CVE-2022-37422: August Payara 5 Community Release Out Today!
Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.
Payara Community Version 5.2022.3 is out today, bringing concurrency enhancements previously seen in Enterprise and a key security fix, solving the recently discovered CVE-2022-37422. You must update your environments to the latest version to be safe.
Please note: This is not the final Payara 5 Community release, but that final release is coming up in September - so get prepared to move to Jakarta EE 10 or choose Enterprise.
Payara Community Version 5.2022.3 brings 10 bug fixes, 6 component updates, 7 improvements and 1 key security fix.
You can download Payara Community Version 5.2022.3 here.
You Must Update - CVE-2022-37422
A 0-day vulnerability was recently detected in all distributions of the Payara Platform. It affects web applications that are deployed in the default context root (/). We have prepared a fix.
All Payara users must update their environment as soon as possible to remain safe. The safe versions are:
- Payara Enterprise 5.42.0
- Payara Community 5.2022.3
- Payara Enterprise 4.1.2.191.36
Not out yet, but coming soon:
- Payara Community 6.2022.1.Alpha4
We would like to credit and give thanks to Marcin Dudek (@dudekmar) who originally reported the issue.
**Payara Community Receives Concurrency Enhancements**
Payara 5 Community users can now enjoy concurrency enhancements previously brought to Payara Enterprise.
Payara-resources.xml already allowed several different types of resources to be defined within it. Now, ManagedExecutorServices is one of them. This allows you to create concurrent ManagedExecutor resources automatically when the .ear or .jar that needs them is deployed.
You can also now use ForkJoinPool for Managed Executor Services.
However, please note that Payara 5 Community will soon be discontinued and the only safe way to use these enhancements will be with Payara 6 Community or Payara 5 Enterprise - find out more here.
**Enterprise Users: Payara 4.x Extended Maintenance**
Today also sees the release of Payara 4.1.2.191.36. This is the last release before it enters its Extended Support phase. You have been emailed about this, but monthly patches will stop being released for the current minor version, and we’ll stop implementing hotfixes and backport fixes for releases older than 4.1.2.191. Please upgrade your environments and contact our support team via the usual channels with any questions.
Webinar: Move Your GlassFish Upstream: What You Need to Know About Migration
If you are reading this, it is likely you are already using Payara Platform - but if you still have applications or projects in GlassFish, or know people who do, it’s time to make the change.
Previously scheduled for July, the webinar has now been rearranged for August 24, 3.00 PM BST. Make sure you re-sign up:
Release Notes
See a more detailed overview in the Release Notes:
- Payara Platform Community Edition 5.2022.3