The Liberty-for-Java buildpack v3.42 now includes Liberty Runtime 184.108.40.206.
This buildpack contains two production versions of Liberty, a default version that remains constant for approximately three months and the latest version, as an alternate. In this new buildpack, the default version is 220.127.116.11, and the alternate version is also 18.104.22.168. To use the alternate version of Liberty, follow these instructions.
An existing application will not be affected by the new buildpack until you redeploy or restage it. After redeployment, existing applications should continue to run "as is" without any additional changes. New applications will automatically use the new buildpack.
Verbose GC logging in the IBM JRE is now enabled by default. The logs are stored in
/home/vcap/logs. Verbose GC logging gives an insight into the actions that the Garbage Collector is taking. This allows an application to be monitored and better tuned for performance, in addition to being vital for diagnosing memory problems.
Some Liberty-for-Java applications experienced performance degradation starting with Liberty-for-Java buildpack v3.37. This coincided with an updated IBM JRE included in the buildpack that enabled TransparentHugePage (THP) by default. In some multi-tenant environments, enabling THP causes performance degradation. This buildpack mitigates this problem by disabling THP. Users of buildpacks prior to v3.42 can disable THP by setting JVM arg
-XX:-TransparentHugePage and restaging the application.
This buildpack contains fixes for the following security vulnerabilities:
- Multiple Vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud January 2020 CPU
- Vulnerability in Apache CXF affects Liberty for Java for IBM Cloud(CVE-2019-12406)
- Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2019-4720)