Fix list for IBM WebSphere Application Server Liberty

Product Readmes

Abstract

Fixes for WebSphere Application Server Liberty are delivered in fix packs periodically. This is a complete listing of all the fixes for Liberty with the latest fixes at the top.

New fix pack numbering is introduced. Fix pack 16.0.0.2 for WebSphere Application Server Liberty is the first of a series of common Liberty levels that apply to both Version 8.5 and Version 9.0 of WebSphere Application Server on all supported platforms.

Content

	Release Date	Total number of APARs	Total number of Security APARs	Total number of Open Liberty Release Fixes
22.0.0.6	7 June 2022	3	2	13
22.0.0.5	10 May 2022	4	0	14
22.0.0.4	12 April 2022	5	0	13
22.0.0.3	15 March 2022	4	2	20
22.0.0.2	15 February 2022	7	2	16
22.0.0.1	18 January 2022	6	2	18
21.0.0.12	3 December 2021	1	0	12
21.0.0.11	5 November 2021	2	0	17
21.0.0.10	8 October 2021	5	2	14
21.0.0.9	10 September 2021	3	0	11
21.0.0.8	13 August 2021	1	0	7
21.0.0.7	15 July 2021	4	1	14
21.0.0.6	18 June 2021	2	0	11
21.0.0.5	21 May 2021	4	0	19
21.0.0.4	23 April 2021	3	2	12
21.0.0.3	26 March 2021	2	0	18
21.0.0.2	26 February 2021	3	0	12
21.0.0.1	29 January 2021	2	0	24
20.0.0.12	27 November 2020	6	0	16
20.0.0.11	30 October 2020	2	1	12
20.0.0.10	2 October 2020	6	1	11
20.0.0.9	4 September 2020	4	0	10
20.0.0.8	7 August 2020	2	0	10
20.0.0.7	9 July 2020	2	0	14
20.0.0.6	12 June 2020	4	0	15
20.0.0.5	15 May 2020	3	2	14
20.0.0.4	17 April 2020	6	1	19
20.0.0.3	20 March 2020	6	1	18
20.0.0.2	21 February 2020	11	2	29
20.0.0.1	24 January 2020	2	1	23
19.0.0.12	13 December 2019	1	1	13
19.0.0.11	15 November 2019	8	2	19
19.0.0.10	18 October 2019	8	2	18
19.0.0.9	20 September 2019	6	1	9
19.0.0.8	23 August 2019	6	0	19
19.0.0.7	25 July 2019	4	1	14
19.0.0.6	28 June 2019	5	0	8
19.0.0.5	31 May 2019	3	0	8
19.0.0.4	3 May 2019	4	1	15
19.0.0.3	5 April 2019	10	1	25
19.0.0.2	8 March 2019	9	0	18
19.0.0.1	8 February 2019	11	1	24
18.0.0.4	14 December 2018	29	3	50
18.0.0.3	21 September 2018	31	5	38
18.0.0.2	29 June 2018	45	1	29
18.0.0.1	16 March 2018	32	3	84
17.0.0.4	21 December 2017	54	2
17.0.0.3	17 October 2017	109	3
17.0.0.2	13 June 2017	115	1
17.0.0.1	14 March 2017	90	0
16.0.0.4	13 December 2016	103	1
16.0.0.3	16 September 2016	107	7
16.0.0.2	24 June 2016	121	5
Fix pack 8.5.5.9	18 March 2016	141	2
Fix pack 8.5.5.8	11 December 2015	78	2
Fix pack 8.5.5.7	11 September 2015
Fix pack 8.5.5.6	26 June 2015
Fix pack 8.5.5.5	13 March 2015
Fix pack 8.5.5.4	8 December 2014
Fix pack 8.5.5.3	18 August 2014
Fix pack 8.5.5.2	28 April 2014
Fix pack 8.5.5.1	11 November 2013
Refresh pack 8.5.5	14 June 2013

Fix pack 22.0.0.6

Fix release date: 7 June 2022
Last modified: 7 June 2022
Status: Recommended

Download Fix pack 22.0.0.6

Component	Security APAR	APAR	Description
Intelligent Management Component		PH43910	Liberty routing rules do not always respect a webserver assignment using the '*' wildcard
Liberty Administrative Center	✓	PH45086	IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393 CVSS 3.1)
Security	✓	PH46072	IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475 CVSS 5.0)

Open Liberty Release fixes

Issue/PR	Description
14425	EclipseLink: Deliver Bug #567087
18844	The com.ibm.websphere.logging.WsLevel class is not visible as an API
20082	CWWKE0702E: Could not resolve module: com.ibm.ws.ejbcontainer.remote [852] Bundle was not resolved because of a uses constraint violation.
20908	Default session meta cache name failed with RH DataGrid
20981	ArrayOutOfBounds exception on z/OS with either full or JMX audit events enabled on shutdown
21004	featureUtility viewSettings doesn't show repository settings
21043	Bump netty dependencies to 4.1.77.Final
21050	Liberty OIDC error is being returned with incorrect characters
21060	Correct Service Release and Fixpack processing in JavaInfo
21079	Refresh token is not cleaned up when a JWT access_token had been issued
21097	Custom claims not passed to the back end
21108	Admin center enhancement
21139	PH46072: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475 CVSS 5.0)

Fix pack 22.0.0.5

Fix release date: 10 May 2022
Last modified: 10 May 2022
Status: Recommended

Download Fix pack 22.0.0.5

Component	APAR	Description
General	PH42822	WebSphere Liberty z/OS 20.0.0.9 java.lang.NullPointerException at com.ibm.ws.jaxrs.JAXRSRuntimeDelegate$ClassloaderReference
Liberty z/OS	PH45221	NPE in com.ibm.ws.zos.wlm.internal.UnauthorizedWLMNativeServices.CreateJoinWorkUnit()
	PH45329	Liberty server fails to start with JVM gpf after a racroute request=auth call
	PH45749	z/OS Product registration message CWWKB0108I does not contain full version

Open Liberty Release fixes

Issue/PR	Description
20283	Fix duplicate error messages in RESTful WS (JAXRS)
20306	Bump netty dependencies to 4.1.75.Final
20476	NPE when outputting SimpleTimer close to the end of a full minute.
20509	JSP included jar dependency check incorrect
20522	Update ExpressionLanguage 4.0 API/Impl to 10.0.18
20627	schemaGen improve command line options parsing
20669	Extra text found in description of connectionManager purgePolicy
20676	WEBCONTAINER THREADS HUNG WHILE CLOSING WEBSOCKETS
20693	springboot application packaged with OL 22.0.0.3 failed to run
20730	Deadlock in memory session and logging handler
20762	Port MYFACES-4431 to JSF (Custom Navigation Handler Thows NPE during Flow Handling)
20782	FeatureUtility isf does not resolve already installed user feature
20818	JaxRS-Client fails performing PATCH-requests with Java17
20858	localConnector problems with some combinations of jdk.attach.allowAttachSelf and com.ibm.tools.attach.enable

Fix pack 22.0.0.4

Fix release date: 12 April 2022
Last modified: 12 April 2022
Status: Superseded

Download Fix pack 22.0.0.4

Component	APAR	Description
Contexts and Dependency Injection (CDI)	PH44666	OpenAPI UI is missing CSS
General	PH45006	During server shutdown OSGi applications may log null pointer exceptions (FFDCs)
JavaServer Pages (JSP)	PH44627	Null Pointer Exception in JSP after 21.0.0.7 when skipMetaInfResourcesProcessing=true
Liberty Archive Install	PH44289	Install of z/OS Liberty interim fix fails with CRIMA1076E
Liberty Kernel	PH45316	Liberty packaging fixes - Ensure the proper set of features are packaged when several valid versions exist

Open Liberty Release fixes

Issue/PR	Description
18177	Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP
19627	MP JWT 1.2 fails to load all relevant MP Config properties
19767	Bump gRPC dependencies to 1.43.2
19937	context-root for web-ext is no longer honored with WLP 22.0.0.1
20082	CWWKE0702E: Could not resolve module: com.ibm.ws.ejbcontainer.remote [852] Bundle was not resolved because of a uses constraint violation
20247	webContainer property skipMetaInfResourcesProcessing=true can cause NullPointerException in JSP taglib
20293	Add security headers to OpenAPI UI
20298	Avoid ConcurrentModificationException during dynamic configuration updates for federatedRepository and user repositories
20303	NPE during handshake when CLIENT_AUTH or SERVER_AUTH is missing in the certificate extension
20310	OpenAPI UI is broken (missing CSS)
20353	NullPointerException in EJBWARRuntimeImpl when dynamically updating server configuration
20403	LibertyRestClientBuilderImpl nonProxyHosts PatternSyntaxException
20441	Timing window where cancellation of scheduled task is ignored

Fix pack 22.0.0.3

Fix release date: 15 March 2022
Last modified: 15 March 2022
Status: Superseded

Download Fix pack 22.0.0.3

Component	Security APAR	APAR	Description
JavaServer MyFaces (JSF) Apache MyFaces implementation		PH43113	ClassNotFoundException for SecureSerializedViewCollection during Session Persistence
Liberty Administrative Center	✓	PH43817	IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
Liberty Kernel		PH44064	Liberty server command not working on IBM i platform after installing fix pack 22.0.0.2
Liberty System Management	✓	PH43223	IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038 CVSS 4.4)

Open Liberty Release fixes

Issue/PR	Description
12050	@RolesAllowed rejects unauthenticated users when they mapped to an allowed (EVERYONE) role
19316	Duplicate message key in com.ibm.ws.ui.tool.explore
19519	LibertySSLSocketFactory cannot be loaded inside a custom feature
19613	Bump netty dependencies to 4.1.72.Final
19659	Update ExpressionLanguage 4.0 API/Impl to 10.0.14
19673	JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer"
19780	Adding Monitor Filter increases Startup Time.
19937	Context-root for web-ext is no longer honored with WLP 22.0.0.1
19960	OpenID Connect: Double URL Encoded State Parameter in Redirect location
19981	ConcurrentModificationException in com.ibm.ws.security.openidconnect.clients.common.JtiNonceCache
19991	featureUtility does not pass all features from server.xml to repository resolver
19999	[JPA 2.2] EclipseLink: Deliver Bug #578262
20003	Update Webcontainer ServletVersion Handling to Avoid SRVE8501E errors
20020	AccessControlException thrown from Yoko calls to Class::getClassLoader
20063	server commands not working on IBM i after checkpoint changes
20064	Fix server command on IBM i
20070	503 response returned when request contained a 100-continue header
20165	jsonpContainer-2.0 and jsonbContainer-2.0 features incorrectly use default providers.
20206	Servers stop can fail in products that embed Liberty
20277	False artifact io.openliberty.jaxrs30 in mvn repository

Fix pack 22.0.0.2

Fix release date: 15 February 2022
Last modified: 15 February 2022
Status: Superseded

Download Fix pack 22.0.0.2

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)	✓	PH44762	IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031 CVSS 5.4, CVE-2021-46708 CVSS 4.3)
General		PH41660	After 21.0.0.9 upgrade "DefaultHostname" definition in bootstrap.properties does not overwrite Liberty default
		PH43194	Add support for CICS 5.6 to WOLA
		PH43281	API Discovery UI will not load
		PH43530	NullPointerException in JSP after 21.0.0.7
Intelligent Management Component		PH41615	Intelligent management WebServer plug-in is sometimes unable to route one HTTP session requests to the same member server
Virtual Member Manager (VMM)	✓	PH42489	IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031 CVSS 7.5)

Open Liberty Release fixes

Issue/PR	Description
18299	NullPointerException if used with mpMetrics 3.0
18941	NullpointerException in JSP after upgrade
19177	[JPA 2.2] EclipseLink: Deliver Bug #412391
19545	OpenIdConnectClient cookies not getting deleted after logout
19608	Oracle database helper logging `DSRA8207I` too frequently
19688	Empty com.ibm.ws.logging.hideMessage hides all messages and does not create messages.log
19702	Support for outbound channel selectors to start immediately
19707	Runnable jar hangs after Ctrl + C
19780	Adding Monitor Filter increases Startup Time
19781	Calling `UserRegistry.isValidGroup` or `UserRegistry.isValidUser` when using `federatedRegistry-1.0` can return `true` when `false` should be returned
19785	Federated SAF registries can incorrectly claim a SAF user or group is not in the realm when calling `UserRegistry.isValidGroup`
19826	MP Fault Tolerance annotations at the class level of a Rest Client interface are ignored
19831	The output of ./wlp/bin/productInfo featureInfo missing new lines
19841	defautHostName does not get picked up from bootstrap.properties for cfw
19860	Updating MicroProfile versions on server.xml causes issues with install manager
19897	"ERROR: Input redirection is not supported, exiting the process immediately" reported with Open Liberty as a service on Windows

Fix pack 22.0.0.1

Fix release date: 18 January 2022
Last modified: 18 January 2022
Status: Superseded

Download Fix pack 22.0.0.1

Component	Security APAR	APAR	Description
General		PH42908	HTTP/2 streams still accepted after server shutdown despite OLGH19193
Liberty Archive Install		PH41986	Product validation fails by feature manager when PH39418 is installed
Runtime and Classloader		PH42759	Block class loads for vulnerable classes
Web Container		PH42435	SRVE0250I and SRVE0164E no longer emitted due to OLGH18992
Web Services (JAX-WS)	✓	PH42074	IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310 CVSS 4.8)
WebSphere MQ messaging providers	✓	PH42762	Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server Liberty (CVE-2021-4104 CVSS 8.1)

Open Liberty Release fixes

Issue/PR	Description
16320	OAuth provider Multiple Connections are disallowed in current pre-existing attachment environment error TS003794701
17562	Multiple duplicate element IDs cause excess memory allocations and looping.
18695	Avoid inferring caller in LogRecord.getSourceClassName and LogRecord.getSourceMethodName in Liberty HPEL
19334	Policy attachments file: policy-attachments-server.xml is not processed
19342	[JPA 2.1] EclipseLink: Deliver Bug #463042
19348	gRPC server property "httpEndpoints" is invalid
19366	JMX file transfer errors should not expose resolved file paths
19413	JAX-RS fails with 400 Bad Request when query string contains _type param
19433	JNDI lookup to CORBA URL can hang
19505	SRVE0250I and SRVE0164E messages not emitted unless trace is enabled
19514	Test Failure: AutonomicalPolling1ServerTest.testAddPersistentExecs gets intermittent NullPointerException when transaction timeout aborts the connection
19522	Unresolved gRPC bundles in feature
19547	New HTTP/2 streams still accepted while server is closing
19567	Memory Leak with mpJWT
19585	Classes are still indexed by mpOpenAPI when mp.openapi.scan.disable=true
19589	ArrayIndexOutOfBoundsException during startup with mpOpenApi
19630	Application class loader to ignore designated classes
19631	featureUtility installServerFeature fails when user feature is listed

Fix pack 21.0.0.12

Fix release date: 3 December 2021
Last modified: 3 December 2021
Status: Superseded

Download Fix pack 21.0.0.12

Component	Security APAR	APAR	Description
Liberty z/OS		PH41840	Cannot get a WOLA connection for a client after configuration update

