir and/or otherInstallDir install to default location instead of to user specified one.
PI50824 Scaling member may change to automatic mode on member restart
PI50970 An improvement is made in the collective replica set management to better handle a network isolation condition.
PI50985 Collective controller does not start
PI52103 Vulnerability in Apache Commons Collections used by Liberty
Virtual Member Manager (VMM) PI46476 The principal name is listed as null in the error message CWIML4537E
Web Services Security PI36818 WebSphere OAuth TAI template cache has a synchronized lock and can block a lot of threads
PI51540 CWWKS1758E: Validation failed for the ID token.
WMQ messaging providers PI48396 Performance degradation on application startup
PI52986 In doubt transactions are not recovered on server restart

Back to top

Fix release date: 11 September 2015
Last modified: 11 September 2015
Status: Superseded

Download Fix pack 8.5.5.7
 
Component
APAR
Description
Contexts and Dependency Injection (CDI) PI40544 CDI decorator for an interface must directly implement cannot inherit from a super class
PI45878 Injected parameters passed in wrong order
PI46326 Performance Improvement on application startup
PI46615 The same class appearing in multiple war files might cause the wrong bean manager to be returned.
PI46639 Name given to a bean with @Named annotation is not the correct default if it begins with two or more capitals
PI47146 CDI does not correctly verify and publish events for JEE Component Classes which support injection
Database Access, Connection Management, Merant/DataDirect drivers PI45007 Allow the user to specify the TLS_CLIENT_CERTIFICATE_SECURITY option on the securityMechanism property on properties.db2.jcc
DynaCache PI45499 The webCacheMonitor feature does not work with JSP 2.3.
PI45536 The Liberty profile cache monitor does not work with application security enabled.
General PI33395 NullPointerException thrown by UDP channel when stopping server.
PI35277 Server not responding to Continue message as expected
PI36179 ReInvites are frequently canceled with NullPointerExceptions
PI42817 HTTP Channel prints FFDCs for MalformedMessageExceptions and IllegalStateExceptions while parsing request message
PI44958 Exceptions when requestTiming is re-enabled
PI46281 NullPointerException in batch JobOperatorImpl after dynamic server configuration change involving batch or its dependencies.,
PI46300 A call to the Batch REST interface to restart a job fails when the job was previously started via the JobOperator.,
PI46303 Issuing a STOP command to a Batch job does not result in the job being in the STOPPED state.,
PI46433 FFDC is produced for a NullPointerException in com.ibm.ws.tcpchannel.internal.SocketRWChannelSelector.updateSelector.
PI46543 Future.get hangs when attempted from taskSubmitted/taskStarting of tasks scheduled via a ManagedScheduledExecutorService.
PI46745 A retry with rollback performed before the first checkpoint is taken causes a NullPointerException to be thrown.
PI46747 Batch status of an instance is in STARTING when instance state is FAILED
Install V8 and above PI46415 Updating Liberty using Installation Manager on z/OS requires a large amount of disk space.
PI46420 Installing Liberty v8.5.5.6 with features or addons using Installation Manager in silent mode fails due to out of disk space
PI46422 Installation Manager unable to install assets from instance of the Liberty Asset Repository Service with no internet connection
PI46563 Update WebSphere Application Server Liberty profile V8.5.5.7 licenses
Java 2 Connectivity (J2C) PI37749 JDBC Wrapper implementation of ResultSet.isClosed returns false after DB2 JCC driver has closed the ResultSet
PI45839 Missing translatable message for error path where invalid valid is specified for a numeric connector property
Java Persistence API (JPA) PI45511 Expose the org.apache.openjpa.lib.rop package in the jpa-2.0 feature to enable the serialization/deserialization of ResultLists.
PI46623 When using the jpa-2.1 feature, an entity containing a lazy field may fail to deserialize
PI47287 Potential memory leak when both validation 1.1 and CDI 1.2 features are enabled.
JavaServer MyFaces (JSF) Apache MyFaces implementation PI38788 Hung thread caused by MyFaces
PI43692 A java.lang.ClassNotFoundException can occur when the session is invalidated and the jsf-2.2 feature is being used.
Liberty Administrative Center PI44185 Stopping Liberty profile 8.5.5.5 controller from the Admin Center causes error
Liberty Application Services PI43122 ValidationException occurs when using JAX-RS and more than one validation.xml
PI43130 Enable strict checking of a single validation.xml file per application classpath.
PI46803 Server with IIOP clients fills heap and throws OutOfMemoryError
Liberty Debug and Tracing PI44096 binarylog command causes java.lang.NullPointerException
PI46922 Request timing does not work with Java EE 7 features
Liberty Kernel PI28387 After a configuration update a web request may temporarily result in an error
PI41611 Collective controller returns garbled stdout of ServerCommands to JXM client
PI42400 OSGi applications that contain blueprint.xml in bundle fragments do not start after Liberty update to 8.5.5.5
PI43382 Product validation error using featureManager to install an add-on, such as extendedPackage-1.0 or javaee-7.0
PI45743 ServiceException when stopping the server immediately after a configuration update
PI45777 The configuration schema does not include a default value for the 'optional' attribute on the 'include' element.
PI45942 Creating a new server can result in a server.env file being generated in the wrong place
PI46475 IIOP/CSIv2 may fail to start correctly due to missing UserRegistry
PI46612 Server dump command fails when a Java dump file cannot be found.
PI47138 Default welcome page uses 'Beta' description for supported server
Liberty System Management PI46936 FileTransferMBean.deleteFile(String) may not be able to delete an empty directory on IBM i operating systems
PI47155 File transfer could sometimes fail due to controller deleting the file before the transfer is complete
PI47206 JSONConverter incorrectly de-serializes MBeanServerNotificationFilter
PI47351 If the appSecurity feature is installed no application starts unless SSL and a UserRegistry are configured correctly.
Liberty z/OS PI38734 Add mapped SAF identity to the SMF 120 subtype 11 records
PI38852 z/OS connect in Liberty is not recognizing the mapped RACF userid is a member of a group
PI45470 Abend S478 RC=4 when trying to stop the server
PI45472 ABEND0C4 when running batchManagerZos from a dataset
PI45842 Abend S478 RC=4 when trying to stop the server SP231
Security PI37396 Potential spoofing vulnerability in WebSphere Application Server CVE-2015-4938
PI43224 The authData configuration element needs enhancing to include alias and database in its description.
PI43359 Javadoc relating to isServerSecurityEnabled needs to be updated to apply to its function in Liberty profile
PI43583 Logout fails due to ConcurrentModificationException in high-stress, multi-threaded environment.
PI43768 Remove SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA from the strong cipher list.
PI46545 Add exception to security error message CWWKS1102E.
PI46748 Enabling security through adminSecurity-1.0 may cause servlets to not configure completely
Systems Management Functions PI41230 Liberty 'collectiveController replicaPort' limits size of port number
PI42819 Collective join or replicate with --useHostCredentials option completes even if host credentials are missing.
PI43401 Incorrect error message when host authentication credentials cannot be retrieved by collective controller.
PI45838 A scaling member logs an FFDC with IllegalArgumentException during server shutdown
PI46378 Collective and cluster member started/stopped state not promptly updated.
PI47142 Improve collectives replica reconfiguration performance by improving internal storage structure in Frappe.
Virtual Member Manager (VMM) PI45051 LDAP: Error code 53 - R000128 Filter is not supported
PI46454 UserRegistry getUsers method does not use LDAP userFilter configuration specified in the server configuration
PI46472 LdapRegistry does not work when the search results cache is defined as <searchResultsCache enabled="true" />
PI53797 Ignore case configuration is not honored in LDAP repository configuration
PI54153 Login fails when ibm-entryuuid attribute value is null for a user
Web Container PI38116 Provide option to not flush internal response objects in FileServletWrapper.
PI41941 Improve error messages SRVE9002E and SRVE8011E
PI42281 Suppress SRVE0255E error message in systemout trace
PI44057 There is an increased performance overhead for users of the SSL feature in Liberty profile
PI44214 getParameter() does not work after getReader()
PI47153 Liberty profile performance issue when using @postContruct and @preDestory annotations in servlets
Web Services (JAX-WS, JAX-RS) PI38723 NullPointerException generated by Apache wink library when processing HEAD requests
PI40556 WebServiceContext is lost, resulting in a NullPointerException
PI42710 javax.xml.bind.UnmarshalException: unexpected element can occur on first request
PI46436 Wrong media type for the response when using JAXRS-2.0
Web Services Security PI44461 Must not call getClob for PostgreSQL
Fix release date: 26 June 2015
Last modified: 22 June 2015
Status: Superseded