Open Liberty Release fixes

Issue/PR	Description
17428	OpenAPI 2.0 includes non-public fields in the generated documentation
17599	wsoc connection causes quiesce error
18896	OSGiBeanValidationImpl DS component needs to wait for all config to load.
18992	Application fails to restart in server.xml update scenario
19051	Server script depends on the `which` command
19057	Port bind skipped at server startup
19087	Throughput performance degradation in eclipselink due to Thread.getStackTrace calls
19127	AccessControlException in WebAppSecurityCollaboratorImpl performDelegation(...)
19193	Stop allowing creation of H2 streams if server is closing
19197	ClassCastException in JSP relating to JDT internal classes
19227	Bug Fix: Ensure ServletRequestListener#requestDestroyed is always called
19233	Incorrect PostgreSQL session table query

Fix pack 21.0.0.11

Fix release date: 5 November 2021
Last modified: 5 November 2021
Status: Superseded

Download Fix pack 21.0.0.11

Component	Security APAR	APAR	Description
IBM i		PH39665	WebSphere Liberty server fails to start on IBM i running with Java 11
System Management Functions		PH40204	Deadlock found in SingletonServiceManagerImpl registerService

Open Liberty Release fixes

Issue/PR	Description
13990	SAML JSP gets unexpected 500 error due to ClassCastException
16598	ServletContainerInitializer is passed invalid @HandlesTypes classes
16811	Response output may not close at end of dispatch forward
17155	Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17972	`@Schema(multipleOf = )` can throw `NumberFormatException` in `mpOpenAPI-2.0` feature
18262	server startWinService & stopWinService commands give incorrect/misleading return codes
18411	Liberty message.log has repeating servlet lifecycle messages
18419	ExpressionFactory#getClassNameServices fails if META-INF/services/javax.el.ExpressionFactory contains comments
18492	gRPC service registration broken for EAR deployments
18663	NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
18674	HTTP/2 streams closed due to client window update delay
18751	Bump netty dependencies to 4.1.68.Final
18813	Test Failure: testJTATransactionUsedSeriallyWithOverlapAndCommitWithinLastStage NullPointerException
18836	NPE when creating an HttpAuthenticationMechanism with the default package
18866	Fix PasswordUtil.passwordEncode() with "hash" option
18925	Cloudant NLS messages are not used
18973	Investigate weld-osgi-bundle versions in feature files

Fix pack 21.0.0.10

Fix release date: 8 October 2021
Last modified: 8 October 2021
Status: Superseded

Download Fix pack 21.0.0.10

Component	Security APAR	APAR	Description
Liberty Kernel	✓	PH39418	Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517 CVSS 5.5, CVE-2021-36090 CVSS 7.5)
Liberty Kernel		PH40489	SPNEGO fails with 403 error on Java 11 at 21.0.0.9
Liberty System Management		PH39935	CWWKE0701E at Liberty startup reports a ConcurrentModificationException in the APIProviderAggregator class
Web Container		PH40879	Server start hangs caused by plugin-cfg.xml generation
Virtual Member Manager (VMM)	✓	PH38929	WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842 CVSS 3.7)

Open Liberty Release fixes

Issue/PR	Description
17155	Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17489	IllegalStateException is thrown when Liberty tries to update a readOnly subject
17950	Fix SRVE8501E Warning
18281	Possible Bug with deferServletRequestListenerDestroyOnError
18282	Bug: AdminCenter SRVE0190E: File not found: /images/tools/wasdev_142x142.png
18299	NullPointerException if used with mpMetrics 3.0
18348	ContainerRequestContext.getAcceptableLanguages() - fails with IllegalArgumentException when invalid locales are specified in the Accept-Language header.
18404	Create PluginGenerator Lock to Address FileNotFoundExceptions
18430	saml web sso sp initiated login flow resulting in buildup of WASSamlReq_xx cookies
18437	JSF throws ClassNotFoundException for o.a.m.el.convert.ValueExpressionToValueBinding
18475	Servlet ReadListener does not receive all HTTP request data
18503	RuntimeCodebase cannot be located on collocated call
18530	Startup hang caused by plugin-cfg generator changes
18552	JAX-RS 2.0 and 2.1 implementation is executing resource method when Content-Type or Accept header contains invalid values
18663	NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer

Fix pack 21.0.0.9

Fix release date: 10 September 2021
Last modified: 10 September 2021
Status: Superseded

Download Fix pack 21.0.0.9

Component	APAR	Description
JavaServer Faces (JSF) Apache MyFaces implementation	PH40182	JSF faces-config parser throws NPE when XML namespace missing
JavaServer Pages (JSP)	PH38133	Incorrect Expression Language (EL) Method Matching with Varargs
Liberty z/OS	PH39946	Liberty logging hideMessage= parameter should also stop messages being written to messageLogDD=MSGLOG

Open Liberty Release fixes

Issue/PR	Description
16700	Improve featureUtility performance with remote repository
17444	Pull in BZ 65358 -- Varargs Method Matching (EL Patch)
17591	IdentifyException accidentally externalized as unusable top level config element
17682	Exception stack trace is exposed in error returns from JMX REST apis
17912	Bump netty dependencies to 4.1.66.Final
18002	`@Schema(multipleOf = )` validation check is wrong in `mpOpenAPI-2.0` feature
18009	Wrong char count in ServletOutputStream with non-ASCII characters skips content
18091	Remove system from code
18155	JSF faces-config parser throws NPE when namespace missing
18213	IOException FFDC logged after HTTP/2 stream is closed by client
18237	Unexpectd FFDC from Jackson

Fix pack 21.0.0.8

Fix release date: 13 August 2021
Last modified: 13 August 2021
Status: Superseded

Download Fix pack 21.0.0.8

Component	Security APAR	APAR	Description
JavaServer Faces (JSF) Apache MyFaces implementation		PH38339	StringIndexOutOfBoundsException Occurs When Creating a Resource

Open Liberty Release fixes

Issue/PR	Description
16700	Improve featureUtility performance with remote repository
16994	Dynamic reconfig of discovery endpoint not updating endpoints in all cases
17313	ubuntu upgrade re-enabled openliberty@defaultServer
17678	Port MYFACES-4065/MYFACES-4187 to JSF 2.2
17757	Passivating remote EJB Stub fails when rmicCompatible=true
17799	gRPC monitoring requires the enablement of both grpc-1.0 and grpcClient-1.0
17828	Update JSP Logic to Avoid Race Condition Regarding trackDependencies
17904	grpcClient-1.0 dynamic enablement unexpected behavior

Fix pack 21.0.0.7

Fix release date: 15 July 2021
Last modified: 15 July 2021
Status: Superseded

Download Fix pack 21.0.0.7

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PH37788	Use first found ejbDescriptor for MD
General		PH35877	Session ActiveCount shows a negative value
	✓	PH34906	XML External Entity Injection (XXE) in WebSphere Application Server Java Batch (CVE-2021-20492 CVSS 6.5)
		PH38224	Invalid command line optional parameters with "featureUtility help installFeature"

Open Liberty Release fixes

Issue/PR	Description
14575	OAuth client registration: Client IDs with GB18030 characters do not work
15726	Re-introduce change reverted from 14248
16282	Nullpointer exception during authorization using OidcLogic
17235	FeatureUtility should return RC=20 when invalid action name is specified
17299	Allow multiple version of singleton feature with featureUtility installFeature command
17344	OIDC RP may fail to login if clientSecret is not configured TS005720300
17437	NPE in com.ibm.tx.jta.util.logging.TxTr.initTrace
17478	Invalid command line optional parameters are shown with "featureUtility help installFeature" and "featureUtility help installServerFeatures"
17482	Unexpected results with JSP trackDependencies in the extended document root
17489	IllegalStateException is thrown when Liberty tries to update a readOnly subject
17576	OIDC Update the description for disableIssChecking
17593	EJB Singleton Lifecycle Deadlock
17635	Bump gRPC dependencies to 1.38.1
17658	ConcurrencyPolicy loses queue slots when managed executor deactivates and erroneously cancels tasks of other executors
17666	JavaMail tries to use a resource file that only exists in the implementation

Fix pack 21.0.0.6

Fix release date: 18 June 2021
Last modified: 18 June 2021
Status: Superseded

Download Fix pack 21.0.0.6

Component	Security APAR	APAR	Description
JavaServer Pages (JSP)		PH36923	java.lang.NullPointerException caused by PH34711
Liberty Kernel		PH37460	Setting 'AutoExpand' to true causes the 'UseJandex' setting to be ignored

Open Liberty Release fixes

Issue/PR	Description
12778	mpJWT-1.1 configured by using jwksUri results in CWWKS5523E at the first jwt token presented to the server
15023	WASReqURLOidc cookie encodes the request url but does not decoded it upon successful redirection
16598	ServletContainerInitializer is passed invalid @HandlesTypes classes
16743	Pull in MyFaces 2.3.9
17040	Revision to httpOption maxKeepAliveRequest default value
17047	PluginGenerator FFDC: BundleContext is no longer valid
17117	Test Failure: Failover1ServerCoordinatedPollingTest.testMultipleInstancesCompeteToRunManyLateTasksPC
17177	Failed to locate data source, null Resourcefactory
17203	ORB.init() called simultaneously on two threads during server start
17268	APAR PH37460 useJandex is ignored when autoExpand is set
17294	java.io.IOException might be thrown during AsyncContext.complete()

Fix pack 21.0.0.5

Fix release date: 21 May 2021
Last modified: 21 May 2021
Status: Superseded

Download Fix pack 21.0.0.5

Component	APAR	Description
Liberty OSGi Applications	PH28781	CWWKZ0404E: An exception was generated when trying to resolve the contents of the application
Liberty z/OS	PH35442	Smf120 subtype 11 records sometimes missing values when a servlet request takes an error path
	PH35542	Abend 0C4 in ntv_registerserver reported on WebSphere Liberty z/OS 20.0.0.12 (wlp-1.0.47.cl201220201111-0736)
	PH36576	CWWKB0086E seen in angel in fix pack 21.0.0.3

Open Liberty Release fixes

Issue/PR	Description
13522	Publish the WebContainer property enableMultiReadOfPostData
14174	The WebContainer properties may not be updated accordingly.
14345	ServletContext getContextPath() does not end with forward slash.
15216	JDBC Kerberos problems on IBM JDK 8
16203	IllegalStateException when calling CDI bean with @Transactional(Transactional.TxType.NEVER) from websocketEndpoint
16307	Update Liberty to not block use of Oracle 21c JDBC driver with IBM Java 8 and Kerberos authentication.
16428	Remove Internal From setHtmlContentTypeOnError
16495	Rename plugin-cfg File Using Files#Move
16524	Fix issue with spanning an audit record across audit logs when signing and encrypting of audit logs is enabled
16539	SESSION ACTIVECOUNT SHOWS A NEGATIVE VALUE
16637	Authorization failure occurs when LDAP or basic user attempts login in SAF federated registry
16661	microprofile-config.properties is not loaded in OASFilter
16694	Avoid virtual host missing warning if server is in the process of shutting down
16764	Deploying two applications with mpOpenApi-2.0 enabled can cause IllegalStateException: SROAP00001: Model already initialized.
16772	[JPA 2.1] EclipseLink: Deliver Bug #573094
16774	PostgreSQL session table check missing qualifier name
16793	Include RelayState in the logout response to IdP initiated slo requests
16808	Issue16807 support new Java policy location per open JDK 9
16843	Cleanup request thread data

Fix pack 21.0.0.4

Fix release date: 23 April 2021
Last modified: 23 April 2021
Status: Superseded

Download Fix pack 21.0.0.4

Component	Security APAR	APAR	Description
Administrative Console	✓	PH34122	Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258 CVSS Score 7.5)
Java 2 Connectivity (J2C)		PH33683	EJB timer service does not adjust for daylight savings time
JavaServer Faces (JSF) Apache MyFaces implementation	✓	PH34711	Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)

Open Liberty Release fixes

Issue/PR	Description
15336	Replace DNS lookup with regular expression to get the domain name in SSO Cookie Domain function
15989	MyFaces Update State Saving
16054	HSTS Header not added on responses with 404 status
16113	Shared Class Cache not generated on Windows
16118	Create setHtmlContentTypeOnError Webcontainer Property
16160	HTTP/2 ClassCastException during error handling
16184	EJB timer service does not adjust for daylight savings time during fall adjustment
16301	LDAP and Database Identity Stores fail to reprocess deferred EL expressions
16353	Bump netty dependencies to 4.1.62.Final
16364	Premature response completion in Async servlets
16410	Improve messaging in ldapRegistry-3.0 when userFilter and groupFilter do not contain an AVA with %v
16416	Java 2 Security exception when adding custom principal to the subject for Jaspic

Fix pack 21.0.0.3

Fix release date: 26 March 2021
Last modified: 26 March 2021
Status: Superseded

Download Fix pack 21.0.0.3

Component	Security APAR	APAR	Description
Liberty z/OS		PH33563	SAFPasswordUtilityFactory.getInstance().passwordChange results ioException: exception in opening zip file after multiple calls
Liberty z/OS		PH34338	ABEND0C4 during Liberty server shutdown

Open Liberty Release fixes

Issue/PR	Description
5470	NLS message CWWKE0031E is inaccurate when emitted from server script
11249	JAXRS leaks memory when applications do not close their Client references
12606	server.bat script does not read path of jvm.options correctly as documented
14926	Bean Validation 1.1 NullPointerException from ValidationReleasableFactoryImpl
15646	Issue15644ProperMergingOfJava2Permissions
15744	Pull in MyFaces 2.3.8
15799	Plugin Generator can cause server shutdown delay
15822	LDAP group members may be ignored when the member's RDN starts with cn (and possibly other attribute names).
15853	Bump netty dependencies from 4.1.52.Final to 4.1.59.Final
15857	EJB client intermittently throws BAD_PARAM after server restart
15869	MP Config AppPropertiesTrackingComponent synchronization
15878	JAX-RS requests that do not specify the port fail with SSL
15927	Cannot inject optional list with mpConfig-1.x
15943	Merge multi-homed environment related changes into Liberty
15975	Create a UDP connection using the selected outbound interface
15985	Threads backing up during transaction processing due to use of Dictionary
16037	Separating ciphers with two spaces results in unspecified behaviour
16060	Eclipselink bundles lack javax.mail.internet

Fix pack 21.0.0.2

Fix release date: 26 February 2021
Last modified: 26 February 2021
Status: Superseded

Download Fix pack 21.0.0.2

Component	APAR	Description
Contexts and Dependency Injection (CDI)	PH33219	AdminCenter web app is not updating status after an operation concludes
Install	PH33517	Issue with <INCLUDE LOCATION> tag on Liberty 20.0.0.9 failed to support the WLP_USER_DIR in already built fixes
Java 2 Connectivity (J2C)	PH31875	J2CA0079E: getManagedConnection internal illegal state state = state_inactive mcw

Open Liberty Release fixes

Issue/PR	Description
11777	prepareJSPThreadCount is not documented in Open Liberty - Investigate if any issues using it and document
12490	IOExceptions thrown after HTTP/2 stream is closed by client
12694	EclipseLink: Deliver Bug #538296
14109	Update gRPC dependencies to 1.35
14175	Expression Language 3.0 value lookup performance improvement
14248	Update WC property suppressHtmlRecursiveErrorOutput
14934	JAX-RS client creates a new SSLSocketFactory for every request
15040	ClassCastException might happen when serving a static resource
15433	System WABs may come online with the web container after server reports started
15550	NullPointerException in HttpServletRequest or HttpServletResponse context proxies
15698	FeatureUtility not parsing Liberty custom environment variables

Fix pack 21.0.0.1

Fix release date: 29 January 2021
Last modified: 29 January 2021
Status: Superseded

Download Fix pack 21.0.0.1

Component	Security APAR	APAR	Description
Install		PH32961	InstallUtility and FeatureUtility are working when the variable is a directory, but not part of a file name
Intelligent Management Component		PH31732	Restricting IP access in ssh keys in authorized_keys, results in ssh key being appended when collective member is restarted