Download Fix pack 8.5.5.6
 
Component
APAR
Description
Contexts and Dependency Injection (CDI) PI29421 CDI getInjectableReference() is not working as expected
PI36177 PostConstruct method is not called if there is a second method of the same name
PI40778 Nulls are being injected in place of EJBs that depend upon an @resource
PI41728 An inherited qualifier with a value is overridden but the more distant value's ancestor is applied to a bean.
Database Access, Connection Management, Merant/DataDirect drivers PI38333 Cleanup fails with an SQLException for unsupported operations
PI38941 IllegalArgumentException when attempting to configure DB2 data source property keepAliveTimeOut
DynaCache PI36904 Cache provider name description is incorrect and unclear.
EJB Container PI39344 EJB application update time greater than two minutes when server is under load
General PI31734 HTTP response might have multiple Set-Cookie: JSESSIONID headers
PI32026 The message: "BBOA8090E An error occurred during TRUE enablement with reason code 63" is not clear for client self-assist
PI33453 Chunked request might fail to receive all responses caused by delayed last CRLF.
PI36010 Channel framework NCSA access log service time
PI40058 Allow for pre-CDI injections to work for websocket Server Endpoints when CDI is disabled.
PI41780 The server does not shutdown with an active websocket session in use
IBM i PI35258 server start fails with "Command /QOpenSys/QIBM/ProdData/JavaVM/jdk70/32bit/bin/java not found"
Install V8 and above PI40035 Update licenses for IBM WebSphere Application Server v8.5.5.6
Intelligent Management Component PI34716 Web server server-status page shows STARTED applications under STOPPED servers for Liberty collectives
PI37873 Potential server hangs are possible during server stop when using the scalingMember feature
PI39714 Dynamic routing in Liberty does not work if applications have an empty url-pattern for a servlet-mapping in web.xml
Java 2 Connectivity (J2C) PI39295 IllegalStateException: context is null prevents resource adapter from being stopped
PI40410 WorkContextLifecycleListener not notified of contextSetupCompleted
JavaServer MyFaces (JSF) Apache MyFaces implementation PI38066 Request to Prefix mapping of Faces servlet may return a 500 Error.
PI38898 The jsf-2.0 feature might fail to start with java2security enabled
PI38977 The el-3.0 and jsp-2.3 features should require a minimum of Java SE 1.7.
JavaServer Pages (JSP) PI31922 New JSF applications may fail after deployment if another JSF application is deployed in the server using its own EL parser
PI33328 javax.faces.application.FacesMessage is not serializable
PI37304 Incorrect JSP translation for the expression
PI37485 Comparison between encodings should be case-insensitive JSPG0088E
Liberty Administrative Center PI39293 AdminCenter line graphs plots can get out of sync with the summary field values.
PI39713 Alert panel in Admin Centre's dashboard may not display all alerts.
PI39717 Invisible close button on background task details dialog
PI39718 Misaligned background steps description.
PI39719 AdminCenter graphs do not display when using a browser with a Russian Locale.
PI39991 If the AdminCenter Graphs slow down because of system load, the X axis labels of some graphs can become unreadable.
PI40192 Bidirectional Preference toggle button on Mozilla Firefox browsers does not render correctly
PI40419 If edit button is clicked before tools are fully loaded in user's tool box, then there is no remove icon on newly loaded tools.
PI40633 A 400 error code displays in the console when loading Admin Center
Liberty Application Services PI29785 FFDCs with IllegalStateException: Cannot stop from state UNINSTALLED created when Liberty profile server is shut down
PI34959 Artifact SPI in Liberty profile missing classes StructureHelper and ArtifactContainerFactoryContributor
PI38923 Exception logged during server shutdown
PI39795 JNDI Contexts in the java: * namespaces are not serializable
Liberty Debug and Tracing PI38281 During High Performance Extensible Logging mode TruncatableThrowable exception is logged as wrapped exception
Liberty Kernel PI34141 An IllegalStateException may be generated by the com.ibm.ws.classloading bundle on shutdown when unregistering a service.
PI34161 Liberty profile %D NCSA access logging directive does not record the correct elapsed time for a request
PI34201 REST connector can potentially use an invalid endpoint
PI35483 400 bad request error from channel component while parsing headers with trailing white space
PI36907 Nested elements are not merged if cardinality is 1 or -1
PI36912 Updates to nested elements provided by a user extension may not result in a configuration update
PI36944 Nested configuration with unresolved references can have incorrect values
PI36999 An error parsing a file in configDropins prevents other files in configDropins from being loaded
PI37977 Contextual proxy is not usable until the context service that created it is looked up or injected into an application.
PI37978 Direct lookup of ManagedScheduledExecutorService sometimes returns wrong type.
PI37983 Schema and feature list contain English when locale is set to pt_BR and zh_TW
PI39099 Liberty OSGi SPI JARs do not compile with Java 7
PI39798 Liberty executor can hang when work is submitted outbound over HTTP and back into the same server.
PI40224 Java 8 VM no longer supports MaxPermSize
PI40775 Symbolic links to server directories from Liberty usr/servers directory do not work as expected
PI40819 File permissions too restrictive when WLP_SKIP_UMASK=true specified for Liberty profile server
PI40996 IllegalArgumentException thrown when bootstrap property key is a zero-length string.
PI41012 NullPointerException when installing a corrupt jar file
PI41671 Files with extensions other than XML are read from configDropins
PI42525 Specific application elements may not be removed correctly
Liberty System Management PI37984 Collective deployment fails when using root directories as write paths.
Liberty z/OS PI33798 WebSphere Application Server for z/OS can encounter CML lock contention when under heavy load.
PI37650 UNPRINTABLE CHARACTERS IN SCRIPTS BBGJS2LS BBGLS2JS
PI38709 Server started on z/OS with a started procedure does not place logs into the location specified by WLP_OUTPUT_DIR.
PI38774 Using DFHJSON to format strings with numbers for the data, quotes(") were not placed around the data.
PI38851 Distributed ID not properly mapped when used with WOLA in Liberty
PI39623 Collectives are unable to start servers on z/OS that run as started tasks
PI41507 zosLocalAdapters (WOLA) requests run as the UNAUTHENTICATED user instead of the client user
Security PI28455 UnsupportedCryptoAlgorithmException is not included in com.ibm.websphere.appserver.spi.containerServices_1.0.0.jar
PI34405 Server SSL port is blocked indefinitely when client authentication is used and the truststore is empty.
PI35075 The certificateUtility createSSLCertificte tool does not give a useful message if the keystore already exists.
PI37897 SSL configuration attribute added to the metatype.
PI38712 Enforce the optional nonce parameter in the OIDC Authorization code flow(provider)
PI38713 Enforce the optional nonce parameter in the OIDC Authorization code flow(client)
PI38772 OpenID connect relying party fails when hostname contains "oidc"
PI39322 Fix poorly worded error message that appears when the a keystore fails to load.
PI39325 Allow larger ciphers, 256 bit ciphers, to be a part of the HIGH cipher list.
PI39647 Support JSON array as custom claim
PI41257 The securityUtility tool does not run if only the kernel feature is installed.
Systems Management Functions PI36632 A FFDC java.util.NoSuchElementException was reported on the collective controller by ServerCommandsMBeanImpl class
PI37256 Application ADDED notification being issued during Application removal.
PI38096 FFDC with java.lang.IllegalArgumentException is thrown when removing a member from collectives
PI40358 Concurrent cluster membership changes can result in a member being removed from a cluster.
PI40550 Collective remove command did not handle bad user name correctly
PI40561 Java home for the collective join command is not set correctly in a post join action operation with a server deployment.
PI41251 Removing a running member from the collective does not stop it publishing its state data to the collective repository.
Virtual Member Manager (VMM) PI38554 LDAP filter issues with VMM
PI40564 User filter expressions containing a '!' do not work as expected.
Web Container PI31292 getPathInfo returns a semi-colon for the ";xxxx" appended after the request URI
PI31447 The server adds a /(slash) to the response URI if the inbound request URI has a ;(semi-colon)
PI31622 Privilege escalation with serveservlets CVE-2015-1927
PI38357 Add more details to the WebAppHostNotFoundException
PI38383 Unhelpful message in console.log: Uncaught.init.exception.thrown.by.servlet
PI38782 Add property to initialize the class during Class.forName()
PI39941 Close does not wait for the timeout
PI40414 No access to all org.apache.japser.el classes
PI40416 Unsupported Operation Exception after programmattically added servlet context listener throws an exception
PI40418 WebContainer throws a java.lang.IllegalArgument exception when parsing parameters
PI41465 When HttpInputStream.isReady() is called after that same API has already returned false, an IllegalStateException can occur.
PI41894 A java.io.IOException is not propagated back to a dispatch caller.
PI42283 On an async request, fix the thread context state and transfer the security context between threads.
Web Services (JAX-WS, JAX-RS) PI38077 jax-ws-catalog.xml support for META-INF for WAR module
Web Services Security PI36866 Obtain sensitive information with Apache WSS4J CVE-2015-0226
WMQ messaging providers PI28223 NullPointerException in JNDINestedFrameworkSupport (JNDI lookup)
PI35539 Potential java.util.ConcurrentModificationException when starting OSGi applications within WebSphere Development Tools.