Open Liberty Release fixes

Issue/PR	Description
10000	HttpServletResponse.sendRedirect(String location) builds absolute URL including protocoll and server-name
12095	PluginGenerator: BundleContext is no longer valid
12417	Fix java.lang.IllegalStateException: jstl facade bundle can not be located
13515	Add addstricttransportsecurityheader WebContainer prop to metatype
14532	Plugin Generator can cause server shutdown delay
14815	Recovery race
14925	OAuth user registry lookups may use incorrect custom cache key
14928	EclipseLink: Deliver Bug #514486
14936	Issue when deploying Open Liberty application to Openshift
14950	Pull MyFaces 2.3.7 into Open Liberty
14975	OIDC RP: creating a subject with allowCustomCachKey=false results in a subject that includes a cache key
15174	Include tag on windows not parsing correctly
15216	JDBC Kerberos problems on IBM JDK 8
15220	Add HTTP/2 IOException for misbehaving client error case
15237	Clear federated repository specific information from AuditManager thread
15242	Stop the ACME Certificate Checker Task when the server is stopping
15263	HTTP TRACE method requests are rejected with a 403, and `enableTraceRequests="true"` does not help
15305	Pull in CXF-8278
15315	Enable server shutdown on recovery log failure
15337	Dynacache initialization issue when ID is missing
15342	CONTAINER_NAME env variable is not reflected in logstashCollector-1.0
15388	Include tag file name unable to be parsed for featureUtility
15390	Various thread safety issues in the Liberty scheduled executor
15550	NullPointerException in HttpServletRequest or HttpServletResponse context proxies

Fix pack 20.0.0.12

Fix release date: 27 November 2020
Last modified: 27 November 2020
Status: Superseded

Download Fix pack 20.0.0.12

Component	APAR	Description
General	PH30714	PortOpenRetries needs to do retries for hostname lookup failures
General	PH30744	Increased CPU can occur after moving to Liberty version 19.0.0.7 or higher
Install	PH32363	InstallUtility and featureUtility ignores included config files on Windows
Intelligent Management Component	PH31277	Health policies do not trigger
Java Persistence API (JPA)	PH29720	EclipseLink generates SQL for the coalesce function with incorrect whitespace.
Systems Management Functions	PH30558	Do not store Leader ID when server is stopping

Open Liberty Release fixes

Issue/PR	Description
14425	EclipseLink: Deliver Bug #567087
14426	EclipseLink: Deliver Bug #463350
14457	EclipseLink: ClassCastException for Boolean-Typed JPS-Query
14540	com.ibm.wsspi.cache.getProperties() returns empty map.
14542	Java 15: IllegalAccessError when using MP Rest Client
14555	TCP: add retry logic to hostname loookup when opening ports
14582	Prevent jsonp-1.0 and jsonpContainer-1.1 from both starting.
14597	Increased CPU when moving from Liberty 19.0.0.6 to newer releases.
14650	MP GraphQL does not scan JARs in WEB-INF/lib for GraphQL components
14655	Move participatingBaseEntry check to avoid inaccurate logging of CWIMK0004E message
14657	Fix connection manager deadlock for purgePolicy=FailingConnectionOnly
14735	Fix the Logging metatype description message for hideMessage
14743	Variables in include files not recognized after config update
14781	Wrong FailureScopeController used in peer recovery
14826	Allow Spring Boot app with embedded launcher script to deploy
14828	server stop hang

Fix pack 20.0.0.11

Fix release date: 30 October 2020
Last modified: 30 October 2020
Status: Superseded

Download Fix pack 20.0.0.11

Component	Security APAR	APAR	Description
General		PH30494	NullPointerException is received when using the PasswordChange API with more than one UserRegistry
Java 2 Connectivity (J2C)	✓	PH29942	Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693 CVSS 5.3)

Open Liberty Release fixes

Issue/PR	Description
7056	HTTP/1.1 and HTTP/2 behave differently when a non-standard HTTP method is used
12312	Update to commons daemon breaks windows servicel
12724	Unable to Override JAX-RS SecurityContext in ContainerRequestFilter
13073	FFDC raised when fallback method or handler throws exception
13830	Federated repositories returns the string "null" instead of the value null for several methods
13861	Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13908	Liberty Java security function does not honor JDK's java.policy file.
14003	Test Failure: com.ibm.ws.microprofile.health20.fat.ApplicationStateHealthCheckTest.testPreLoadedApplicationsHealthCheckTest_mpHealth-3.0
14183	Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy
14192	Eclipselink: Wrong month is returned if OffsetDateTime is used in JPA 2.2 code
14377	Server.xml config sources do not respect config_ordinal
14421	EJB persistent timer may attempt to run after server stop issued

Fix pack 20.0.0.10

Fix release date: 2 October 2020
Last modified: 2 October 2020
Status: Superseded

Download Fix pack 20.0.0.10

Component	Security APAR	APAR	Description
Asynchronous beans		PH29578	CWWKE0701E: Frameworkevent error org.osgi.framework.serviceExcception
Liberty Kernel		PH27428	NullPointerException because wsJarUrlStreamHandler creates unusable input stream
		PH27908	Unconverted adapt to web annotations from com.ibm.ws.openApi.internal.annotationScanner
		PH28816	During server startup, the warning "Unconverted adapt to web annotations" appears in server logs
Liberty z/OS		PH28141	Out of memory in cell pool using 500 connections
Web Services Security	✓	PH29368	WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590 CVSS 5.3)

Open Liberty Release fixes

Issue/PR	Description
11646	Concurent Login Issue
11722	mpHealth - readiness check reports UP when application fails to start
11847	Add support for traditional websphere property: com.ibm.ws.webcontainer.suppresslastzerobytepackage
12613	Enabling openTracing with no tracer class configured impacts performance
12790	Need to limit how many times an OIDC refresh token can be used to get new tokens
13404	Kafka connector can report failure for acknowledgements which eventually succeed
13551	NullPointerException when starting an EJB module during server stop
13569	Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0
13613	Support IIOP transmission of Supplemental Multilingual Plane characters (such as emoji) in (wide) Strings
13681	Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13817	PostgreSQL tables are not automatically generated for transaction recovery

Fix pack 20.0.0.9

Fix release date: 4 September 2020
Last modified: 4 September 2020
Status: Superseded

Download Fix pack 20.0.0.9

Component	APAR	Description
EJB Container	PH27497	CNTR5010E,CNTR0075E Errors after migrating from WebSphere V8.5.5.X TO V9.0.5.X
EJB Container	PH27912	CNTR5104E OR CNTR5102E occurs at EJB start after upgrading WebSphere to V8.5.5.16, V9.0.5.0, V9.0.5.1, OR V9.0.5.2
Install	PH30219	<INCLUDE> Tag not being considered when installing server.xml
Java Persistence API (JPA)	PH26967	OpenJPA's class transformer needs to respect app classloader concurrency
Java Persistence API (JPA)	PH28547	JPA persistence activator retains classloader references, potentially leading to OutOfMemory condition

Open Liberty Release fixes

Issue/PR	Description
11504	Occasional ArrayIndexOutOfBoundsException in JaspiServiceImpl.getDescription during Arquillian Tests
11556	Connection leak when XAResource.recover fails
12832	Bean Validation should consider @ValidateOnExecution when CDI is not enabled.
13027	Jaxrs security not getting SSL Socket Factory updates
13036	mpGraphql Exception allowlist not working. NullPointerException is thrown by mpConfig
13138	tag not being considered when installing server.xml
13170	MDB method restricted from being private final for no methods listener
13309	Application with EJB 2.x local interface that extends java.rmi.Remote fails to start
13331	ignore extra ffdc when application fail to start due to vhost already removed by stop app
13447	Http/2 -clean up connection on error
14183	Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy

Fix pack 20.0.0.8

Fix release date: 7 August 2020
Last modified: 7 August 2020
Status: Superseded

Download Fix pack 20.0.0.8

Component	Security APAR	APAR	Description
Systems Management Functions		PH27639	Stopped application may show as started in collective controller.
Security		PH34376	RACF RACMAP filter fails to properly match on realm

Open Liberty Release fixes

Issue/PR	Description
12074	Webcontainer property decodeUrlPlusSign issue
12312	Update to commons daemon breaeks windows service
12450	Batch: Fixes for remote partition job logs
12523	Failed to parse Created TimeStamp in UsernameTokenValidator
12613	Enabling openTracing with no tracer class configured impacts performance
12695	JAX-RS Application Proxy should override getProperties()
12780	CWMRX1001W seen in messages.log
12865	spring-cloud-starter causes ApplicationStarted event to be fired before the ModuleStarted events for Spring Boot web apps
12967	"peer not authenticated" failures in RP to OP communication on some versions of Java 11
13094	MDB message listener method name restricted from starting with "ejb"

Fix pack 20.0.0.7

Fix release date: 9 July 2020
Last modified: 9 July 2020
Status: Superseded

Download Fix pack 20.0.0.7

Component	Security APAR	APAR	Description
Liberty System Management		PH26177	API Discovery UI fails
z/OS		PH23733	Unexpected Transaction CPLT ABEND ASIB when transaction is rolled back

Open Liberty Release fixes

Issue/PR	Description
8048	Unable to write multipart data in Jax-Rs
12032	Configuration for sslSessionTimeout is ignored at runtime
12067	PluginUtility currently looks in the workarea for com.ibm.ws.jmx.local.address but should look in the logs/state directory
12352	Correct spelling mistake in com.ibm.ws.jsp.jstl.facade/bnd.bnd
12375	IllegalArgumentException occurs when processing SOAP response containing SOAP Fault
12399	HTTP/2 read window not updated
12516	Changes to SSL Session Timeout
12537	H2 NPE HttpOutputStreamImpl.flushHeaders
12545	syncQueryTimeoutWithTransactionTimeout="true" with totalTranLifetimeTimeout="0" results in SQLTimeoutException
12567	Fault Tolerance 2.1: org.eclipse.microprofile.faulttolerance cannot be resolved
12599	HTTP/2 connection termination performance
12708	Entry and exit trace is missing when using OpenJDK with OpenJ9 version 8.
12715	JAX-RS @Context injection into ContextResolver failing with NPE

Fix pack 20.0.0.6

Fix release date: 12 June 2020
Last modified: 12 June 2020
Status: Superseded

Download Fix pack 20.0.0.6

Component	APAR	Description
Administrative Console	PH25475	After logging in to admin center console, in the web browser console role is getting exposed
General	PH25479	JAXRS resource not injecting objects via CDI constructor injection
Liberty z/OS	PH25650	Message CWWKO0230I is issued even if the Asynchronous I/O support was not activated
Virtual Member Manager (VMM)	PH24423	With SCIM-1.0 feature and LDAP registry, SCIM queries for group members do not deliver the display name for group members

Open Liberty Release fixes

Issue/PR	Description
9157	Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
10067	Update JPA to fix EclipseLink bug 618
10236	Update JPA to fix EclipseLink bug 558283
10240	Update JPA to fix EclipseLink bug 558414
10812	Update printSessionManagerConfigForDebug method to include cookieHttpOnly
11773	[openidConnectServer-1.0] incorrect http status code for error response invalid_grant
11795	EclipseLink: Deliver Bug #561664
11882	Missing FunctionMapper
11927	Include user name in CWWKS1773E error message TS003412433
11977	May get an NPE in URLEncoder.encode when OAuth provder gets bad clientId TS003459997
11984	JNDI lookup fails with org.osgi.framework.ServiceException
12019	Application MBean status is not updated when application fails to start
12024	The JCA SharedPool can leak MCWrapper objects
12212	Cached configuration not used in some circumstances
12297	Correct JSP 2.3. Feature File

Fix pack 20.0.0.5

Fix release date: 15 May 2020
Last modified: 15 May 2020
Status: Superseded

Download Fix pack 20.0.0.5

Component	Security APAR	APAR	Description
Liberty z/OS		PH24366	Liberty fails to remove the client address space level RESMGRs when cleaning up Liberty's client structures
Web Container	✓	PH20847	Information disclosure in WebSphere Application Server (CVE-2020-4329 4.3)
Web Services Security	✓	PH24154	Identify spoofing in WebSphere Application Server (CVE-2020-4421 5.0)

Open Liberty Release fixes

Issue/PR	Description
11475	CWWKG0090E seen when using include that worked in previous version
11550	SSL Channel: double release of WsByteBuffer race condition
11582	NPE in OpentracingUtils.lookupAppName()
11590	MetricProducer provides a simple timer and concurrent gauge with the wrong MetricType
11595	SAML SP should use 401 instead of 403 when redirects user to IdP
11682	Social login feature cookies may not use dynamically updated web app security config
11696	Exception during UserTransaction thwarts @Fallback on @Asynchronous method
11716	Changes for issue 11646
11746	Unable to create logger error in server startWinService when WLP_OUTPUT_DIR set in server.env
11750	Correct redirect location.
11755	Update Weld3 to 3.1.4
11767	Lock contention acquiring applicationTracersLock in OpentracingTracerManager.ensureTracer()
11785	intermittent h2 timing test failure
11870	H2 NPE check modification

Fix pack 20.0.0.4

Fix release date: 17 April 2020
Last modified: 17 April 2020
Status: Superseded

Download Fix pack 20.0.0.4

Component	Security APAR	APAR	Description
General		PH23757	EJB persistent timer/deserialized context fails with CWWKC1004E (unavailable context) after mpContextpropagation-1.0 disabled
Install V8 and above		PH23517	zosConsoleCommandDisplayWork-1.0 as an auto-feature is not installed
Liberty Archive Install		PH23233	NullPointerException when installing the required WLP server's features from local repository
Liberty z/OS		PH22112	Display work with zosRequestLogging feature does not count servlet requests
Liberty z/OS		PH23817	gpf in liberty server during shutdown
Web Services Security	✓	PH22080	Cross-site scripting vulnerability in samlWeb-2.0 (CVE-2020-4303, CVE-2020-4304)

Open Liberty Release fixes

Issue/PR	Description
4040	Make RC consistent for starting liberty as a Windows Service
4873	Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
8933	Authentication cache fails to find existing Subjects, slowing performance.
9692	Non-English characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9986	Application fails to start because of java.lang.IllegalStateException: Configuration pid com.ibm.ws.app.manager_23 was deleted
10707	Thread safety problem in JSON logging field name mapping code
10986	Invalid JSON data passed to @Path resource method(@Valid MyPojo) yields H500 instead of H400
11043	java.security.AccessControlException: Access denied ('java.util.PropertyPermission' 'org.osgi.framework.bootdelegation' 'read')
11044	custom-login-configuration not honored in java:comp/env bindings without binding-name
11108	mpRestClient-1.3 ignoring hostnameVerifier configuration
11199	EJB Persistent Timer/deserialized context fails with unavailable mp.cleared.context.provider after mpContextPropagation-1.0 disabled
11289	ConcurrentModificationException during JSF application startup
11445	The JarFileClassLoader throws an IllegalArgumentException when defining package com.ibm.websphere.ras.annotation
11454	Remove lock contention and other perf improvements for starting multiple applications
11478	Minor code issue in LdapHelper.getRDN in com.ibm.ws.security.wim.adapter.ldap
11510	Timing window where server loses the ability to run a persistent timer if config update to disable execution overlaps a poll
11534	Async implementation of MP rest client returns CompletionStage of Collection of HashMap but expected CompletionStage of Collection of a user defined type
11535	AdapterUtil.createXAException utility method garbles message parameters
11543	PH22080