Back to top

Fix release date: 13 March 2015
Last modified: 11 March 2015
Status: Superseded

Download Fix pack 8.5.5.5
 
Component
APAR
Description
Contexts and Dependency Injection (CDI) PI15310 StackOverflow error or NullPointerException occurs under heavy load
PI27526 The @Produces annotation method on class results in a non-null injectionpoint instance on first invocation.
PI30964 EJBs conflicting with listener configuration and CDI events
Database Access, Connection Management, Merant/DataDirect drivers PI28913 DSRA0304E and DSRA0302E messages with cause and exception as null creates confusion.
PI34199 Connection cleanup fails when using an unsupported JDBC driver.
PI34376 Unable to specify empty port number for DataDirect Connect for JDBC and Microsoft SQL Server JDBC Driver
DynaCache PI28515 DynaCache CWWDY1064E or DYNA1064E is written for containsKeyDisk() operation
EJB Container PI27706 Intermittent FFDC of IllegalStateException when stopping a Liberty profile server with a message-driven bean application
PI27924 UserTransaction cannot be used from a CDI instance created within the context of an EJB
General PI17680 SipApplicationSession accumulate after BYE transaction if reINVITE transaction not responded to
PI21665 WebSphere can use the same from tag and via branch in two different requests even if call-ID is different.
PI23787 While using the B2bUAHelper the branch becomes longer when the UAS sends the re-Invite. This fix is to shorten the branch.
PI24850 Inbound 412 response not counted in PMI
PI26722 SIP container splits the reason header into two headers due to a comma inside a quoted string
PI27022 Print the levels of CICS modules to allow customer verification
IBM i PI26461 On Japanese IBM i partitions, when console.log exists, server start fails.
Install V8 and above PI31113 Installation Manager requires accepting license terms twice to install the Liberty offering with additional assets.
PI33671 Update legal license for IBM WebSphere Application Server V8.5.5.5
Intelligent Management Component PI32944 Dynamic Routing to some application instances might fail when the application is installed in multiple clusters.
PI33067 Liberty profile server may hang when using the scalingController feature
PI33071 Auto scaling not monitoring host-level cpu or memory usage
PI33123 Intelligent Management enabled WebSphere Plug-in does not route requests for Liberty servers with empty clone ID
PI33124 "dynamicRouting setup" creates JKS formatted keystore instead even when,-keystoreType=PKCS12 parameter is specified
PI33793 Scaling controller does not start a server to meet minimum instances when a host with capacity becomes available
Java Persistence API (JPA) PI16847 Schema setting in the ORM file does not propagate to the generated sequences
PI18178 NullPointerException in QueryKey.createKey using criteria with QueryCache enabled
PI19732 First JPQL with left join fetch for lazy loaded specified and data cache enabled. Subsequent does not get loaded.
PI20433 JPA pagination is not working
PI24575 Use of JoinColumn targets to another JoinColumn key exposed as an attribute causes a ConstraintViolation exception
PI26049 OpenJPA PersistenceException: LongId cannot be cast to <class name>
PI35626 ApacheValidationProvider class not found when using third party packages that utilize Bean Validation.
JavaServer Faces (JSF) SunRI implementation PI29457 The jsf-2.0 bundle is unnecessarily declaring the org.apache.commons.logging.impl package as API.
JavaServer MyFaces (JSF) Apache MyFaces implementation PI27290 Multi-window usage with server-side state saving throws a javax.faces.application.ViewExpiredException
PI30335 Dependency injection of a JSF ManagedProperty comes after a @PostConstruct on Liberty Profile
JavaServer Pages (JSP) PI24001 The JspWriterImp is not properly cleaning up resources in memory after a request completes.
PI29973 Log the value of the jdkSourceLevel attribute used by the JSP container
PI30519 Issue with duplicate JSP attributes
Liberty Administrative Center PI33313 Screen scrolls down to the bottom while typing in the input fields in deploy tool
PI34787 Wrong message when deploying server package file located on the collective controller in Admin Center
PI34806 Extra line shown in browser when going from the toolbox to any tool
PI34808 Can not display server's actual status, always displays a straight line on monitor panel on Microsoft Internet Explorer
Liberty Application Services PI26941 Installing and uninstalling an application many times causes OutOfMemory
PI27843 Deleting and re-adding the same zip application to the dropins folder can result in an IllegalStateException.
PI30922 The server does not automatically restart a running application after annotation-based metadata has changed
PI31351 The description of the autoStart attribute on the application config element is misleading.
PI33384 Value of context root configuration is silently ignored when not applicable
PI35537 Inability to resolve JSP modules due to incorrect internal feature dependencies for javax.jsp
Liberty Debug and Tracing PI35310 Timed Operations which are not available are displayed as null.
PI35314 isAnyTracingEnabled should evaluate object as a precondition then the primitive boolean type.
Liberty Kernel PI20344 Liberty embedded server writes .cache files to the incorrect location
PI28126 NullPointerException or IllegalArgumentException thrown during runtime class scanning or class weaving.
PI28337 FFDC error when updating configuration to remove a feature
PI28560 Add httpDispatcher property to control padding of a 404 message.
PI28985 WDT show "base instance from which to inherit context" under the main "Thread Context Propagation" section.
PI29210 ManagedServiceFactoryTracker/BundleContextImpl throw IllegalStateException when server is being stopped
PI31002 Error deleting configuration for context service
PI31143 The default executor of a WebSphere Application Server Liberty Profile server can deadlock in rare cases.
PI31247 Server takes 5% longer to start after moving the Liberty profile wlp install directory.
PI31531 Invoking the 'server' script from a shell with the CDPATH environment variable set may fail.
PI31565 If users use a script to run multiple install actions, they may not know which messages are for installing which feature.
PI32074 NullPointerException in thread pool code occurs during server shutdown
PI32690 Using symbolic links to applications outside of the WLP install directory could result in an IllegalStateException.
PI32778 Feature jca-1.6, jms-1.1, and mdb-3.1 cannot be installed from offline local directory
PI32942 Websocket client code can miss processing incoming data that is received immediately after HTTP upgrade response headers.
PI32943 Spurious FFDC reporting javax.management.InstanceNotFoundException
PI33015 Applications containing symbolic links do not always restart when the linked content is changed.
PI33376 Server shutdown hangs when using the sessionDatabase-1.0 feature
PI33526 collectiveMember-1.0 exposes third-party JAX-RS APIs
PI34128 When Liberty profile starts from a cached state the logs do not indicate the features that are installed.
PI34335 Incorrect lookup of provisioned public Liberty profile features
PI34797 A CWWKG0074E error message might be unnecessarily generated when certain server.xml elements are not properly configured.
PI34969 The SPI package com.ibm.wsspi.http references non-SPI types.
Liberty System Management PI32646 Structure of collective repository has changed in fix pack 8.5.5.4
PI34002 Unable to invoke file transfer operations on paths terminating with slashes on collective host
Liberty z/OS PI20582 Application attempt to do authorization with SAF fails w/error code of 03008XXX (if SyncToOSThread is enabled)
PI26263 The OLA load modules shipped by z/OS Connect Liberty Profile V8.5.5.2 are not compatible with same modules in WebSphere Application Server 8.5.5.2
PI26630 Liberty Profile on z/OS supports LDAP but does not propertly map LDAP identities to SAF-based Ids
PI26950 Message "IRR012I Verification Failed. User profile not found"
PI27338 Wildcards are not allowed in service URLs for z/OS Connect on z/OS Liberty
PI29459 Storage leak of ACEE objects in native storage when using zosSecurity-1.0 with certificate authentication
PI29823 Excessive contention of the MVS local lock is seen when using WOLA in WebSphere Application Server for z/OS Liberty Profile.
PI31147 Requests fail when Driving requests through z/OS Connect using data transformation.
Performance Monitoring Tools PI31214 ServletStatsMXBean is reporting errorneous data when thread terminates.
Security PI27787 Cannot encode password with leading/trailing spaces
PI27898 JaasLoginContextEntries with same name causes wrong behavior.
PI31523 NullPointerException when specifying both OAuth20Mediator and data source in oauthProvider
PI31809 CWWKE0701E when security ID value is null
PI33008 Privilege escalation with IBM WebSphere Application Server Liberty profile
PI33281 Making the information returned by the certificateUtility to include the SubjectDN the certificate was created with.
PI33357 Privilege escalation vulnerability with Run-as user for EJB
PI35581 Possible performance degradation when doing programmatic login.
Systems Management Functions PI30931 Avoid creating member node path when cluster name is empty or null.
PI30985 On z/OS environment, ServerCommandMBean failed to make remote connection as it used wrong encoding when is reading ssh key.
PI34003 Under some conditions, a request to the CollectiveRepositoryMBean exceeds a time out and results in a null pointer exception.
PI34011 After recovery from a failure Collective Repository Report: not ready
PI34012 Collective controller unable to establish a TCP connection with its replicas
PI34184 Adding or removing an application does not always reflect the correct final state of the application.
PI34417 Message CWWKX8000E can be erroneously logged when a collective member loses its connection to a collective controller
PI34486 Under extreme load, the controller cannot service all of the incoming http requests.
PI34573 java.io.IOException: The filename, directory name, or volume label syntax is incorrect
PI34796 Add National Language Support (NLS) for the default post transfer action.
PI34982 Provide backward compatibility for admin metadata publishing
PI35001 Repository monitor could not get service from repository member
PI35166 Prevent a multi-replica collective controller replica set from reaching an inconsistent state in the data under rare conditions.
PI36241 Server package deploying using host credentials failed with an ArrayIndexOutOfBoundsException
Virtual Member Manager (VMM) PI27333 Property case sensitivity is not handled properly in search expression.
Web Container PI15886 An invalid cookie name causes an IllegalArgumentException to be thrown.
PI23529 ServletConfig returns null on empty mappings list
PI26908 Error page handling is broken when the web application is CDI enabled.
PI28910 ServletRequest.isAsyncStarted() incorrectly returns false on a thread after AsynContext.dispatch() has been called.
PI29275 A java.lang.NullPointerException occurs when attempting to add a listener programatically that does not exist.
PI29820 Liberty profile SSL client certificate authentication does not work with IBM HTTP Server
PI31038 An IllegalStateException is thrown on calling setWriteListener when getOutputstream is called from the readListener.
PI31717 ServlerResponse.flushbuffer() does not work correctly.
PI34052 When running an upgraded request the application cannot run a JNDI lookup.
PI34145 Do not Invoke onAllDataRead() once onError() is called from ondataAvailable()
PI34857 Need Plugin log file location as part of server.xml pluginConfiguration stanza
Web Services (JAX-WS, JAX-RS) PI22432 java.lang.NullPointerException in JaxWsInjectionMetaDataListener interface
PI27318 Applications using Apache Wink on WebSphere Application Server Liberty generate spurious ICH408I messages noting insufficient authority for guest user ID
PI30173 JAXRS1.1 declares 2 APIs and 1 SPI, but the packages are not encountered at runtime.
PI31063 There are no jars for javax.wsdl.* packages under the dev folder, although they are declared as spec API in the jaxws-2.2.mf.
PI33107 Upgrade Apache http client to the latest version 4.3
PI33130 @HandlerChain annotation cannot work with @WebServiceClient annotation
PI33206 Liberty profile wsdlLocation attribute not working together with jax-ws-catalog.xml
Web Services Security PI32329 Access token not deleted in database when using custom mediator class
PI32912 ResourceOwnerValidationMediator.init() is never invoked
PI33202 Potential privilege escalation with OAUTH2
WMQ messaging providers PI19361 Application server failed to start because transaction recovery failed
PI29167 EBA start issue due to OSGi framework NullPointerException in Liberty Core
PI34587Back to top XmlPullParserException when Liberty profile is configured with a local bundle repository
Fix release date: 8 December 2014
Last modified: 4 December 2014
Status: Superseded