Fix pack 20.0.0.3

Fix release date: 20 March 2020
Last modified: 20 March 2020
Status: Superseded

Download Fix pack 20.0.0.3

Component	Security APAR	APAR	Description
Liberty log analytics and monitoring		PH22677	Logstash error when parsing json
Liberty z/OS		PH21809	Liberty on z/OS message routing to msglog dd stops unexpectedly
		PH21956	JVM crash in zosLoggingBundleActivator.ntv_writeFile()
		PH22759	Abend on the z/OS Hard failure Cleanup Thread during server stop processing
Virtual Member Manager (VMM)		PH21704	SCIM fails to search when quotation marks are included in search filter
Web Services (JAX-WS, JAX-RS)	✓	PH22079	Vulnerability in Apache CXF affects WebSphere Application Server Liberty (CVE-2019-17573)

Open Liberty Release fixes

Issue/PR	Description
8547	Oracle connectionProperties being traced
9588	Fix JWKS behavior that returns cached JWK despite the JWK not having right KID
10310	EclipseLink: Deliver Bug #347987
10510	Thread fails to complete during the quiesce period
10552	Webcontainer Bundle Deactivation causes IO Exceptions for the Cached Plugin-cfg File
10697	LDAP registry and URBridge are not un-escaping double quotation and apostrophes from the XPATH search expression
10712	AsyncResponseImpl.initContinuation() throws NPE when Continuation is null
10730	Javadoc of ConnectionManagerMBean.getJndiName is not accurate
10732	Context-root attribute for server.xml web-ext element ignored
10762	Missing warning when a server element is not present
10867	German translation for 'Logout' incorrect for OIDC applications
10961	Request URL mismatch between scheme and port
10981	Yoko ORB shutdown thread hangs
10996	Error parsing JSON when using ELK with logstashCollector-1.0
11052	Basic registry throws PatternSyntaxException when search for users or groups includes braces
11105	HTTP/2 stream initialization race conditions
11123	Enhance NCSA access log 'enabled' attribute documentation

Fix pack 20.0.0.2

Fix release date: 21 February 2020
Last modified: 21 February 2020
Status: Superseded

Download Fix pack 20.0.0.2

Component	Security APAR	APAR	Description
General		PH10461	When using BYO SSH keys, starting a collective controller keeps appending the ssh key to the authorized_keys file
		PH11895	PI81056 did not fully resolve the issue resulting in msg CWWKO0224E (hostname resolution error) during server startup
		PH19384	Liberty for z/OS server using optimized local adapters abends in method WOLANativeUtils.ntv_getClientService on shutdown
	✓	PH19528	Denial of Service in WebSphere Application Server (CVE-2019-4720)
	✓	PH19989	Denial of Service in WebSphere Application Server (CVE-2019-12406)
		PH20816	Install of common Java SDK for Liberty on z/OS fails with CRIMA1161E
		PH20912	Unable to set samesite cookie option with response.addHeader
		PH21213	Unable to install WebSphere Application Server Liberty V8.5 version 20.0.0.1 using IBM Installation Manager
		PH21281	Warnings showing the text "Unconverted adapt" appears in server logs
		PH21564	java.lang.SecurityException possible from messaging component calls to System.getProperty("line.separator")
		PI93822	EJB auto-link fails for java:global with beanName provided

Open Liberty Release fixes

Issue/PR	Description
8015	Delay TCP Port starts until server is initiailized
9085	ServletCacheEngine ignore cache for App using default context root
9157	Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
9512	OIDC RP does not reject requests that match more than one filter
10067	EclipseLink: Deliver Bug #618
10142	Installing mpHealth 1.0 and 2.0 features together causes NullPointerException
10189	Fault Tolerance reports an internal error when an asynchronous method returns null
10196	H2 close with error produces invalid state
10236	EclipseLink: Deliver Bug #558283
10238	Default logging format not being set when using an invalid console/message logging format
10240	EclipseLink: Deliver Bug #558414
10243	Pull in MYFACES-4311 and add a FAT
10248	JsonB provider not found when loaded from library
10293	Test Failure: com.ibm.ws.testing.opentracing.test.FATOpentracing.testImmediate
10310	EclipseLink: Deliver Bug #347987
10337	Java Batch: Error reported when JMS job dispatch message is redelivered
10384	Support for SameSite attribute in Set-Cookie header is needed
10393	PersistentTimerCoreTest.testDisabledLateTimerMessage FFDC indciates missing doPriv on abort
10397	Retry port opening according to configurable number of retries
10426	requestTiming-1.0: servletTiming server configuration does not work with servlet-4.0
10461	Basic registry throws PatternSyntaxException when search filter contains paren
10462	LDAP registry throws InvalidSearchFilterException when principalName search filter contains paren
10508	Avoid using System.getProperty("line.separator") in messaging code
10559	Need to quit warning about strange cookies sent from IBM ID
10578	oidcclient does not expand ID attribute after 19.011
10582	JAX-RS 2.0 ExceptionMapper is ignored when using mpOpenTracing
10587	Yoko ORB shutdown thread hangs
10604	Wrong encoding for special characters (Swedish language)
10702	Decompression Ratio Support

Fix pack 20.0.0.1

Fix release date: 24 January 2020
Last modified: 24 January 2020
Status: Superseded

Download Fix pack 20.0.0.1

Component	Security APAR	APAR	Description
Liberty System Management	✓	PH20161	OpenAPI Swagger UI vulnerability (CVE-2019-17495)
Web Services (JAX-WS, JAX-RS)		PH18762	Add support for gzip encoding

Open Liberty Release fixes

Issue/PR	Description
6956	Liberty depends on the ps command during shutdown
8563	Pull in MyFaces 2.3.6
8773	OIDC Client Requests Tokens with the same auth code
9281	auditUtility command/script file not found in /bin directory.
9307	Error message when MP Open Tracing feature is enabled but not in use
9441	Auto-features which depend on kernel features do not get installed
9943	Map the Spring Boot application's context root to the application's welcome page (index)
9516	Unfriendly user error message displayed and user is blocked from signing in to their application when their liberty session expires
9602	H2 Synchronization problem with tests that are sending duplicate frames
9679	H2 intermittent error when upgrade fails
9708	For a batch job with partitioned step, the PartitionReducer's afterPartitionedStepCompletion gets ROLLBACK on normal completion.
9798	Handling logging out of mp jwt flow introduces an error
9824	Cannot distinguish opaque token that contains two dots from JWT
9848	Resource adapters might fail to start with Bean Validation 1.1 and CDI 1.2 enabled.
9886	Unresolved module com.ibm.ws.rest.handler.validator.jca
9904	javax.servlet.ServletRequest.getParameterValues returns null in Jaxrs applications
10006	service.ranking can be removed from com.ibm.ws.persistence defaultInstances.xml
10030	H2 connection error causes server timeout
10144	Add additional support for range attributes on Active Directory Ldap searches
10165	Fault Tolerance messages not output
10178	Resource leak when installing features through Gradle on Windows
10215	CXF cannot process a gzip encoded SOAP response
10228	Rest Client for MicroProfile loses entity on POST requests with status code 202 response

Fix pack 19.0.0.12

Fix release date: 13 December 2019
Last modified: 13 December 2019
Status: Superseded

Download Fix pack 19.0.0.12

Component	Security APAR	APAR	Description
Liberty Administrative Center	✓	PH18799	WebSphere Liberty is vulnerable to a Cross-site scripting vulnerability in the Admin Center (CVE-2019-4663)

Open Liberty Release fixes

Issue/PR	Description
8395	Remove obsolete com.ibm.ws.webcontainer.channelwritetype from Liberty's metadata and web container properties
9228	LDAP registry returns error code 21 when updating boolean values
9293	Opentracing can cause jaxrs exceptions to not be logged
9386	NullPointerException when using dynamic filter to add mapping for servlet name
9455	HTTP/2 malformed requests should cause stream reset
9499	FFDC when Exception thrown by user code proxied using ContextService
9545	Test Failure: junit.framework.TestSuite.com.ibm.ws.cdi12.fat.tests.SessionDestroyTests
9596	Relax criteria for calling out an FFDC when dealing with the Selector logic
9607	NPE in the SIP Container when a Digest challenge does not contain the `algorithm` field
9625	Unable to load LibertySSLSocketFactory during transaction recovery
9676	Class transformers can fail if a class is loaded from the shared classes cache
9692	Non english characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9825	JNDI literals parsing too verbose

Fix pack 19.0.0.11

Fix release date: 15 November 2019
Last modified: 15 November 2019
Status: Superseded

Download Fix pack 19.0.0.11

Component	Security APAR	APAR	Description
General		PH11427	Service call by service.Create() does not time out in 30 seconds
	✓	PH17678	Man in the middle vulnerability in OpenSAML (CVE-2014-3603)
		PH18113	Add Apache HttpClient library
		PH18282	SCIM API fails to retrieve a group or user with a forward slash in the DN
JavaServer Pages (JSP)	✓	PH13983	Information disclosure in WebSphere Application Server (CVE-2019-4441)
Liberty z/OS		PH18715	java.lang.StringIndexOutOfBoundsException exception in com.ibm.ws.zos.registration.internal.ProductManager.start
Security		PH18751	Exceptions when using keystore ID="defaultkeystore" after upgrading to fix pack 19.0.0.9 on z/OS
Security		PH29291	NullPointerException might be thrown during EJB invocation on 19.0.0.9

Open Liberty Release fixes

Issue/PR	Description
4387	Runnable JAR execution fails when WLP_USER_DIR env var is set to "other" location with CWWKE0005E
7701	Pull in MyFaces 2.3.4
8152	TAI negotiateValidateandEstablishTrust called twice during authentication.
8196	7234-TRACENPE COMMIT1
8404	Confidential for Security Integrity fix CVE-2014-3603
8860	jwkRetriever should not require an sslSocketFactory if using http
8899	federatedRegistry-1.0 group membership may use a repository that does not participate in the realm
9085	ServletCacheEngine ignore cache for App using default context root
9122	Remove additional ; in WebApp.java
9129	Update Commons BeanUtils to 1.9.4
9130	Header Key retrieval fix for case sensitivity
9132	correct certain JSP messages
9143	NullPointerException might be thrown when the security audit is enabled for ejb.
9380	IllegalStateException in JMX Connector RESTHandler from call to getWriter
9416	Add Apache HttpClient v3.1 library
9436	RACF SDBM LDAP registries may encounter OperationNotSupportedException
9437	Test Failure (20180702-1422): com.ibm.ws.jdbc.fat.v41.JDBC41Test.testTransactionTimeoutAbort
9441	Auto-features which depend on kernel features do not get installed
9451	Fix Intermittent NullPointerException on TCP trace during shutdown
9472	H2 Intermittent NPE in HttpOutputStreamImpl.flushHeaders()

Fix pack 19.0.0.10

Fix release date: 18 October 2019
Last modified: 18 October 2019
Status: Superseded

Download Fix pack 19.0.0.10

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PH05014	Null CDI Bean results in a NullPointerException thrown in Apache WebBeans code
General	✓	PH16611	Multiple vulnerabilities in HTTP/2 implementation used by WebSphere Application Server Liberty
Intelligent Management Component		PH16337	Liberty OIDC is not working with dynamic routing plug-in
Liberty z/OS		PH14100	Out of storage condition caused by a leak in LSCL causing rc12 Reason Code 24 from BBOA1CNG
Liberty z/OS		PH16940	Liberty servers abend with an ABENDSEC3 RSN=20000800 when a Liberty server is shutdown using force or similar
Security	✓	PH15518	Multiple vulnerabilities in WebSphere Application Server Liberty (CVE-2019-4304, CVE-2019-4305)
WebSphere Compute Grid		PH13367	Job Partitions reported failing due to a deadlock on Java Batch Job Repository tables
WMQ messaging providers		PH13286	Provide mechanism to disable 1PC optimization

Open Liberty Release fixes

Issue/PR	Description
7767	Expose JSF MyFaces Implementation classes as third-party
7849	The JWK retriever does not remove stale JWK from cache
8532	Deadlock issue when using persistence batch framework
8597	Federation of a custom UserRegistry (CUR) results in different behavior than when stand-alone
8612	export jsf-2.3 impl classes as third-party
8614	export jsf-2.2 impl classes as third-party
8736	Case TS001514963: requestTiming does not show all SQL queries
8808	OIDC RP does notHTTP Auth header as containing a valid OIDC id_token
8840	CWIML0514W occurs using uppercase group DN on getGroups
8863	Failure to parse multiple comma separated links in an HTTP Link header on a Jaxrs Response object
8886	GA Fault Tolerance - Metrics 2.0 integration
8903	When JACC is enabled, annotated role mapping is not enforced properly.
8951	OperationNotSupportedException: [LDAP: error code 53 - R000128 Filter is not supported (sdbm_search:1413)]
8979	requestTiming-1.0 feature does not work in OpenLiberty
9021	JSF File Descriptor leak in DefaultFaceletFactory
9033	Erroneous CWWKL0058W warning when multiple JARs in library have META-INF/services
9069	Web Admin Security Updates
9079	Terminate misbehaving HTTP/2 connections

Fix pack 19.0.0.9

Fix release date: 20 September 2019
Last modified: 20 September 2019
Status: Superseded

Download Fix pack 19.0.0.9

Component	Security APAR	APAR	Description
Liberty Debug and Tracing		PH15280	Leak of RACF ACEE control blocks in Liberty server
Liberty Kernel	✓	PH17088	Apache Commons Compress denial of service vulnerability (CVE-2019-12402)
		PH17796	ConfigHash value in plugin-config.xml causing parsing issues
Liberty z/OS		PH15877	Angel stops without detecting active Liberty servers
Security		PH15505	Collectives keystore mismatch
WebSphere Compute Grid		PH10566	Issues with remote partition restart if server crashes

Open Liberty Release fixes

Issue/PR	Description
7600	social login linkedin flow is broken and needs updating
8169	ProfileManager.getImpl call ignores realm allowOpIfRepoDown setting
8219	Support direct HTTP/2
8473	webAppSecurity overrideHttpAuthMethod set to BASIC or FORM does not function
8546	HTTP/2 trailer improvements
8561	CWIML4564I informational message lists wrong LDAP server.
8647	java.lang.IllegalStateException when running Liberty wlp-webProfile7 19.0.0.8
8761	Java Batch: Remote JVM partitions not restartable after executor shutdown
8793	Custom fields not logging when using LogRecordContext and field names contain underscores

Fix pack 19.0.0.8

Fix release date: 23 August 2019
Last modified: 23 August 2019
Status: Superseded

Download Fix pack 19.0.0.8

Component	APAR	Description
Database Access, Connection Management, Merant/DataDirect drivers	PH15281	Postgres SQL Large Object API blocked
Liberty z/OS	PH13341	The --clean action is ignored when WLP_ZOS_JOBNAME is set
Security	PH15089	A login might be required for unprotected resources when none of TAIs processed a request
Sessions and Session Management	PH13932	"Using collection QEJBASSN for session persistence." is always output with startup of Liberty servers
Virtual Member Manager (VMM)	PH14786	Using non ASCII characters (ex. Chinese) in an SCIM filter fails
Web Container	PH14619	ServletContext.getRealPath() should not return null for nonexistent files