Download Fix pack 8.5.5.4
 
Component
APAR
Description
Contexts and Dependency Injection (CDI) PI18530 Interceptors are ignored on generic methods defined in an interface and then overriden in a subclassi
PI25563 CDI issue is observed when an application is deployed with ScheduledExecutorService scheduled tasks
PI26680 CDI application gets error: passivation capable beans must satisfy passivation capable dependencies
PI32674 On extremely rare occasions a concurrent modification exception may be thrown during resource injection.
DynaCache PI24250 Error appears in message log using WebSphere Development Tool (WDT) generated cachespec.xml.
PI28117 Message observed message.log DYNA0044E: XML parsing warning: cvc-elt.1 when using a WDT generated cachespec.xml
PI28487 Apichk errors in distributedMap-1.0 and webCache-1.0
PI28503 distributedMap does not inherit properties of baseCache
PI28507 ExternalCacheGroup does not work in distributedMap-1.0
PI31235 DynaCache does not delete OSGi configuration of application defined caches when the application server is stopped.
PI31236 Web caching does not support cachespec.xmls generated by WebSphere Developer Tools (WDT)
EJB Container PI23290 EJB sessionContext.getCallerPrincipal() call not working in asyncbeans
PI25789 Reference binding fails for a service that implements an interface but does register it
PI25888 EJB container error scenarios should be improved
PI26025 Reference and injection error scenarios should be improved
PI31041 Adding an activationSpec or admin object for a started MDB fails intermittently
PI31045 persistence.xml fails if property names contain leading or trailing whitespace
PI31046 Extended persistence contexts are not joined to container-managed transactions
IBM i PI26623 server start status message is missing process Id on the IBM i platform
Install V8 and above PI28168 Update license notices files for Liberty Profile
PI31174 Improved the warning messges for invalid features that fail to be installed using the featureManager command.
Java 2 Connectivity (J2C) PI28115 Resource adapter installation is aborted prematurely during shutdown, leading to other problems
PI31210 Applications can be started before connection factories and administered objects from standalone resource adapters are ready.
Java Persistence API (JPA) PI28881 Some l10n feature names are missing information
JavaServer Faces (JSF) SunRI implementation PI25638 JSF MyFaces WebSocket issue
JavaServer MyFaces (JSF) Apache MyFaces implementation PI27409 JSP and JSF TLD jar export-package and version Issues
PI32405 An UnsupportedOperationException is encountered when initializing an eager application-scoped JSF ManagedBean
JavaServer Pages (JSP) PI12666 Getting the IllegalStateException: component with duplicate ID message when using the shipped MyFaces 2.0
PI18404 The JSR 303 implementation of BeanValidation cannot be configured as expected.
PI18025 JSPG0046E: Unable to locate tagfile
PI25445 A performance degradation can occur under heavy load for applications using the EL
PM81849 Issue with JSP tag file compiled into invalid package/class name
Liberty Application Services PI20988 Problems when running the server package command
PI23168 java.lang.ClassNotFoundException in data sources after upgrading to Liberty Profile V8.5.5.2
PI24221 Application name or module filename containing the # character fail unexpectedly
PI24783 Setting classloader delegation mode to parentLast can result in JNDI lookup failures
PI25838 Application archive errors are unclear
PI26102 The javadoc for the com.ibm.wsspi.resource package is missing
PI26149 FileNotFoundExceptions when file paths include spaces.
PI27080 Message with prefix CWWKC0044W may be missing an insert.
PI27366 Need to throw NameNotFoundException for invalid names for parity with full profile
PI27414 Javadoc needs improvement
PI27693 Javadoc changes to make methods use correct list structure
PI28245 StateChangeException: CWWKS9110E when changing application deployment
Liberty Debug and Tracing PI20149 Access logging shows incorrect time taken to process the request
PI20363 Error message enabling trace specification in runtime even though the trace specification is valid.
PI21485 StackOverFlowError or Infinite loop using HPEL logging.
PI26064 Logging needs to be improved
PI26811 Logging of Throwable parameter for which getStackTrace() returns null fails
PI26813 When e.printStackTrace() is called, the output can be missing some lines of user code
PI27085 Expose logging SPI
PI27291 Binary log attribute cleanup
PI32852 HPEL API not visible from applications
Liberty Kernel PI22215 Liberty profile server uses excessive CPU when TCPIP is stopped
PI25220 Need improved messages for common parsing failures
PI25283 Potential hang in server stop
PI25294 Port listeners can be restarted twice when configuration is updated
PI25376 Versioning of repository content does not work so any breaking changes to the data breaks old clients
PI25530 Error message when you try to install a feature from the Liberty repository does not indicate the first failure
PI25861 Path arguments to the featureManager tool are always relative to install directory
PI25863 Errors in command-line utilities
PI25869 Incorrect processing of configuration elements in the server.xml configuration file
PI26034 Toleration for Java 7 and 8
PI26041 Kernel programming interfaces should be improved
PI26048 Kernel error scenarios should be improved
PI26065 The server command needs to be improved
PI26079 The handling of MIME types needs to be improved
PI26810 NullPointerException in HandlerHolder line 240 during server shutdown
PI27073 ProductUtility validate outputs errors multiple times
PI27210 Deployment of a large application with very detailed trace enabled may cause a tracing loop
PI27213 Running the ws-productutil.jar version command on z/os results in a missing property error.
PI27294 NullPointerException in ConfigSigner
PI27296 Minifying an empty server and installing an ESA feature causes a NullPointerException
PI27299 RuntimeException: Invalid call to WsByteBuffer method. Buffer has already been released.
PI27413 Liberty profile steals focus on Macs
PI27415 Unable to find out which configuration attributes can be overridden by variables
PI27418 Workarea paths too long
PI27431 Avoid extraneous warnings and errors during configuration processing
PI27558 Tolerate Equinox osgi.clean property
PI27697 Intermittent IllegalStateException in AtomicServiceReference
PI27702 IllegalStateException in FeatureManager
PI27737 Server dump does not include shared configuration files
PI28120 Private features are allowed to be included by features from different Liberty profile product extensions.
PI28124 Application reports java.io.IOException: Exception in opening zip file,
PI28125 OSGi application can fail to start with java.lang.Exception: ORPHANED,
PI28154 Insufficient error messaging for ServerLock waitForStart()
PI28265 Intermittent exceptions in org.apache.felix.scr.* classes
PI28380 Need improved error messages for file permission problems
PI28382 Liberty profile server incorrectly allows 2 data sources to be configured with the same JNDI name
PI28546 Suppress erroneous error messages during server shutdown
PI28547 NullPointerException in ThreadPoolController during server shutdown
PI28551 Default landing and some error pages provided by the server load slowly.
PI28776 Fix several kernel issues
PI28780 Incorrect class name in error reporting from DynamicVirtualHost
PI28880 NullPointerException during shutdown while updating features
PI28894 Liberty embedded server fails to notify the user if the server fails to start
PI29008 Feature display labels are translated into local language
PI30972 ClassNotFoundException: com.ibm.ws.kernel.productinfo.ProdctInfo when using featureManager
PI31047 The install directory cannot contain a plus sign
PI31059 The server start command sometimes uses jvm.options for non-server processes
PI31165 java.util.concurrent.RejectedExecutionException when default executor is dynamically updated
PI31266 CWWKE0701E java.lang.ExceptionInInitializerError thrown from [com.ibm.ws.http.internal.VirtualHostImpl((79)]
PI32649 Auto features that required an iFix were not previously installed by the featureManager install command but now are
Liberty System Management PI28128 Pax archives not supported in file transfer upload through a collective
Liberty z/OS PI19688 Outbound service from WSAS to CICS via WOLA hangs
PI23547 When REU=Y some requests to override a link succeed when all should fail
PI24444 WebSphere WOLA API calls failing with abend BBOX in CICS for CICS TS 5.2
PI24692 The WOLA three-part name allows mixed case while the CBIND class profile they must match requires upper-case