Open Liberty Release fixes

Issue/PR	Description
5035	Update ServletContext.getRealPath() behavior
7521	Call Class.forName() within doPrivileged block from WASURLObjectFactoryFinder
8085	HttpServletMapping.getPattern is not correct for /* mapping
8128	Clean up URIMatcher40 and ServletWrapper
8141	Adding mpConfig-1.3 feature while the server is running does not install the configuration feature properly
8250	OIDC discovery endpoint does not emit the revocation endpoint
8252	Eclipselink: Fix bug 547173
8274	WSOC: fix a read during close timing window.
8277	login process is carried out for unprotected resources even TAI does not intercepts a request
8304	Loose application with MP Health not picking up changes after recompile - GM 19.0.0.7
8307	Error on edit for OAuth client with no secret
8339	openidconnect emits httpclient spurious log warnings for certain cookies
8346	Liberty 19.0.0.7 Blocks all Large Object API functions for Postgres
8401	Add doPrivileged block in WASInitialContextFactoryBuilder for class look up
8449	content-length header should not be required for HTTP/2 requests
8458	Channel framework chains not closing down before timeout
8460	8458 - Loop until cfw chain is closed
8474	PushBuilder should ignore headers with null values
8482	URBridgeEntity uses NLS message key, REQUIRED_IDENTIFIERS_MISSING, which is not defined

Fix pack 19.0.0.7

Fix release date: 25 July 2019
Last modified: 25 July 2019
Status: Superseded

Download Fix pack 19.0.0.7

Component	Security APAR	APAR	Description
Liberty Administrative Center	✓	PH13994	Clickjacking vulnerability in Liberty Admin Center (CVE-2019-4285)
Security		PH13970	After updating to 19.0.0.4, SESN0008E errors started occurring
Systems Management Functions		PH13649	Invalid command line optional parameter (--hostName) with "collective help addReplica"
Virtual Member Manager (VMM)		PH13757	SCIM 1.0 returns HTTP 404 return code for user search

Open Liberty Release fixes

Issue/PR	Description
5337	NullPointerException in BridgeUtils seperateIDAndRealm(...)
6158	Pull in MyFaces 2.3.3 once it is released
7539	Federated Repositories LoginBridge does not handle output property mappings that are multi-valued
7552	JPAContainer incorrectly sets App Classloader as the CCL
7612	Scrub error response for unwanted characters
7670	IllegalArgumentException in MP Metrics from timing issue
7854	WSLogManager static fields not properly initialized in jdk7
7871	Fix NPE in WebAppSecurityCollaboratorImpl when invoking web resource using custom HTTP method
7888	socialLogin needs to produce choice menu with one provider and localAuth enabled
7920	WASReqURL cookie path is not set when the context root of an application is set to root
7984	When Auditing function is enabled, it is potential that SRVE0777E error is logged
7986	Memory leak when stopping applications
8034	NullPointerException in UniqueNameHelper.getValidDN
8096	After updating to 19.0.0.4, SESN0008E errors started occurring

Fix pack 19.0.0.6

Fix release date: 28 June 2019
Last modified: 28 June 2019
Status: Superseded

Download Fix pack 19.0.0.6

Component	APAR	Description
Channel Framework	PH13269	Delay ALPN init until required and free ALPN resources on connection errors to prevent OutOfMemory
Liberty Debug and Tracing	PH11759	Performance drops when writing a large amount of log entries to Liberty console log
Liberty z/OS	PH12644	Keys are not stored in ICSF with triple-length PCICC format
Security	PH07530	A NullPointerException is thrown during SAFKeyRingNotificationMbeanImpl initialization
Web Services Security	PH11031	OAuth runtime emits error when adding EXTENDEDFIELDS column many times

Open Liberty Release fixes

Issue/PR	Description
6317	JAX-RS request context modified after client request
7207	EclipseLink: Deliver Bug #421056
7433	Avoid inferring caller in LogRecord.getSourceClassName and getSourceMethodName when processing System.out calls
7440	Investigate possible difference in values between Prometheus and JSON format metrics
7632	EclipseLink: Deliver Bug #421056 pt2
7634	Session time based write option not honor small time interval
7695	java.sql.Connection's network timeout not getting set to the correct value
7831	Timing issue between deleted configuration and configuration store

Fix pack 19.0.0.5

Fix release date: 31 May 2019
Last modified: 31 May 2019
Status: Superseded

Download Fix pack 19.0.0.5

Component	APAR	Description
General	PH11801	Liberty 19.0.0.3 cannot start Java health center starting with IBM JDK 8.0.5.31
Security	PH08972	Liberty on z/OS message CWWKS2934E issued during initialization is confusing when it does not reflect final status
Systems Management Functions	PH11844	Joining a member to a back level controller fails when the collective uses a collective-wide ssh key

Open Liberty Release fixes

Issue/PR	Description
6095	Ability to extend the size of the log buffer beyond 8k on WebSphere Application Server Liberty Profile
6391	Building .tar.gz server package fails on Windows
7307	redirectcontextroot=true and redirected secure page causes null
7332	remoteIp "proxies" Default Regex Adjustment
7407	Better handle private headers during message deserialization
7434	NullPointerException in MethodAttribUtils.getXMLCMCLockAccessTimeout
7441	NullPointerException in AppDefinedResourceFactory
7448	NPE in LTPAConfigurationImpl.loadConfig

Fix pack 19.0.0.4

Fix release date: 3 May 2019
Last modified: 3 May 2019
Status: superseded

Download Fix pack 19.0.0.4

Component	Security APAR	APAR	Description
Liberty z/OS		PH10537	SMF 120 subtype 11 and 12 records should report the value of cvtzcbp
Liberty z/OS		PH10538	The RCVTID is not available to Java applications deployed in Liberty
Messaging Providers	✓	PH06340	Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046)
Security		PI91146	Liberty runs unnecessary authentication logic when TAI is configured

Open Liberty Release fixes

Issue/PR	Description
1338	invokeForUnprotectedURI triggers unnecessary authentication
5376	LdapConnection getAttributesByUniqueName() throws EntityNotFoundException for existing user
6756	Initial requests with custom method (including PATCH) fail with HTTP/2
6982	JAX-RS 2.1 Performance
6987	Redirect Scheme and Port Mismatch
7044	Externalize ThrowIOEForInboundConnections httpOptions
7052	mpFT 2.0: Circuit Breaker metrics updated incorrectly when non-failure exception thrown
7071	Outbound SSL Connection IOException
7080	FT 2.0: Circuit breaker does not correctly restrict executions when in half-open state
7083	Using Automatic WorkQueue for Async JAX-RS responses
7102	Improve BNF Header Storage
7171	inherited templated transient views raising "unable to create views" exceptions
7184	Test Failure: EEConcurrencySpecTest.testListenerInvokeAnyWithTimeout Future.get interrupted during taskDone with CWWKC1120E
7211	getManagedConnection: illegal state exception. State = STATE_INACTIVE after abort due to transaction timeout
7260	Problems with resolution of environment variables

Fix pack 19.0.0.3

Fix release date: 5 April 2019
Last modified: 5 April 2019
Status: Superseded

Download Fix pack 19.0.0.3

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PH09834	java.lang.VerifyError on OpenWebBeans with Java 8 update 11 and 7 update 65
EJB Container		PH08828	OutOfMemory in InjectionEngine cache
General		PH09657	Usage Metering discards metrics on HTTP 500 response from metering service
		PH12825	TransactionScoped observers do not fire
Java Message Service (JMS)	✓	PH07036	Potential Spoofing vulnerability in WebSphere Application Server (CVE-2018-1902)
Liberty Administrative Center		PH06250	Accessability section 508 compliance for admin center
Liberty z/OS		PH09140	Liberty server request failures after the angel process is canceled
Web Container		PH08872	The servletRequeset.getContextPath() might return a different context path when using with OIDC client application.
Web Services (JAX-WS, JAX-RS)		PH09634	The policy-attachments-server.xml file under WEB-INF is not processed
Web Services Security		PH09651	OpenID Connect client authzParameter and tokenParameter values not updated when dynamically removed from server configuration

Open Liberty Release fixes

Issue/PR	Description
4300	DefaultExtensionProcessor file.not.found message does not contain default message that takes a parameter
6019	ApplicationManager startTimeout blocks startup when app is missing
6129	Fix Java 2 Security issues with JSPs
6246	Apply "useAuthenticationDataForUnprotectedResource" to jwtSso cookie
6255	jsonp-1.1 API dependencies incorrect
6295	ClassCastException when using binaryLog with --monitor
6317	JAX-RS request context modified after client request
6360	Filter out embedded server dependencies for Spring Boot 2.1.x
6407	Test Failure (20190101-0221): com.ibm.ws.kernel.boot.ServerStartAsServiceTest.testWinServiceLifeCycle
6521	Generic types are lost in MP Rest Client and JAX-RS clients due to bug in JsonBProvider
6527	Stack overflow scheduling new ManagedScheduledExecutor task from task
6573	Application exceptions should not be wrapped in EJBException
6628	Command line variables are not working on windows
6641	ClassNotFoundException thrown during sessionPostInvoke
6659	ServletRequest.getContextPath() might return wrong value when OIDC app is in used
6668	Externalize maxOpenConnections tcpOptions
6725	Using slash slash comment in JSP expression spanning lines can get JSP error
6727	JSP slash slash comment fix
6761	Custom JAX-RS ParamConverter does not work for collection and array types
6768	Using slash slash comment in JSP expression spanning lines can get JSP error, Java7 compatible
6790	Loading classes from multi-release jars does not work
6812	HTTP request header "If-Modified-Since" parsing fails with IllegalArgumentException if default Locale is not US
6822	Automatic EJB Timer creation skipped if database tables do not exist
6868	WebContainer: make code more service deactivate aware
6951	ClassNotFoundException during JSF initialization
6953	Tolerate missing ps

Fix pack 19.0.0.2

Fix release date: 8 March 2019
Last modified: 8 March 2019
Status: Superseded

Download Fix pack 19.0.0.2

Component	APAR	Description
General	PH07896	Liberty server start hangs on "CWWKZ0018I: Starting application" when thread pool max size is set
Liberty z/OS	PH08209	Add support for CICS 5.5 for WebSphere Optimized Local Adapters
	PH08497	Message ICH408I is not generated when user lacks access to profile prefix in appl class
	PH08753	Ship assembler DSECT that maps SMF 120 subtype 11 z/OS connect user data
Security	PH08030	Changes needed in the SAFAuthorizationService API
Virtual Member Manager (VMM)	PH08428	NullPointerException is thrown when creating a SCIM user with missing name
Web Services Security	PH06141	Multipart/related SOAP part Content-Type issue
	PH08466	OAuth introspect endpoint does not return correct issuer if OpenID Connect provider configures issuerIdentifier
	PH09706	Liberty OIDC message numbers CWWKS1754 through CWWKS1759 are duplicated

Open Liberty Release fixes

Issue/PR	Description
4975	Destroy of aborted connections and removal from the pool
5094	Fix NPE in servlet cleanup for WebSocket request
5833	The federatedRepositry-->primaryRealm-->defaultParents element should support multiple occurences in the server.xml
6017	Auto plugin generation is inconsistent with OSGI applications
6183	Incomplete SRVE0279E message
6273	JAX-RS clearing RuntimeContext for server side message when resource invokes a client
6287	Add default value to the remoteIp "proxies" attribute in the metatype.xml of the HTTP Channel
6298	Update WebContainer.getCacheManager() to avoid NullPointerException
6323	Invalid archive files no longer prevent apps from starting
6348	Fix 500 error when servletPath is NULL
6371	Handle exception on call to connection.abort
6381	WLP 18.0.0.4 fails to rotate trace log on Windows
6408	Fix for connection wait timeout message not being translated.
6427	Connection wait time does not dynamically change to 0
6452	showPoolContents waiting connection requests value is incorrect
6490	Test Failure (20190203-0423): PolicyExecutorTest.testConcurrentUpdateMaxWaitForEnqueue
6518	Redundant log file in workarea after sever start with errror: java.lang.IllegalArgumentException: The property 'osgi.configuration.area' ... is being overriden ...
6524	SSL Channel throws NullPointerException during stress

Fix pack 19.0.0.1

Fix release date: 8 February 2019
Last modified: 8 February 2019
Status: Superseded

Download Fix pack 19.0.0.1

Component	Security APAR	APAR	Description
General		PH02684	Add an openIDConnectClient configuration option to allow token reuse
		PH07247	Unnecessary HttpHostConnectException FFDC logged for usage metering
JavaServer MyFaces (JSF) Apache MyFaces implementation		PH06135	JSF 2.0 throws a NullPointerException during server shutdown
JavaServer MyFaces (JSF) Apache MyFaces implementation		PH06389	JSF can leak JarFiles causing problems with application removal
Liberty z/OS		PH05262	Calling request.login() from a servlet does not sync the ID to the thread
		PH07190	It is difficult to debug problems when the Liberty server connects to a earlier angel process
		PH07213	Ship assembler dsects for smf120 subtype 11 and subtype 12 records
		PH07486	Liberty generic MODIFY HELP output is too verbose
Web Container		PI80786	Http 500 is returned from a request with too many parent directories (forward slashes) in the url
		PH05787	ConcurrentModificationException
Web Services Security	✓	PH07297	Denial of Service vulnerability in Guava (CVE-2018-10237)

Open Liberty Release fixes

Issue/PR	Description
3553	Set 400 status code for invalid URI
3645	User ID is not synced to the thread during HttpServletRequest.login()
4809	Remove internal designation/updates for servletPathForDefaultMapping/make servlet-4.0 default / tests
5077	3645 sync user during login
5341	Modify default ldapRegistry-3.0 read timeout to be 1 minute
5772	AppClassLoader does not correctly handle null response from ClassFileTransformers
5785	CWWKS9582E: The [defaultSSLConfig] sslRef attributes required by the orb element with the defaultOrb ID have not been resolved within 10 seconds.
5798	H2: Separate Continuation Frame Checking Between Read And Write
5862	ConcurrentModificationException happens when a web application receives a large number of requests immediately after it starts.
5963	DataSourceDefinition, ConnectionFactoryDefinition, and AdministeredObject properties should not be path normalized
5970	trackLoggedOutSSOCookies setting causing multiple login failure
5976	ConcurrentModificationException from ReferenceContext starting web application
5983	5785-orbssltimeout2-commit1
5992	JarFiles never released by JSF
6020	Fix Open Liberty Windows Service name in server.bat
6036	PollingDynamicConfig tasks can be leaked
6042	Hot update broken in 18.0.0.4
6058	Invalid connection pool Prometheus metric format (monitor, mpMetrics)
6073	OL 18.0.0.4 server package does not package loose application as war
6113	Pull MYFACES-4251 to JSF 2.3
6123	Trace Specification logging level "off" does not work
6152	NamingException masked when listing entries in a JNDI context

Fix pack 18.0.0.4

Fix release date: 14 December 2018
Last modified: 14 December 2018
Status: Superseded

Download Fix pack 18.0.0.4

Component	Security APAR	APAR	Description
DynaCache	✓	PH02049	Cross-site scripting vulnerability in cache monitor (CVE-2018-1767)
General		PH02212	Application with CDI 1.2 in Liberty 18.0.0.2 fail to start
		PH02361	WebSphere Liberty OIDC client implementation is proxy-unaware
		PH02742	NPE when doing direct forward operation
		PH02750	java.lang.classCastException occurs in OidcClientImpl.logout
		PH03409	Seemingly erratic thread pool growth during low or no-load situations after upgrading to 18.0.0.1
		PH04652	WebSphere Application Server Liberty for z/OS provides no metrics for usageMetering-1.0
		PH04653	Updated CPU limit (--cpus) not recognized by usage metering feature
		PH05071	JVM hang when calling GarbageCollectorMXBean.getLastGcInfo for usageMetering-1.0
		PH06256	CWWKS1739E: A signing key required by signature algorithm [RS256] was not available when upgrading to 18.0.0.3
		PI97786	eclipselink throws "argument type mismatch" for jpql case expression
		PI99263	ServletContext.getRealPath() returns null for resource in extended document root
Install V8 and above		PH03040	Fixpack 18.0.0.3 cannot be installed on IBM i
Install V8 and above		PH04137	Updating WebSphere Liberty for z/OS to fix pack 18.0.0.3 fails with NullPointerException
JavaServer Pages (JSP)	✓	PH02063	Potential security bypass in WebSphere Application Server with Expression Language library (CVE-2014-7810)
Liberty z/OS		PH02955	Unable to use SAF Keyring for collective SSH communication
		PH03549	When the zosWlm-1.0 feature is enabled. the health indicator of the server is only ever set to 2 percent
		PH03768	EntryNotFoundException SAFGRP is not a valid group
		PH04243	EC3 abend reason code 20F00600 occurs after a 422 abend
		PH04282	Error authenticating when Liberty server tries to connect to a back-level angel process
		PH05100	OutOfMemory failure in Liberty under CICS when connected to an angel process
Messaging Providers		PH00027	After migrating to WebSphere Application Server V9, the CWSID0046E error is seen in the logs
Systems Management Functions		PH03232	Incorrect server state reported in a multicontroller collective
Virtual Member Manager (VMM)	✓	PH02811	Privilege escalation vulnerability in WebSphere Application Server (CVE-2018-1901)
		PH04136	Attempt to create user in SCIM returns 500 HTTP status code with DefaultParentNotFoundException message
		PH04147	Attempt to update user ID in SCIM returns 500 HTTP status code with IllegalArgumentException message
Web Services (JAX-WS, JAX-RS)		PH02234	Issue when processing the caller token for UsernameToken
Web Services (JAX-WS, JAX-RS)		PH03014	A property is set in the RequestContext but the interceptor does not read this property resulting in a NullPointerException
Web Services Security		PH03004	CWWKS1721E: The resource server received an error it was attempting to validate the access token z/OS Connect EE
Web Services Security		PH05414	OpenIdConnect client subject might not contain Id Token
WebSphere Compute Grid		PI87244	Firewall prevents the Liberty Java batch tool from displaying job logs

Open Liberty Release fixes

Issue/PR	Description
1438	JAAS login module shared library is missing protection domain
3113	ArrayIndexOutOfBounds in LdapConfigManager.setFilters()
3919	Future does not return immediately when timeout fires when using timeout with Async
4132	full tmp dir prevents server from reading server.env during startup
4135	Pull in MyFaces 2.3.2 once released
4202	Migration of JMS delivery delay.
4332	Need to fix first line of output from Liberty JSON log format to actually be JSON
4535	LogRecordContext API is missing from /wlp/dev/api/ibm jars
4760	Expose a couple of packages to the thread-context in jsf-2.3
4792	Fix BundleContext is no longer valid error on server shutdown
4853	Provision compatible javax.annotations API for SpringBoot applications
4873	Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
4898	H2: fix some HTTP/2 code and test issues uncovered by further parallel stream stress testing
4912	Fix missing doPriv in unwrap
4913	JSR375: When JASPIC is enabled, a login panel pops up even EVERYONE role is assigned
4955	Externalize multiple httpOptions
4960	Faces servlet mappings defined in web-fragment.xml do not work - jsf-2.2
5045	Add a recursion counter for messagehandlers into BaseTraceService
5076	NullPointerException in ClassLoadingServiceImpl
5088	SpringBoot applications fail to start when a non jar file is in the library directory
5094	Fix NPE in servlet service which may happen when WebSocket is used
5114	Test Failure (Liberty - Mac EBC - 20180915-0112): PolicyExecutorTest.testStartTimeout
5126	HTTP/2 engine must tolerate priority frames received in any state and better handle flow control problems
5149	update openidconnect client way of sending credentials to userinfo endpoint
5154	Flush queued actions when an app is removed
5164	/metrics output got truncated on Japanese locale
5244	MYFACES-4252 Classpath._searchDir can throw NullPointerException
5277	Fix Java 2 Security access issue in kernel DefaultFileStreamFactory
5293	Deadlock in ZipFileArtifactNotifierImpl
5339	H2: Fix race condition in multi-stream writing logic
5345	Improve our serviceability around page search and chasing referrals for Ldap
5363	MP Rest Client does not honor MP Config-specified providers
5383	Occasional HTTP/2 MessageSentException: Message already sent
5395	SSL config not used by RestClient
5425	JAX-RS Client does not pool HTTPS connections
5428	Fix bug in server package server-root command
5441	JMSContextInjectionBean uses deprecated CDI method
5453	Microprofile appProperties element not showing up in schema
5465	Pull MYFACES-4260 to both jsf-2.2 and jsf-2.3 features
5483	release bug: implement PH02361 in development stream
5498	When using advanced connection manager property numConnectionsPerThreadLocal and connection fail during cleanup, the connection managers connection pool may fail to remove failing connections resulting in no connections being available.
5510	Deliver fix for CVE-2014-7810
5557	OpenId Connect clients might exhibit a thread leak
5560	MessageSentException intermittently during flushBuffers
5585	EJB timer ScheduleExpression serialization incompatibility
5590	Failed to createMinimumEscapeHandler for unknown jaxb class
5637	Expose jsf 2.3 org.apache.myfaces.push.cdi to thread context class loader
5647	Fix --include default to have /usr for server and shared folder
5779	Too many threads during low-load operation
6002	CWWKS1739E error may occur when using OpenID Connect in 18.0.0.3

Fix pack 18.0.0.3

Fix release date: 21 September 2018
Last modified: 21 September 2018
Status: Superseded

Download Fix pack 18.0.0.3

Component	Security APAR	APAR	Description
General		PH00304	The maximum connections setting of a data source's connection pool is not always honored
		PH01447	Improvement to SSL Closing Handshake
		PH01499	APAR for OLGH4402
		PH01610	Application fails to start due to JAXBEXCEPTION after upgrading to 18.0.0.2
	✓	PI99176	Information disclosure in WebSphere Application Server Liberty (CVE-2018-1683)
		PI99600	AccessControlException thrown when connecting to Health Center with Java 2 Security enabled
		PI99672	Remove the first_rows hint from Oracle V10+ pagination queries
Intelligent Management Component		PH00735	Null Pointer Exception when HTTP or HTTPS ports blank in server.xml
Java Persistence API (JPA)		PH01681	Then and else expressions should be case result instead of case operand type
Liberty z/OS		PH01179	Duplicate entries of the BBGZSCFM module are listed in the output of IPCS LPAMAP
		PI96910	ICH error messages are not issued during Liberty startup when checking for access to BBG.SECPFX.* and APPLl profiles
		PI97659	Display memlimit value and source as well as region information in Liberty log at startup
		PI98758	Setting enablefailover to false for the safregistry can produce misleading messages if authorized services are not available
		PI99411	The Liberty message log DD is not configurable
Security	✓	PH01295	Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755)
		PI97676	Message CWWKS1100A may be misleading
		PI99285	User login fails when configuring zOS mapDistributedIdentities
Systems Management Functions		PH00435	Collective controller logs NoSuchElementException from LivenessMontiorV2
		PH00566	Member should fail over after continuous 2 minutes sendHeartBeat failure
		PH00730	The unnecessary information should not be generated in repository dump file
		PH00926	Collective repository dump should include non-sensitive host and jmx auth information to help diagnose issues
Virtual Member Manager (VMM)		PH00881	SCIM does not return paged results for requests that do not include the 'count' parameter
		PH01668	SCIM incorrectly returns 500 on MaxSearchResultsExceeded
		PH01863	SCIM updates to users can result in attributes being marked for deletion that were not designated for deletion by the request
		PI99257	Requests to SCIM to retrieve a resource by ID that do not include an ID result in an 500 HTTP status code
		PI99317	Request to SCIM "groups/{ID}" endpoint specifying "members" attribute does not return the group members
Web Container		PH00448	A CWWKE0702E message is printed when the webCache-1.0 feature is enabled
Web Services (JAX-WS, JAX-RS)	✓	PH00401	Potential man-in-the-middle attack in WebSphere Application Server Liberty for JAXWS(CVE-2018-8039)
	✓	PH01221	Potential man-in-the-middle attack in WebSphere Application Server for JAXRS (CVE-2018-8039)
Web Services Security		PH12959	OAuth provider does not update settings in the consent cache
	✓	PH03418	Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty (CVE-2018-1851)
		PI95405	Liberty may not find key in JWK by x5t
WebSphere Compute Grid		PH02256	File access exceptions when running a Java Batch application with syncToOSThread enabled

Open Liberty Release fixes

Issue/PR	Description
2489	Global error when there are no registries available (Ldap,etc) for VMMService
2659	Capture security context from Java Batch thread when syncToOSThread is enabled
3422	Check for override of default configuration and ignore
3489	MP Rest Client does not use Liberty SSL config when making outbound requests
3522	Update Xalan library
3853	basicRegistry-1.0's 'ignoreCaseForAuthentication' attribute does not apply to getUsers(...) method
3952	Add global error when user registry is not found
4002	Incorrect CWWKZ0022W messages printed with VirtualHost Usage
4016	Quiesce should not be blocked by application start
4028	Liberty 18.0.0.1 startup issues with Arabic locale
4040	Make RC consistent for starting liberty as a Windows Service
4044	Server failure before framework startup can leave JVM running
4158	Need to squelch "Could not obtain lock" errors appropriately
4186	Need to improve config dropins processing
4203	In 18.0.0.2 an IllegalArgumentException can occur when "maxParamPerRequest="-1"
4211	Java 2 security issue in org.apache.cxf.transport.https.HttpsURLConnectionFactory
4244	Add global error when user registry is not found
4272	When a thread is interrupted waiting for a connection from the connection manager, maximum connections will be decremented.
4275	NPE in JAXRS client when OpenTracing is included
4310	Spring boot application deployment in Liberty throwing Class cast exception
4341	PageControl's 'startIndex' is not honored when 'size' is greater than results
4345	Add doPrivileged code for InetAddress related activity in messaging
4346	Add doPrivileged code for InetAddress related activity in IIOP
4368	ConcurrentModificationException when a JAXRS API has multiple consume and/or produce MediaTypes
4392	Fix server hang issue when bootstrap.properties variable is incorrectly specified
4402	Format problem with logs when traceFilename=stdout and traceFormat=ENHANCED / BASIC
4462	NonPersistent EJB timer dying if timeout throws exception on last retry
4465	RejectedExecutionException: Trigger.getNextRunTime: null creating EJB timer
4505	SSL Closing handshake improvement
4521	Install kernel does not throw exception if already installed features are specified again with a different capitalization
4530	Install kernel map installs features without wlp/bin and wlp/dev contents
4531	ManagedScheduledExecutor tries to run tasks during server shutdown
4550	Injection race condition in JAX-RS during startup
4609	Maven features should provide transitive dependencies for stable API, third-party API
4619	PersonAccount's and Group's get(String), isSet(String), and unset(String) methods may throw NullPointerExceptions
4666	Correct getServletPath for default mapping
4712	release bug: mpjwt JsonWebToken.getAudience() return type noncompliant with spec when no audiences present.
4717	Update Yoko to favour CSI endpoints

Fix pack 18.0.0.2

Fix release date: 29 June 2018
Last modified: 29 June 2018
Status: Superseded

Download Fix pack 18.0.0.2

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI92477	WELD-2447 ClientProxy serialization support should be container agnostic
		PI95074	WELD-2466 null pointer exception in webservice calls
DynaCache		PI94514	NullPointerException occurs using a MetaDataGenerator
EJB Container		PI95215	MessageEndpoints are notProperly released
General		PI95821	StabilizeProduct Insights Enablement
		PI96187	Update bluemixUtility command for data sovereignty regulations
		PI96735	Access log "maxfiles" attribute not working as intended with value of 0
		PI97234	APAR for OLGH2631
		PI99031	Garbage collection events not captured by logstashCollector-1.0 for IBM Java 8 SR 5 FP 6 and above
Intelligent Management Component		PI92330	CWWKS2910 error when using dynamic routing in Liberty on z/OS with SAF security
Java Persistence API (JPA)		PI92847	JPQL with trim is not handledProperly and it results in DatabaseException
		PI93064	EclipseLink throws ORA-00932 for CLOB fields in an ElementCollection
		PI94027	EclipseLink JPQL generation for nested arrays with 'in' expression
		PI95283	EclipseLink InsertObjectQuery concurrency failure
		PI95766	db representation of boolean values withPostgres is incorrect
		PI97483	Eclipselink re-sorts insert and removes statements within a transaction
		PI97786	Eclipselink throws "argument type mismatch" for JPQL case expression
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI93972	Classloader issues in JSFExtensionFactory can cause NPE
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI94947	Update of composite component within ui:repeat does not work
Liberty Administrative Center		PI98574	If Liberty Admin Center was accessed via reverseProxy,the Liberty server made an unnecessary request back to theProxy server
Liberty z/OS		PI82554	WebSphere Liberty AngelProcess does not identify its version and fix pack level during start-up
		PI90719	Command line script to detect if commandPort is enabled, for use duringPause/resume request
		PI93922	SMF120-11 timeused and starttime is only set for a forwarded servlet
		PI95864	Specifying an angel name of "" for the server does not register server to default angelProcess
		PI96813	It is difficult to automate WebSphere Liberty from messages on the z/OS console
		PI96954	Liberty on z/OS memory leak in 64bitPrivate due to native DirectByteBuffer support
		PI97611	ABEND0C1 in ntv_getAngelVersion with WebSphere Liberty version 18.0.0.1
Security		PI89624	CWWKS4106E: LTPA configuration error in Liberty
		PI95717	suppressUncoveredHttpMethodWarning configuration does not work
		PI96014	Authfilter in Liberty not matching when multiplePaths are defined
		PI96597	There is an issue with the cache
Systems Management Functions		PI95994	Deploying docker container as liberty collective member failed with error "already appears to be a member."
Systems Management Functions		PI97924	Improve the error handling of a Collective join command using sshPrivateKey option
Virtual Member Manager (VMM)		PI96814	SCIM returns HTTP status code 500 whenPassed an invalid filter
Web Container		PI93226	SRVE0266E : Error occured while initializing servlets:java.util.ConcurrentModificationException
Web Services (JAX-WS, JAX-RS)		PI97288	Attachments behavior change in Liberty after migrating from tWAS
Web Services Security		PI94599	Intermittent NPE in SocialLogin feature when a running server is reconfigured
		PI96012	Client authentication JWTS require "sub" claim
	✓	PI96884	Information disclosure in WebSphere Application Server Liberty (CVE-2018-1553)
WebSphere Compute Grid		PI90716	Liberty z/OS CWWKY0035I: An exception occurred while trying toPersist job java.lang.IllegalStateException: no match found
		PI90961	Liberty on z/OS: Batch JMS dispatcher change to lazy access of connection factory
		PI93514	JobPurge request deletes the batch db records even when the executor JVM is stopped
		PI98247	After batch events config change,atchManagerZos hangs waiting for job completion; batch job log events notPublished correctly
		PI98295	The dispatch (JMS) message for a stopped job can, if later consumed, cause a later restart execution of that job to fail.
		PI99138	Repeated delivery of Batch job dispatch JMS message resulting in ClassCastException each time