PI26809 java/lang/StackOverflowError with loop in ntv_mapDirectByteBuff
PI27687 java.lang.IllegalStateException: Native service for RRS transactional support is not active or available
PI28915 CWWKB0227E message should be more accurate
PI30941 An FFDC reporting a CTX4SWCH RC=368 is generated during server shutdown.
Messaging Providers PI28278 Enabling Messaging Security may cause com.ibm.websphere.sib.exception.SIResourceException: uniqueUserId is null
PI28473 Fix usability defects in JMS
Performance Monitoring Tools PI28558 Monitor attribute cleanup
PI28567 Application deployment occurs before all the system bundles are started while removing the monitor-1.0 feature
PI28572 When SUN Java is used for Liberty server, the processCPUUsage metric does not report the right CPU usage
PI32796 ClassNotFoundException occured while querying monitoring data with traditional PMI Mbean (Perf MBean)
Plug-in PI27023 Intelligent Management enabled WebSphere Plug-in stops routing after an application is removed and added.
Security PI08268 Information Disclosure in WebSphere Application Server
PI17688 WASReqURL cookie might be overwritten if multiple login processes are performed
PI17836 CWWKS4106E: LTPA configuration error when setting keysPassword in the server.xml,
PI25808 Principal names or unique IDs containing special characters are not handled properly
PI25813 Fix double-encoding of "state" parameter in OAuth flow
PI25819 Parameter order should not matter for securityUtility command line tool
PI25834 Exception could be thrown getting user registry during shutdown
PI25843 Cancel button on default OAuth/OpenID Connect consent form pages does not work
PI25853 Possible race condition could prevent access to keystore
PI26165 The periodic Authentication Cache cleanup stops under certain OSGi DS timing conditions
PI26166 Improvements to Javadoc accessibility for security SPIs and APIs
PI26513 Change to make sure the RC4 ciphers are not used by default.
PI26514 Improve the processing of multiple SSL configurations
PI26947 User registry updates: Add getUsersForGroup method, do not require a user registry with appSecuirty-2.0 feature
PI26962 NullPointerException from security collaborator
PI27195 Intermittent SSL problem where the keystore information seems to be missing.
PI27775 Remove unnecessary FFDC data while stopping the user registry
PI27778 Support Japanese CP1399 codepage on z/OS
PI28061 Add an option to track logged out LTPA tokens on a server so they cannot be used login on that server again
PI28127 A Trust Association Interceptor cannot commit an HTTP servlet response to send a redirection
PI28264 Expired tokens not cleaned from the token cache
PI28371 Fix issue with OAuth/OIDC consent no longer being cached
PI28395 User registry service is not ready for service and it causes creating the LTPA key to fail
PI28432 Fix NPE during authorization.
PI28600 Warning message CWWKS9112W may flood the logs when a security-role does not have valid run-as configuration
PI29911 Potential Information Disclosure with Liberty profile servlets
PI31385 Meta type is wrong for token limit per user and client
PI31388 The OIDC and OAuth response on HTTP needs to be URL Encoded
PI31396 An OAuth error message was hard-coded and did not exist in the message file
PI31415 No message indicating OAuth endpoint service has started/is ready
PI32465 Inconsistent behavior when OAuth20 configuration contains more than one identical filter.
Session Initiation Protocol (SIP) Container PI10457 Allow configuring response code when a non-confirmed session is invalidated
PI14132 SIP container does not handle error case where a UA uses the same to-tags in different responses.
PI17820 SIP custom property dip.no.route.error.code is ignored if the application is down
PI18729 SIP transaction is not being destroyed when application is un-deployed because of a timer
PI20221 SIP container removes data from reason header if it contains white space
PI20350 Unable to add Require: precondition to reliable 18x response
PI20505 Negative PMI counter
Systems Management Functions PI26676 Collective messages improvement
PI26678 Singleton service fixes
PI26826 Resolved multiple Frappe service registry and utility problems
PI26840 Resolve multiple collective repository test failures
PI26843 Resolve multiple collective member test failure problems
PI26848 Failed to remove cluster member
PI26855 Resolve multiple collective replica problems
PI26858 Security utility writes XML files using default charset without XML declaration
PI27277 Collective MBeans better report errors that occur when dependent services deactivate while in use.
PI27588 Remote file transfer via collective controller not working with backslash path on Microsoft Windows
PI28123 Extra information in log file
PI29528 Wrong cluster member is being removed during startup of a different cluster member within the collective.
PI31359 Resolved multiple Collective replication service issues
PI32466 Resolve multiple collective repository issues
PI32474 Resolve multiple collective singleton issues
PI32622 Failed to deploy zip to a remote host
Virtual Member Manager (VMM) PI25203 Propagation Login via external LtpaToken2 cookie does not create correct SecurityName when using Custom LdapRegistry
Web 2.0 and Mobile Toolkit PI24470 Update to IBM Dojo Toolkit (idt) version 1.10.0
Web Container PI08280 Tag file is not found in loose configuration deployment
PI20210 Request's parameters can be modified by the application (via string object modification).
PI20514 If servlet init() method throws an exception then the remaining servlets in the web module are not initialized during startup.
PI22830 404 not found error generated for a request without trailing slash
PI24225 The servlet name was not output in the SRVE8500W message.
PI25531 FFDC might be thrown by a filter when the server is shutting down
PI25625 com.ibm.ws.webcontainer.webapp.WebApp.handleRequest NullPointerException
PI26080 The configuration attributes for HTTP sessions should allow duration strings
PI26812 ServletContext.getServerInfo() does not return version
PI26852 Untranslated messages in the severe trace points
PI27348 An empty string "" as the URL pattern of a servlet causes an unwanted 302 redirection and an exception
PI27361 WebContainer Objects get nullified before final use, resulting in a NullPointerExceptions
PI27362 The expected java.lang.IllegalArgumentException is not thrown when <distributable> element is added to web.xml
PI27372 Call to getRequestDispatcher inside Filter init method causes an exception
PI27373 General changes and updates to com.ibm.ws.webcontainer-8.0's metatype-mbeans.properties
PI27556 Use of incorrect names in references in web.xml cause a NullPointerException
PI27557 NullPointerException when there is an active request and the server is shutting down
PI28404 Unable to generate a plugin-cfg.xml file when there is no http port declared in server.xml
PI28603 ServletRequest.getRequestedSessionId() returns null for a client created jsessionId.
PI31004 Cannot delete JSP using REST call
Web Services (JAX-WS, JAX-RS) PI22648 PreDestroy method is not being called when class is to be destroyed
PI26093 Info center documents use of LtpaAuthSecurityHandler, but we do not have this class available when using JAX-RS 1.1
PI26609 The com.ibm.websphere.appserver.thirdparty.jaxrs_1.03 bundle cannot be resolved when loading jars under dev folder
PI26611 If there are multiple path parameter in a resource method, there is only one path parameter generated in its corresponding wadl
PI27070 Support third-party JAX-RS providers when jaxrs-1.1 feature is configured
PI28137 Redundant error message might be displayed if user defines different URL mapping in web.xml for webservice endpoint.
Web Services Security PI26957 Cannot resolve com.ibm.websphere.appserver.thirdparty.wssecurity_1.0.1 bundle when using only wlp/dev directory.
PI26959 Cannot read local cache file used in web services security configuration
WMQ messaging providers PI12571 WorkCompletedException occurs when importing transaction via JCA
PI16613 NullPointerException in FFDC coming from RecoveryManager.preShutdown
PI19445 OSGi EBA applications intermittently fail to resolve
PI25862 The osgi.jpa-1.0 feature is inexplicably superseded
PI26314 Various small bug fixes related to OSGi Applications
PI28889 Transaction log is created in the wrong location
PI28983 XAFlowBackControl L3 diagnostic facility enabled in Liberty
PI33257 Revised com.ibm.wsspi.uow javadoc to document new override of runUnderUow method on UOWManager
Fix release date: 18 August 2014
Last modified: 12 August 2014
Status: Superseded