Open Liberty Release fixes

Issue/PR	Description
1261	LDAP registry with global class mapping in groupMemberIdMap adds "objectclass=*" to Group searches
2792	On restart of a Java Batch job, deserialization fails when checkpoint objects contain array type fields
2877	JSP engine unable to find tag files within loose JAR file
3045	Send and receive Strings in SIB messages using strict UTF8
3102	In 18.0.0.1, the minify option is not making the runnable JAR package any smaller
3103	Access Log "maxFiles" attribute not working as intended with value of 0
3106	Kernel Service MBeans not properly exposed
3127	Federated repositories does not restrict the names of extended properties
3132	Package `com.ibm.websphere.kernel.server` is not exposed as IBM-API
3140	Default app classloader ProtectionDomain set by common libraries
3160	AsyncIO native direct ByteBuffer leak
3198	Avoid full deserialization within ObjectMessage.toString()
3226	NullPointerException from EJSContainer.postInvoke() method
3233	Close streams for repositories represented by a single JSON file
3248	Add mapping of all JSP files in web module into the generated_web.xml
3280	Test Failure (20180420-0319): LoadTest.testCommitAndRollback RuntimePermission denied for WSJdbcTracer invoking newProxyInstance
3383	ldapRegistry-3.0 does not configure a read timeout for JNDI connections
3490	PI96086 - Nested EJB Async method calls not honoring nested get(timeout, unit) timeouts
3520	suppressUncoveredHttpMethodWarning does not work
3533	Redeploying WABs leads to OutOfMemoryError
3577	JAXRSClientImpl.target(UriBuilder) fails with IllegalArgumentException when client built with input containing a template variable
3578	Batch runtime should only transition to InstanceState.JMS_CONSUMED from JMS_QUEUED state.
3700	java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc.PgPreparedStatement.getLargeUpdateCount is not yet implemented.
3739	Failure to load JPA PersistenceServiceUnit used by Batch feature using V2 version of JobInstance entity.
3752	Connection leak if failure occurs while managed connection is being constructed
3779	Update EclipseLink binaries from 2.6.6.WAS-3e5c71a to 2.6.6.WAS-0ab4033
3785	Security exceptions thrown when trying to use IIOP with Java 2 security
3851	JAX-RS Client APIs fail when attempting PATCH method over HTTPS on IBM JDK
3889	Validate paths within WAR files

Fix pack 18.0.0.1

Fix release date: 16 March 2018
Last modified: 16 March 2018
Status: Superseded

Download Fix pack 18.0.0.1

Component	Security APAR	APAR	Description
General		PI93106	Product insights attempts to send usage after failed registration
Java Persistence API (JPA)		PI92398	Under certain conditions OpenJPA can insert an embeddable into the Datacache map
		PI95871	Wrong context Classloader in org.apache.openjpa.enhance.pc
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI87954	Hung thread issue in MyFaces _getMetaDataTarget
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI90391	Fix bug MyFaces-4045 in IBM myfaces implementation
Liberty Administrative Center		PI93411	Saving changes to member's configuration files via Admin Center's Server Config tool get applied to the controller instead
Liberty Kernel		PI94763	Fileupload causes NullPointerException on getHeader() call
Liberty Kernel		PI94116	Open Liberty rollup for 18.0.0.1
Liberty OSGi Application		PI88291	Slow start of the web services and error during the startup of the services
Liberty System Management		PI92311	Memory leak in liberty swagger library during application stop/start
Liberty z/OS		PI91275	Add an informational message to WebSphere Application Server Liberty on z/OS logs to indicate which angel process is used
		PI91511	SMF 120-11 UserData added from a filter does not show up in the final SMF record
		PI92070	WebSphere Application Server Liberty on z/OS WOLA CICS link server fixes for RTXSYS and RTX parameters
		PI92171	An intermittent performance degradation is observed with CICS v5.4 and Liberty 17.0.0.3 compared to Liberty 17.0.0.1
		PI92868	WebSphere Application Server Liberty on z/OS crash in CICS BBOATRUE during shutdown when embedded Liberty servers are at a mix of 16.0.0.3 and 17.0.0.3
Security		PI86784	Enable the function of enforcing URL hostname verification as an attribute on the ssl element of server.xml
	✓	PI90980	Potential spoofing vulnerability in WebSphere Application Server (CVE-2017-1788)
		PI91500	GetUserPrincipal().getName() returns garbled user ID on 17.0.0.3
		PI92764	Message CWWKS3005E issued when a Federated repository is configured
		PI94094	SAF API doc missing from Javadoc package in Liberty
Sessions		PI93474	Remove SessionManager instance when application is stopped
Systems Management Functions		PI92781	A Liberty collective controller sometimes logs a NullPointerException
		PI92828	Liberty collective intelligent management features may fail to function correctly intermittently
Web Container	✓	PI90804	Security vulnerability in Apache Commons FileUpload used by WebSphere Application Server (CVE-2016-1000031)
Web Container		PI92334	Application class loader is not set correctly in a thread during an async operation
Web Services (JAX-WS, JAX-RS)	✓	PI92494	Potential denial of Service in WebSphere Application Server Liberty for JAXWS(CVE-2017-12624)
		PI92886	Policy attachments not working as expected
Web Services Engine		PI92386	High CPU usage on Liberty when using IBM JDK
Web Services Security		PI88321	Liberty always honors RelayState during IdP-initiated SAMLWeb SSO
		PI93303	CICS_REGION_BUT_API_DISALLOWED surfaces using OAuth-2.0 feature
		PI93579	exp' is earlier than the 'iat' in OIDC token
		PI96273	Some 404 and 500 errors in OAuth or OpenID Connect might expose configuration information

Open Liberty Release fixes

Issue/PR	Description
402	Add stop command to readme file
407	Informative error message for collision with reserved resource adapter ids
938	Challenge when using request.authenticate with BasicAuthenticationMechanismDefinition
1047	LDAP paging failure recovery reuses cookie when switching failover servers
1102	Improve CDI performance by not loading too many classes
1125	Readd ability for hot replace for trace injection for IBM Java 8.0.0.6+
1142	MyFaces-4045 JSF 2.2 flow reentrancy fix
1143	RememberMe cookieName needs to support EL expressions
1150	Corrections to AnnotationTargetsImpl_Targets.isInstanceOf
1164	Fix Java 2 Security problems with Bean Validation 2.0 code
1173	Pull in MyFaces-4177 to JSF 2.3
1202	Fix for resetting autocommit for non transactional datasources
1204	Grant Hibernate validator accessPrivateMembers permission by default
1210	Channel.ssl FFDCs thrown during server shutdown
1232	Description of runIfQueueFull should refer to relation with maxPolicy
1243	Pull in MyFaces-4066 to JSF 2.3
1255	Fix and test issue where a connection error occurs on a free connection
1266	Fix JPA 2.2 Bindings Files
1267	Bean Validation CDI extension fixes
1272	Pull in MyFaces-4176 - Search expression fails to resolve component outside of form
1278	PI91306: UriInfo.getMatchedResources() does not return resource class information
1311	Update EL handling in database and LDAP identity stores
1320	PI87504: JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
1336	Release JACC policy context in post invoke
1344	Try to remove an existing SAF map before adding one
1349	Update Bean Validation 2.0 descriptions to mention providers used
1362	Thread context propagation for managed completable future
1372	In beans.xml, element causes ProcessAnnotatedType<> events to not fire
1382	Cannot register a second (synchronized) handler with an already active logging source
1384	ConcurrentModificationException when both Console and Message JSON handlers are configured
1424	If the command port is disabled when issuing a pause or resume request from the server script, issue a message saying so
1433	Fix Java 2 Security errors in LogUtils by ensuring getClassLoader calls are in doPriv
1439	Improve synchronization mechanism between BaseTraceService and MessageLogHandler
1459	Property com.ibm.ws.jaxrs.client.disableCNCheck not honored
1485	Fix NPE that may occur when multiple CDI-injected servlets are specified in the web.xml for a JAXRS application with load-on-startup specified
1498	Fix IOException not closing socket
1501	Fix JSF _ComponentAttributesMap performance issue
1504	Address CVE-2017-1000208 vulnerability in Swagger Parser for MicroProfile OpenApi
1520	Improve performance when JAX-RS applications are updated
1553	Web binding overrides are not properly recognized with autoExpand apps is enabled
1565	Fix exception when parsing faces-config-extension element
1578	Cannot use app-defined for Bean Validation
1597	SQLServer JDBC driver not recognized when defining a dataSource on
1599	Fix for JDBC getClass().getInterfaces() method calls
1607	Fix NPE in EJBAsyncRuntimeImpl.modified when updating asynchronous config
1671	Fix BundleException Cannot connect region 'system.bundle' to itself
1674	ServerEndpointControlMbean returns true when isPaused is called with an empty target
1685	Resource.getRequestPath returns incorrect path in JSF 2.3
1687	JDBC pool manager must avoid caching values obtained from the managed connection factory
1709	Fixed JASPIC error and exception messages
1731	Fix Java 2 Security errors related to JAX-RS getServiceReferences() and getService() methods
1743	Fix context class loader in servlet async dispatch or runnable
1758	Make consoleLogLevel default to an env variable setting first
1764	Fix NPE that could occur during MyFaces validation
1765	AccessControlException from JAX-RS 2.0 when servlet filter is used
1786	No longer WARN on 404 Not Found
1795	Fix writing of single-file-repositories
1865	PushBuilder.push error conditions updated
1911	AccessControlException from the EL API when using JSF 2.3
1935	Java 2 Security issues in batch-1.0 feature
1944	WebSockets for non-secure BASIC_AUTH adhere to session invalidation
1948	Avoid overwriting updates made to the session cache by another thread
1950	Implement HttpServletResponse.getTrailerFields()
1952	PI93226: ConcurrentModificationException during application startup
1963	Fix Java 2 Security issue with package minify
1975	Remove SessionManager instance when app is stopped
2010	Update HttpServletResponse setTrailerFields error conditions
2016	Ensure header names are non empty and accept empty header values
2022	Retrieve all values on multi-valued LDAP properties
2044	Return the correct HttpServletMapping during include, async and when using a named dispatcher
2050	Fix org.apache.myfaces.flow.cdi.FlowScopeBeanHolder incompatible across versions
2057	Handle null/empty contracts in JAX-RS Client.register(...) calls
2067	Fix CWWKS4106E: LTPA CONFIGURATION ERROR IN LIBERTY when using PKCS11Impl provider
2071	Fix for garbled User Principal when binary data is retrieved from registry
2086	Throw IllegalStateException in SseEventSink.send when SseEventSink is closed
2143	Fix batch runtime table version determination
2150	Close JAX-RS sink on exception
2175	Fix ConcurrentModificationException during app startup
2251	Product information for replaced products should not be displayed
2270	Issue warning message when it is determined security not present
2336	Fix ConcurrentModificationException during app startup
2340	Fix JSON output of JSON console (remove duplicate basic messages and abide by consoleloglevel)
2358	Fix java.lang.NullPointerException in AccessLogger
2385	Fix NPE that can occur with certain logging configurations

Fix pack 17.0.0.4
Fix release date: 21 December 2017 Last modified: 21 December 2017 Status: Superseded Download Fix pack 17.0.0.4

Component	Security APAR	APAR	Description
EJB Container	✓	PI89936	Vulnerability in Apache Commons affects EJB Embeddable Container and JPA Client (CVE-2015-7450)
General		PI80333	Support CPU constraints in ProductInsights
		PI82233	Non-daemon threads are created with remote EJB using the IIOP transport
		PI82510	Liberty appserver automatically decompresses the bodies of incoming http-soap messages
		PI82557	TCP Channel access lists not documented
		PI84016	OpenJPA orm.xml default schema used over 'openjpa.jdbc.Schema' property
		PI84349	Liberty Oauth 2.0 may encounter a SQL syntax error for the option "LIMIT" during cleanup
		PI84428	ArrayIndexOutOfBoundsException from OpenJPA for query on EmbeddedId
		PI85402	EclipseLink does not recognize Java 9 platform
		PI86208	Cannot decode IOR due to ClassCastException
		PI86321	Liberty OpenID Connect Relying Party does not handle large id_tokens in implicit logins
		PI86840	Eclipselink generates sequence IDs incorrectly for @EmbeddedId classes that are shared across multiple entities
		PI86914	Correct mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
		PI87557	Null pointer exception when TAI returns NULL TAIResult
		PI87565	OutOfMemory issues from webcontainer component WebComponentMetaDataImpl
		PI88051	Application reload when a JSP file under WEB-INF is updated
		PI88485	The groupProperties membershipAttribute does not work when filters exist
		PI88618	CWPMI0010W was found in the messages.log
		PI88620	Performance degredation when federating SAF registry
		PI89003	Help tet for the BatchManager listJobs command is unclear
		PI89041	FFDC java.lang.IllegalStateException: Module has been uninstalled. occurs when dynamically configuring Liberty
		PI89278	Incorrect value of FreeConnectionCount
		PI89446	Product Insights throws NullPointerException
		PI89584	Certain early startup and product script messages are not properly translated into non-English languages
		PI89672	OutOfMemoryError in ArrayList containing objects of type com.ibm.ws.logging.internal.impl.IntrospectionLevelMember
		PI90013	30 second delays for remote EJB when running as a collective member
		PI90154	BluemixUtility fails to create/delete instances of Watson Discovery service
		PI90282	CWWKB015E IWMEJOIN return code 2,135 during servlet read listener
		PI90699	ProductInsights errors after resuming from 'sleep' state
Java Persistence API (JPA)		PI80863	Issue with the way OpenJPA caches and reuses query parameters for BETWEEN expressions when OpenJPA's QueryCache property enabled
Java Persistence API (JPA)		PI81260	OpenJPA does not pass-through SSL connection properties that set using openjpa.ConnectionProperties when creating Db2 connection
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI88288	jsf-2.0 MyFaces error handling cannot be enabled in production project stage
		PI88850	High CPU issues from org/apache/myfaces/
		PI89168	Protected-view not working in Liberty 16.0.0.4
		PI89363	ProtectedViewException for a protectedview access while checking the OriginJeader for appContextpath
		PI90507	Instances of action listener in a FaceLet are not being removed until app shutdown
		PI90509	Fix for MYFACES-3752
Liberty Application Services		PI69483	Removing IBM-App-ForceRestart header causes applications not restarted
Liberty Kernel		PI90930	Open Liberty Rollup for 17.0.0.4
Liberty z/OS		PI86596	Removal of possibly misleading FFDC z/OS liberty Async Servlet support
		PI90060	Messages occurring very early at startup are not printed to the MVS console when requested in the zosLogging configuration
		PI90429	When starting a Liberty server as a started task on z/OS from the server script there is no option to specify a job name
Performance Monitoring Tools		PI81367	java.lang.ClassNotFoundException dumped in the FFCD log file when PMI monitor feature is enabled
		PI87599	ConnectionPoolStats MBean was not available if enabled the trace with com.ibm.websphere.monitor.*=all
Security		PI88769	Liberty 17.0.0.2 is throwing ClassCastException when calling ibm_security_logout with Extreme Scale feature enabled
Session Initiation Protocol (SIP) Container		PI78794	The SIP Container fails to parse a message when the size exceeds 2048 bytes and double CRLF is sent before the message
Session Initiation Protocol (SIP) Container		PI79119	With number.of.parse.errors.allowed set to -1 WebSphere drops well formed requests
Systems Management Functions		PI81552	Application state becomes stale at the Liberty collective controller
		PI83274	Incorrect collective member status shown in Admin Center
		PI88296	Password protected ssh keys cannot be used for remote host authentication
Web Services Security		PI84359	OIDC WASReqURLOidcp cookie constantly grow when LTPA token expired
	✓	PI89103	OpenSAML used by WebSphere Liberty contains XML external entity (XXE) vulnerability (CVE-2013-6440)
		PI89575	LTPA cookie is not created in certain single sign-on scenarios
WebSphere Compute Grid		PI88583	In WebSphere Liberty 17.0.0.x Java batch executor fails with CWWKS0800E error