Download Fix pack 8.5.5.3
 
APAR Description
PI05046 No thread pool stats MBean available when checking the MBeans thru JConsole
PI05668 Bottom-up web services fails to generate the WSDL on the Mac using Java 1.7 hotspot 64-bit
PI06904 Issue with JSF and WSRP
PI07204 VerifyError JVMVRFY012 using OSGi applications
PI08569 404 happens intermittently in Portal/WCM
PI09148 Redeploying OSGi apps without restarting generates a ClassCastException
PI09474 Default webapp error page is not provided
PI09594 Potential Information Disclosure with Exception handling
PI09596 NoClassdefFoundErrors for a particular JSP servlet. Causes permanent failure of loads
PI09875 Not all JVM javax packages are available to applications
PI09896 SRVE0288E appears at server startup
PI09981 Explicitly configured RDN properties are not retrieved for users during login.
PI10102 Subsystem-content with type=file in product extensions does not resolve relative to product extension location using with minify
PI10300 Honor the searchTimeout property for login
PI10769 AJAX form update with PrimeFaces 4.0 not rendering correctly
PI10792 OpenJPA FetchJoin does not always get the correct result.
PI11018 FileTransferMBean.deleteFile(String) method cannot delete an empty directory as documented in the javadoc.
PI11348 CWWKS3002E message might be logged while switching user registry.
PI11393 UIComponent.findComponent ignores overridden method findComponent of a NamingContainer.
PI11569 NullPointerException from a JSF MyFaces implementation
PI11628 OptimisticLockException may occur when JPA application uses Timestamp in @Version field
PI11642 CWWJP9992E: openjpa.Enhance: Error
PI11738 Spring load time weaving does not work with Liberty profile.
PI11788 Blueprint bundles using JPA fail to start.
PI12201 Application is redirected to HTTPs port of the applicaton server instead of IHS server port when confidential is set
PI12245 Inserting facets causes IllegalStateException
PI12399 Liberty server productInfo validate script fails after interim fix is installed
PI12496 EmptyStackException when accessing an Instance that is created by a producer method that has an InjectionPoint as parameter.
PI12546 Setting com.ibm.ws.logging.console.log.level=off still results in one line of output
PI12549 When JAVA_HOME environment variable is set, Liberty Profile server does not start
PI12737 OpenJPA runs superfluous select statement when calling EntityManager.persist(..)
PI12939 JSP gets re-compiled redundantly if the owner of the JSP class is different than server ID that runs the server.
PI13004 Serviceability apar to enhance dynacache tracing.
PI13207 Transactional listeners added too late to observe begin event
PI13291 NullPointerException generated when trying to get a file with spaces using getResourceAsStream()
PI13560 Problems updating an application after a bad EBA has been installed
PI13592 Server start fails to create default server on IBM i
PI13616 OpenJPA-2286 ArgumentException: Attempt to compare incompatible types.
PI13641 The secure JFAP chain does not start on time
PI13914 java.sql.SQLException when performing a JPA query
PI14007 Persistence unit defaults are ignored when there is more than one "mapping-file" element in persistence.xml.
PI14034 Problem handling CDI interceptors
PI14205 Prevent NullPointerException during WebApp shutdown
PI14236 Deliver common install for Liberty profile repository features
PI14290 Remove temporarily deployed artifacts
PI14316 Liberty Profile restConnector does not release file handle after a file upload
PI14340 No option to set Secure attribute for WASPostParam cookie
PI14458 Quick restart of a Liberty Profile server results in port already in use error condition on Linux
PI14513 Parent naming-container not reflected in client-ID
PI14544 Blueprint application startup deadlocks when using a bean for a reference-listeners and the bean uses the reference
PI14746 Memory leak in J2C PoolManager due to reaper alarms not being cancelled.
PI14747 Parsing of ibm-web-ext.xml might fail using some XML parsers
PI14841 z/OSMF V2R1 generates spurious ICH408I messages on user login
PI15121 Liberty Profile is locking certain war files on Microsoft Windows preventing the undeploy process.
PI15289 Issue with validation of strings with escaped commas
PI15291 The package command fails with message CWWKE0070W indicating an invalid loose configuration file.
PI15496 A join operation halts when the resouces/collective directory exists, but is empty.
PI15513 No default charset is specified for a post transfer join action
PI15549 Invoking isClosed() on native JDBC connection results in NullPointerException
PI16286 Controller flight recorder missing from server dump
PI16375 UnrecoverableKeyException: Cannot recover key: Invalid password for file
PI16382 CertificateUtility tool does not provide a parameter for the user to set the key size
PI16432 REST connector error "Argument type mismatch" when using CompositeData with byte []
PI16626 Basic authentication requests fail in Liberty Profile
PI16652 Configuration support needed for z/OS Connect
PI16667 Resource adapter stops immediately after it is started.
PI16669 Liberty sets incorrect product registration values when running in CICS
PI16677 z/OS local adapter support is missing
PI16678 Abend 0C1 reported in Liberty Profile V8.5.5 when trace on and zosSecurity enabled.
PI16718 java.lang.StringIndexOutOfBoundsException occurs when starting OSGi application
PI16751 Help for "collective addReplica" does not explain "endpoint"
PI16845 Install time for resource adapter or start up time for application is not formatted correctly for some languages.
PI16961 Memory leak occurs for JAX-WS managed client if using ibm-ws-bnd to customize properties
PI16987 Memory leak when WAB bundles are stopped and restarted
PI17042 Unable to customize unique ID attributes for LDAP servers
PI17233 The output of the --createConfigFile option for the collective command should use a variable rather than an absolute path.
PI17246 The MBean information stored within the collective repository does not remove stale data across a restart.
PI17399 The initial state of a joined or replicated server is not set for a new server registered to the collective.
PI17457 Javacore file is packaged into the server dump in an incorrect encoding.
PI17600 Collective members are unregistered unexpectedly.
PI17624 The Apache foundation's CMS migration required modifying the xml schema namespace for OpenJPA extended ORM documents..
PI17634 Liberty server may hang when using the AdminCenter.
PI17830 Changing the configuration of shared libraries can result in NoClassDefFoundError or ClassNotFoundException
PI17879 Liberty generateClusterPluginConfig operation creates a plugin-cfg.xml file with extra entries that are not need
PI18177 Add additional check in session manager to remove incorrect cloneIds if HttpSessionCloneId property is set.
PI18279 z/OS local adapter support is missing
PI18352 VMM makes too many LDAP JNDI calls with ibm-allGroups configured.
PI18357 Add serviceability message to indicate missing login page or error page for form login
PI18437 Failure to switch RRS context onto thread
PI18467 binaryLog command missing expected results on filtering based on IncludeMessage filter.
PI18548 SSL context gets changed during execution of application, causing handshake issue between servers
PI19025 ClassNotFoundException in Liberty Profile when traditional PMI is enabled
PI19123 The output of ws-schemagen.jar is incorrect for some child elements.
PI19130 Server package command does not handle relative paths gracefully
PI19143 Plugin config generation fails when no applications are defined
PI19277 z/OS Connect service configured serviceGroupingName entry is missing from SMF 120 subtype 11 records.
PI19790 NullPointerException during a z/OS Connect's attempt to access HTTP request data after the asynchronous request timed out.
PI19830 Provide stack trace in FFDC when response already committed (SESN0066E) scenario occurs.
PI19831 Applications fail to start when running Liberty servers in embedded mode without the Java agent.
PI19843 getUserDisplayName is not returning the correct result per the configured attribute for user display name
PI19845 Stop time for server is not formatted correctly for some languages.
PI19901 On a restart the controller can end up in a bad state and not be able to start up.
PI20025 A server package deployed through admin center deploy uses the host's default name, and not the deploy target host name.
PI20027 No MBean exists to identify which Liberty server is being used.
PI20170 Improve error message for installing wrong edition feature
PI20176 Admin center explore visual representation improvements.
PI20910 java.lang.IllegalStateException: BundleContext is no longer valid when undeploying application
PI21284 Weaker than expected security when installing features with Liberty Repository
PM96440 Bad login performance for the user if its is member of more number of groups.
PM98767 When using Data-Direct Connect JDBC Driver for Oracle, the connection cleanup fails
PM98768 Using CustomDataStoreHelper, TestConnection operation on Network Deployment edition fails with exception
PM99129 Injection of datasource into CDI bean does not work correctly
PM99163 A tag file is not found when an application is deployed with the option "Run server with resources within the workspace"
PM99381 WSAT transaction failed when using JDBC and JPA together

Back to top

Fix release date: 28 April 2014
Last modified: 25 April 2014
Status: Superseded

Download Fix pack 8.5.5.2
 
APAR Description
PI11264 Files without group write permission when installing from a group mode installation manager on z/OS
PI05059 Fail to login to an application with SSLHandshakeException
PI05139 Support certificate authentication to fail over to a form base logon
PI05324 Potential Security vulnerability with JavaServer Faces (JSF) 2.0
PI05359 Tag attribute creates unnecessary string objects
PI05419 FeatureUpdate failure in zos Liberty profile
PI05509 Change description of maxConcurrency property to convey more details
PI05525 StringIndexOutOfBoundsException thrown when URI is not normailzed
PI05575 java.lang.NullPointerException may be thrown from the JAXB unmarshaller under load.
PI05661 Potential Cross-site scripting vulnerability on OAuth
PI05673 OpenJPA persistence.xml parameter roundTimeToMillisec causes cut-off of milliseconds in dates
PI05703 Race condition in Liberty profile server on z/OS
PI05749 Application resources are shut down before the application when shutting down a Liberty profile server
PI05837 @Inject into non-CDI managed instances can intermittently fail
PI05940 Liberty profile fails to package core dump on Linux
PI05956 Provide an option to disable running of 'ALTER SEQUENCE ... INCREMENT BY' statement for sequences
PI05977 EJB-in-WAR injection (JAX-RS) causes a ClassCastException
PI06080 CDI application fails to start with WebBeansConfigurationException when a decorator bean class
PI06211 Liberty Profile on IBM i does not properly load classes via a symbolic link
PI06340 An applied interim fix is not detected and is not available at runtime.
PI06613 A controller in a multiple-controller replica set fails to start. It never produces the 6011i message.
PI06687 The initial placeholder configuration is not canceled resulting in an unneeded file in the controller's fdb directory.
PI06699 The collective utility gives incorrect directions when a controller is replicated more than once to the same server.
PI07519 Criteria API creates INNER JOIN instead of the expected LEFT OUTER JOIN
PI07608 JSF MyFaces NavigationHandler throws a NullPointerException if current ViewId is null
PI07636 Error changing server application publishing option from loose to non-loose config when using Oracle JDK causes failure.
PI07726 Unclear error message when authentication data fails for JMS activation specification.
PI07811 Cannot use SSL termination
PI08109 When servlets are running premature deactivation of DataSourceService causes hangs and app restart
PI08267 Potential denial of service with XML parser
PI08333 The generated report message for timed operation need to be updated
PI08354 Timed operation junk collection
PI08401 Liberty Profile does not find the applications HandlerChain.xml file
PI08455 Running collective join in a non-English language the signer trust prompt does not accept the non-English confirmation options.
PI08462 Incorrect misleading error message output when installing Liberty Profile extensions archive on a incompatibly licensed Liberty install.
PI08476 Common install kernel for WebSphere Liberty profile repository
PI08496 Support for disabling the console bundle with Liberty profile on z/OS (Liberty/CICS)
PI08641 java.lang.ArrayIndexOutOfBoundsException when using restConnector.jar
PI08871 Support installing artifacts from WebSphere Liberty profile repository
PI08874 Conversion errors from JMX REST connector
PI09183 Allow container managed authentication for database session persistence
PI09206 Some ESAs have an empty line in the OSGI-INF/SUBSYSTEM.MF file which causes extended content installation to fail
PI09253 Third party security integration in Liberty profile server on z/OS
PI09492 500 error occurs if serializing a cache object to persist to disk fails.
PI09651 NullPointerException from LogViewer command
PI09696 Self-extracting jar created using 'server package --include=usr' fails with error Failed to find license agreement files
PI09715 Should be able to set up ISA DC wherever you want when installing Liberty core.
PI09925 Port conflict message is not generated on Liberty profile collective controller
PI09972 Cannot enable timedOperations report dynamically
PI10049 Base enablement for JCA support
PI10103 Support Certificate authentication to fail over to a Form Base Login
PI10134 Potential Information Disclosure
PI10294 JSP compile errors due to regular expressions
PI10340 Restore com.ibm.ws.session.service.SessionManager interface
PI10342 There are permission errors when accessing resources in the server's workarea directory using application syncToOSThread
PI10505 ClassNotFoundException when the ServleltStatsMxBean is accessed from the Liberty Profile JMX client
PI10925 Access logging does not appear to be dynamic
PI11516 Re-enabling the HttpEndpoint on Liberty profile server does not work
PI11949 WS-Adressing feature did not work correctly with JDK7
PI12051 Pooled threads have unexpected context class loaders
PI12116 Application reports java.io.IOException: Exception in opening zip file
PI12632 Allow defaultHttpEndpoint host to be overridden without configuration change.
PI12926 commons-upload.jar vulnerability
PI12983 Web request failure due to a NumberFormatException while decrypting an LTPA token.
PI12984 Collective member servers do not have read access to the collective repository outside of /sys.was.*
PI13273 Creating the collective configuration writes to WLP_OUTPUT_DIR but reads from WLP_USER_DIR
PI14355 Authentication errors when running under stress
PM43415 Registering tag library in JSPx with default XML namespace causes a NullPointerException
PM62691 Native Query with specified result class can throw NullPointerException when return data contains a null-valued column
PM81674 ELexpressions are not evaluated when preceded by two backslashes
PM86470 Timing window causing java.lang.IllegalStateException
PM87133 Performance Monitoring Infrastructure (PMI) ActiveCount may be inaccurate when a session is accessed by multiple threads.
PM87880 Slashes used in OpenJPA method EntityManager.createNativeQuery is removed in the resulting JDBC query
PM88291 Transactions rolled back silently when coordinated by the UOWManager
PM89272 Liberty Profile server opens extra listener on ephemeral port and localhost
PM89432 Isolation level is not working properly for JPQL queries with nested sub-queries. It is generating incorrect query.
PM90293 Session manager makes an unnecessary call to the database to retrieve session information when multi-row session persistence.
PM90626 function publishEvent is called with UIComponent.class instead of source.getClass according to spec Java doc
PM90664 NullPointerException when using AnnotatedType via ProcessAnnotatedType on @stateless EJB
PM91408 Result of aggregate function max is 0 on empty table (instead of null)
PM91573 CDI app fails to start with AmbiguousResolutionException due to how parameterized types are detected for injection
PM92677 The cookie does not get set in the browser
PM92967 Issues with download of files greater than 8gb.
PM92983 Custom feature is not loaded
PM93750 JPA finder cache does not account for dynamic FetchPlans
PM93829 Async servlet lost original identity after resume
PM94033 Incorrect locking behavior with JPA PESSIMISTIC_LOCK mode
PM94199 Servlet <error page> processing incorrect for <error-code> <exception-type>
PM94792 Exceptions are thrown if there is a new line after ${. The JSP does not load correctly.
PM95013 Creating OAuth 2 custom mediator sees NoClassDefFoundError
PM95057 GPF in Liberty Profile server in ntv_registerProduct
PM95097 Poor performance using WMQ JMS in Liberty Profile server only
PM95110 Liberty Profile throws IllegalStateException when browser closed connection.
PM95209 Configuration validation for the repository client heartbeat and timeout do not report when the configuration is out of bounds
PM95293 The url connection created when using the wsjar protocol does not properly implement the getContentLength() method.
PM95300 When servers leave or join a cluster group no notification is printed in the log file.
PM95424 Add secure flag to WASReqURL cookie for Liberty Profile
PM95534 When the aged timeout is set beyond integer range a negative value is returned
PM95662 The attribute 'ID' is not a recognized attribute for the element 'wasJmsEndpoint'
PM95964 CWWKB0105E error when loading z/OS native code in a Liberty profile server.
PM96057 No cache control headers were received from WebSphere Application Server OAuth.
PM96140 Configuration in web.xml to load JSP during application initiation is not working.
PM96163 JSPs with references to tag files fail with SRVE0777E
PM96235 Unhandled exception during the initialization of the ServletContainerInitializer
PM96357 OpenJPA: Version field returns NULL when explicity projected from a JOIN in select clause
PM96443 Liberty Profile server starts despite port conflict failure in http endpoint/channel.
PM96445 OpenJPA ExternalValue mapping works incorrectly with CriteriaAPI multiselects
PM96464 NullPointerException thrown when determining the active user registry from the user registry service
PM96532 Setting converterId breaks converter selection by type.
PM96613 JSF.js: Calling JSF.getViewState() with a direct reference to a element throws an exception
PM96659 Entity object instance generated by native SQL query may have null embeddable field
PM97023 Console output for server start command does not currently indicate server startup failures.
PM97079 Expose receive action permission for temporary destination queue
PM97228 An exception can occur when an LTPA token timeout occurs and the CDI WebBeansConfigurationListener accesses the session
PM97353 Compilation errors when a JSP contains an auto increment variable.
PM97510 Stackoverflow in OpenJPA due to endless recursive calls in 'isLoaded'
PM97514 Unable to associate different applications to differing HTTP endpoints
PM97549 Liberty Profile for z/OS registers with IFAUSAGE using the wrong product owner.
PM98149 Liberty Profile throws a NullPointerException from HttpDispatcherLink.sendResponse.
PM98238 Inconsistent resolution of the variables in f:ajax@listener MethodExpressions
PM98245 Liberty Profile web container does not destroy servlet when UnavailableException occurs
PM98301 z/OS Liberty Profile server does not unregister with IFAUSAGE at server shutdown
PM98409 NullPointerException occurred on Liberty Profile when performing programmatic isUserInRole check.
PM98421 CData section in web.xml causes Liberty profile RuntimeException
PM98653 Queries with a sort clause return fewer entries than the same query that does not have a sort clause.
PM98732 Web services caching does not work properly dynacache changes the configuration value of required in components
PM99374 JPA version field in a projection always returned as an integer
PM99378 Allow Liberty profile to return jar URLs rather than wsjar URLs from classloaders.
PM99775 Interim fixes do not apply new feature manifests
PM99783 Batch update fails due to java.sql.SQLException: Unsupported feature and -2 return code from Oracle JDBC driver

Fix release date: 11 November 2013
Last modified: 10 November 2013
Status: Superseded

Download Fix pack 8.5.5.1
APAR Description
PM86094 Liberty Profile fails to connect to LDAP when using SLDAP (SSL)
PM86131 Error message CWWKS2910E with internal error code 0x02008002 may occur in stress environment with SAF security enabled.
PM90352 SRVE0315E: An exception occurred: com.ibm.ws.webcontainer.webapp.web
PM98907 Remove unneeded data in database analyzer and logs

Back to top

Fix release date: 14 Jun 2013
Last modified: 13 Jun 2013
Status: Superseded

Download Refresh Pack 8.5.5
 
APAR Description
PM73545 Authorized handler for the HTTPs protocol not found.
PM77507 OSGi applications using JPA can fail to start and issue no error messages.
PM78466 Properties files in a directory in an ear file are not added to the classpath of a war inside the ear
PM78567 java.net.MalformedURLExceptions are thrown when attempting to access URLs when multiple non-OSGi applications are installed
PM79227 No property to disable the Liberty Profile Server welcome page
PM80457 Server.xml is not honoring attributes for logging tag
PM82758 Unable to retrieve list of users from LDAP registry when using getUsers()
PM82831 Java.lang.NoClassDefFoundError during startup of Liberty Profile, shared library not available.
PM83557 IllegalStateException while processing transactions.
PM83572 Type2 datasource transactional="false" fails
PM84523 CWWKC0060W for VT_CLASS_RESOURCE in WLP not documented
PM85517 Message CWWKC0044W does not contain information necessary to debug problem
PM85520 JSPs inside directories are not pre-compiled
PM85563 FFDC reports contains excessive redundant information
PM85564 EJB application exceptions not output to messages log
PM85565 Unable to resolve included nested configuration located outside wlp\usr directory
PM85566 IllegalStateException when removing transaction feature from the server configuration
PM85567 IllegalMonitorStateException observed in trace incident reports
PM85568 httpOnlyCookies configuration attribute not honored
PM85569 Minor updates to transaction functionality
PM85570 Configuration validation error when there is whitespace in empty elements
PM85571 Configuration changes can be lost
PM85574 JSP taglibs not available to the tools
PM85653 Some HTTP requests are not served correctly
PM85656 NoClassDefFoundError: com.ibm.ws.jsf.util.FacesMessages
PM85657 Unexpected java.lang.IllegalArgumentException FFDC
PM86037 SRVE8043E error when Liberty Profile is installed in path that has spaces
PM86263 A web application throwing a RuntimeException prevents the servlet from being loaded
PM86268 Application stop waits for 30 seconds when stopping server
PM86271 Tools add wrong jars to client classpath
PM86272 Extra information in trace.log
PM86273 Untranslated message in log CWRLS0010_PERFORM_LOCAL_RECOVERY
PM86275 Java.lang.ClassNotFoundException running SecurityUtility and ProductInfo commands
PM86277 Some extra annotated fields are appearing in ffdc reports
PM86278 File monitor returns duplicate entries for deleted directories
PM86279 JPALookupDelegateImpl deactivate is not the inverse of activate
PM86281 Error: Could not find or load main class when running isadc command
PM86285 When using simple TAI Liberty Profile returns a 401 error when expecting a 403 error
PM86287 System properties not applied over bootstrap properties
PM86288 BundleException is thrown when there is only the beanvalidation-1.0 feature enabled
PM86289 Throwing a RuntimeException from FileMonitor can stop all file monitoring
PM86290 Translation error in help in French securityUtility
PM86291 SecurityUtility fails with 0 exit value
PM86292 Can not override the default JSP expression factory implementation.
PM86293 Log message CWWKZ0019I incorrectly suggests the application is not completely started
PM86294 JSP includes <%@include file="xxx.jsp" %> reports no error if file not found
PM86299 Liberty Profile support for one way hash
PM86304 REST connector client has JSONConverter marshalling problem for empty HashMap
PM86305 Error CWWKZ0056E if there are spaces in the drop-ins location filename
PM86306 Incorrect class version loaded by OSGi
PM86307 productInfo compare does not take interim fixes on target into account
PM86308 Running with session in memory and using the HTTP plugin, sessions may be lost
PM86309 z/OS native launcher does not support PID_DIR and PID_FILE
PM86310 OSGi application performance issue
PM86311 State mismatch running Oauth with multiple iterations
PM86315 Need to support the png mime-type by default
PM86316 A dump or javadump action directed to a server with an empty --include= generates an incorrect error message.
PM86318 Organize session config options into groups for Eclipse tooling
PM86319 Server JMX connection fails if the network connection is changed while the server is started
PM86321 Kernel launcher issues
PM86322 A redirected HTTPs request with invalid port number receives a vague error message
PM86323 ApplicationMonitor config element not dynamic
PM86324 CWWKS2911E appears in logs 5 times for one error
PM86325 Service difficulties due to bundle ordering issues
PM86326 Excessive FFDC for BundleException
PM86328 Inaccurate timestamps
PM86329 NullPointerException in DropinMonitor.tidyUpMonitoredDirectory
PM86330 Unconditional xx:MaxPermSize warning when using server script
PM86332 Command "server start <server>" fails when umask is set to other than 000
PM86333 Server.env does not override system.env if it contains an uncommented string in first line (liberty.env)
PM86334 CWWKS security messages unclear
PM86336 Tools show "Classloader Service" for the config entry for classloader
PM86337 AuthCache sizes do not specify a valid range
PM86339 Server config reports a nested element is removed when present
PM86342 Default error page does not show HTML
PM86343 Trace specification not using current format
PM86345 NullPointerException in jpaemfactory.isOpen if EM factory not created
PM86346 Applications attempt to start twice using RAD "RunAs" for JEE ear
PM86348 The exception message was null when using unknown tags in server.xml
PM86349 Keystore problem does not give a clear exception message
PM86350 Improve message for missing data-source configuration
PM86353 ABEND0EC3 with reason code 20F00400 in Liberty Server
PM86629 Enable transaction logging to an rdbms
PM86635 Application does not appear to have started
PM86636 Server config application element type attribute picks up default from location attribute
PM86895 java.lang.NoClassDefFoundError for javax.ws.rs.core.Application
PM87131 Oauth could allow a remote attacker to obtain someone else's credentials
PM87412 ProductInfo compare command output can be confusing when checking APAR inclusions.
PM87511 NullPointerException when web.xml has a reference mismatch.
PM87603 ExecutorService does not handle incorrect configuration nicely.
PM87604 Missing JNDI feature diagnostic improvement
PM87718 Improve performance for session database multi-row
PM87719 Javax.faces.el.MethodNotFoundException: java.lang.NullPointerException
PM87724 Improve values in generated plugin-cfg.xml file
PM88023 Numerous FFDC files are being created for an exception.
PM88040 Improvements to stack trace and logging

Back to top

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m0z0000001ipVAAQ","label":"Download Documents (Bulletins, iFixes, Fixpacks)"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;CD0","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]

Document Information

Modified date:
17 July 2024

UID

swg27043863

Page Feedback