Fix pack 17.0.0.3
Fix release date: 17 October 2017 Last modified: 17 October 2017 Status: Superseded Download Fix pack 17.0.0.3

Component	Security APAR	APAR	Description
Dynamic Cache		PI78148	SRVE0014E from servlet caching
Dynamic Cache		PI78552	DYNA1064E is logged on some dynacache APIs when the underlying cacheprovider does not support disk caching
EJB Container		PI87472	EJB remote injection fails with NPE if ORB not yet available
Federated Repositories		PI05723	Handle long data type from VMM for extended properties
		PI79440	NullPointerException in URBridgeXPathHelper.getExpression()
		PI79452	NPE in LdapConfigManager.getSupportedProperties()
		PI81497	When one base DN is the subset of another in a federated repository, LDAP failures occur
		PM95697	LDAP contexts getting leaked after first connection exception
General		PI77400	BBOA1INV Fails with RC = 8 RSN = 44, FFDC invalid group name returned
		PI80363	Allow configurable maxFieldLength in the logstashCollector
		PI80397	Remote EJB call with the same object in multiple arguments fails
		PI80932	WSCredTokenCallbackImpl class is not visible to applications
		PI81056	Liberty server needs to retry starting the TCP channel after error CWWKO0224E due to hostname resolution error
		PI81124	Closing websocket session throws NullPointerException
		PI82101	Task retry not immediate after XAResource rollback
		PI82109	Provide support for CICS 5.4 in WebSphere Optimized local Adapters
		PI82218	JAX-RSResponses contain unnecessary Cxf-Content-Language header
		PI82296	AsyncContext.comple() fails when called from a readListener
		PI82327	java.lang.RuntimePermission error when destroying an upgradeHandler
		PI82364	For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
		PI82556	AppSecurity-2.0 does not include trustAssociation in Liberty
		PI82672	productInsights does not register embedded WebSphere
		PI82684	During server shutdown, if ProductInsights is trying to complete its first registration it may not cancel all of its tasks
		PI82994	filenotificationmbean may not notify the listener
		PI83111	Monitor function of AdminCenter does not display the correct value of "used connections"
		PI83159	JAX-RS resource methods report as not found when using scientific notation as path parameters
		PI83439	ClassCastException thrown when using remote EJBs in servlet with parent-last classloading
		PI83516	Using reference-listener along with service factory causes TransactionManager errors
		PI83682	ProductInsights not reporting used JVM memory correctly
		PI83713	Path template variables in JAXRS 2.0 do not support scientific notation
		PI83901	The context ClassLoader is not getting set properly when loading CDI extensions at app startup
		PI84036	JAX-RS Client must access endpoints via authenticating proxy
		PI84083	Usage data is not queued if connection to Bluemix Product Insights host fails
		PI84327	WebSphere Application Server Product Insights does not send in group name translations
		PI84487	Certificate login does not work with custom user registry on Liberty
		PI84842	The application's classloader is leaked when restarting the app
		PI85373	Open Liberty Rollup for 17.0.0.3
		PI85490	Deadlock caused by WsLogManager and SIB trace code
		PI85492	Commit of HTTP response in render_response(6)
		PI85683	Register Windows service and start/stop service for Liberty fails if it is installed in directories names with a space
		PI85783	Accumulation of org.apache.cxf.transport.http.osgi.HTTPTransportActivator objects
		PI85910	OIDC does not recognize x5c tag in JWK
		PI86198	Inconsistent aliasing between --jobParameterFile and --jobPropertiesFile in the batchManager and batchManagerZos CLI
		PI86443	Use of the JAX-RS multipart media type results in a java.lang.ClassNotFoundException: javax.ws.rs.core.MediaType
		PI87119	NullPointerException caused by external port component configuration
		PI87467	CDI injection into JAX-RS classes is broken when using multiple apps and one app is not CDI-enabled
		PI87504	JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Install V8 and above		PI88170	Block installUtility/featureManager install userFeature '--to=core'
Java 2 Connectivity (J2C)		PI82859	Incorrect value of connectionPoolstats
		PI86100	Intermittent sharing scope for data sources being created at the same time on two different threads
		PI87470	Unable to install resource adapter using loose configuration file
Java Message Service (JMS)		PI81329	NCSA access logs %B option output displays "-" instead of the size of the response in bytes
Java Message Service (JMS)		PI81864	ConcurrentLinkedList tailsequencenumberlock garbage collected
Java Persistence API (JPA)		PI77555	Eclipselink scrollable cursor results in a ClassCastException
		PI80863	OpenJPA caches and reuses the query parameters for BETWEEN expressions when OpenJPA's query cache is enabled
		PI81260	OpenJPA does not honor SSL connection properties for DB2
Java SDK		PI85250	Hung thread issue in myfaces _getMetadataTarget
Java SDK		PI86494	Messages returned from JSF APIS are in the incorrect order
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI82893	JAVAX.FACES.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL value affects display behaviour for required fields
	✓	PI87299	Information disclosure in Apache MyFaces affects WebSphere Application Server (CVE-2011-4343)
	✓	PI87300	Information Disclosure in WebSphere Application Server in JSF (CVE-2017-1583)
JavaServer Pages (JSP)		PI82529	HTTP transport encoding CP943C is used for JSTL params
JavaServer Pages (JSP)		PI83486	StackOverflowError generated due to the JSP TabLibraryCache recurses into loadWebInfMap with the value "/WEB-INF"
Liberty Application Services		PI87139	Configuration updates blocked by application restart
Liberty Application Services		PI87468	Schema lists invalid attributes for resource adapters and EJB applications
Liberty Debug and Tracing		PI83872	NullPointerException in MultipleCriteriaFilter when retrieving logs from Liberty binary log
Liberty Kernel		PI87138	Synchronization in ConcurrentServiceReferenceElement creates a performance bottleneck
		PI87471	Potential NullPointerException ServerXMLConfiguration.parseDirectoryFiles
		PI87480	AccessControlExceptions in Liberty kernel code
Liberty System Management		PI85828	Correcting algorithm for collective deployment using a local file
Liberty z/OS		PI78510	.pid directory created with wrong permission settings
		PI78787	WOLA ACEE copied from CICS invalid for TSS
		PI79017	z/OS connect cannot read request that came in with transfer-encoding=chunked
		PI79034	For products that embed Liberty, some bootstrap.properties do not take effect at server startup
		PI82088	Prevent Error loop when TDQ is unavailable for write
		PI83503	WebSphere Liberty servers with zOS connect failing to start with abend 0c4 in wolanativeutils.ntv_activatewolaregistration
		PI85520	Message CWWKO0229I is not issued when asynchronous I/O is configured
Messaging Providers		PI83027	Default threadpoolstats data cannot be retrieved due to InstanceNotFoundException
Performance Monitoring Tools		PI80861	The Japanese translated message for TRAS0115W is incorrect
Security		PI73345	Distributed identity mapping not working in Liberty z/OS
		PI84335	PasswordUtil API classes are not packaged in a separate PasswordUtil.jar file
		PI84597	Liberty z/OS trace includes unnecessary information
Servlet Engine/Web Container		PI81052	JSF portlets may not be able to obtain a session ID
	✓	PI88642	Information disclosure in WebSphere Application Server (CVE-2017-1681)
Virtual Member Manager (VMM)		PI79223	In Liberty VMM user registry cannot get groups for user from LDAP
		PI81923	LDAPRegistry contextPool defaults do not match documentation
		PI81954	LDAPRegistry attributesCache and searchResultsCache default timeout set too low
		PI85208	LDAP registry cache is not used in some cases to retrieve cached attributes
		PI85213	Federated repository may not use UniqueGroupIdMapping outputProperty when calling userRegistry.getUniqueGroupID
		PI85214	Federated repository passes internal properties to customRepository implementations
		PI86719	The LDAPRegistry contextPool timeout setting does not timeout after the configured time
		PI87461	Federated Repositories is returning principal name instead of unique name for getUserSecurityName
		PI87466	ArrayIndexOutOfBoundsException is thrown when groupMemberIdMap inside ldapRegistry is empty
Web Container		PI83141	WebContainer performance issue when under high load
Web Services (JAX-WS, JAX-RS)		PI64462	NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocalProviders.getContextResolver()
		PI86914	Correct Mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
Web Services Security		PI62735	The groupId(s) get lost in id_token and introspection
		PI68809	WebSphere Application Server XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
		PI78760	OIDC IDToken updates to the "sub" field do not take effect
		PI80166	OIDC provider does not recognize custom realmname from token
		PI80689	Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
		PI80741	OpenID Connect (OIDC) cookie not fully removed
		PI80963	Refresh tokens are issued unconditionally even for clients that do not require them
		PI94351	Secure flag is not set on the Liberty WASOidcCode cookie
WebSphere Compute Grid		PI72923	CDI injection of Java batch jobcontext fails with npe in the absence of an active job on the current thread
		PI81200	StepListner.afterStep cannot catch an exception thrown by ItemProcessor.processItem
		PI84639	batchManagerZos not available after minified server is extracted
		PI86175	Prevent job start and restart of the same job from occurring simultaneously
		PI86193	Support message delay/priority for Liberty Java Batch

Fix pack 17.0.0.2
Fix release date: 13 June 2017 Last modified: 13 June 2017 Status: Superseded Download Fix pack 17.0.0.2

Component	Security APAR	APAR	Description
Channel Framework		PI85709	Add watchdog timer to write waits on closing
Contexts and Dependency Injection (CDI)		PI72811	Allow excluded alternatives
		PI77286	Vetoed EJBs throw NullPointerException
		PI77514	CDI observer for @initialized(applicationscoped.class) is not called inside jar
		PI79787	Prevent WebSphere internal packages from being exposed to applications
		PI80901	Version numbers in symbolic names are too fine grained and can cause failover to fail between different versions of Liberty.
		PI82020	WeldTerminalListener is not registered
Database Access, Connection Management, Merant/DataDirect drivers		PI80335	DSRA8020E Error is thrown when using IBM i Toolbox JDBC driver with WebSphere Liberty
EJB Container		PI77856	EJB 3.x Stub class throws RemoteException for communication failure
EJB Container		PI79261	Deadlock with persistent EJB timers for Singleton beans
General		PI71956	CWWKE0108I is written to stdout
		PI74918	The umask values is not shown in the server logs
		PI75258	The CICS Link server abends when unable to write to a TS Queue
		PI75280	Attributes missing from the element httpOptions and throws warning message
		PI75512	Cleanup up websocket connection when outbound connection attempt fails at the app server
		PI75590	Corrections are needed to the documentation in the Knowledge Center
		PI77605	JAXRS Client APIs do not use configured SSL settings
		PI77615	JAXRS application start fails with ClassNotFoundException when JSPs are specified in web.xml
		PI77976	ConstraintViolationException when using @Valid annotation
		PI78177	When a websocket connection is closed while reading data an object leak might occur
		PI78260	Liberty jaxb-2.2 feature does not expose some xlxp2 packages
		PI78738	Loop while closing an SSL connection
		PI79260	ProductInsights reports incorrect product version and host name
		PI79275	JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.
		PI79391	ContainerRequestContext.hasEntity() returns true for a GET request.
		PI79987	Endpoint MBean information does not update when server.xml <httpEndpoint> is modified
		PI80082	JAX-RS 2.0 OPTIONS methods are not invoked when used in sub-resource locator classes
		PI80256	AccessControlException thrown when finding resources if Java 2 security is enabled
		PI80285	For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
		PI80314	Support for product insights in embedded server
		PI80315	The productInsights-1.0 does not support BASE ILAN edition
		PI80514	A jndiEntry config element with a value of "0" is parsed as a java.lang.String but should be a java.lang.Integer
		PI80631	Access Log file and ELK time stamps are not the same
		PI80632	Messages with digits in prefix of message ID have a blank messageId field in logstashCollector
		PI80719	Websocket race condition on writing data while closing can hang a thread
		PI81082	java.lang.ClassFormatError: JVMCFRE074 no Code attribute specified; is thrown
		PI81086	NullPointerException thrown when using a JAX-RS provider class without a public constructor
		PI81396	Unable to register a liberty server with product insights though an authentication required proxy
Intelligent Management Component		PI80237	Null return codes for health actions cause NullPointerException
Java 2 Connectivity (J2C)		PI78463	After configuring a connection factory for CICS RAR, the server issues J2CA8501E
		PI80357	JMS connection factories defined through annotations can fail to allocate connections
		PI81549	When using SQLJ context caching, auto commit and/or transaction isolation level become inconsistent
		PI81717	The WaitTime provided by the ConnectionPoolStats MBean is in nanoseconds when it should be (and is documented) in milliseconds
		PI81840	Bean Validation 1.1 @DecimalMin and @DecimalMax constraints inclusive property not working
Java Persistence API (JPA)		PI76834	Unable to use DB2 XML data type with EclipseLink JPA; Null pointer produced
		PI76902	NoSuchMethodException when a program is using CONCAT function
		PI78643	Eclipselink JPA/Auditing capablity in EE Environment fails with JNDI name parameter type
		PI79397	org.omg.CORBA.BAD_OPERATION when running a select SQL statement
		PI81076	ServerSession numberOfNonPooledConnectionsUsed can become invalid when Exception is thrown connecting
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI79562	Leading '/' in JSF context param-value throws StringIndexOutOfBoundsException
		PI80535	ClassNotFoundException due to classes not being exported to the thread context
JavaServer Pages (JSP)		PI79800	The JSP Engine is not processing EL expressions correctly when they are in large blocks of character data
JavaServer Pages (JSP)		PI80319	Failure to parse tag library when the taglib is defined in the application
Liberty Application Services		PI66702	Multi-address corbaname URLs do not fail over to the second address when the first address server is down
Liberty Application Services		PI81297	Application fails to initialize at startup with error CWWKZ0021E
Liberty Debug and Tracing		PI80225	JUL Traces do not show up in logstash collector / bluemix log collector when binary logging is enabled
Liberty Debug and Tracing		PI80844	Failure if running binaryLog view serverName from wlp/usr/servers directory
Liberty Kernel		PI78072	A server start may receive a java.util.MissingResourceException if started with a disabled command port
		PI78444	The server schema incorrectly includes some internal configuration attributes
		PI79123	ConfigUtility command line tool loosing equals sign on parameters ending with equals sign
		PI79878	Server create command (using Java 8) overwrites server.env file
		PI80744	SPI class, PathUtils is not normalizing leading double slashes
Liberty Log Analytics and Monitoring		PI80363	Allow configurable maxFieldLength in the logstashCollector
Liberty z/OS		PI77988	Update needed in module BBGZAFSM
		PI78510	.pid directory created with wrong permission settings
		PI78787	WOLA ACEE copied from CICS invalid for TSS
		PI78970	When the z/OS connect EE server is stopped and restarted, CICS issues an abend at the time of the WOLA rebind
		PI80072	Message CWWKB0392W is issued when the OTMA client name is specified in the zosLocalAdapters connection factory properties
		PI80252	The size of the Java heap grows over time when using the MSGLOG DD
		PI80650	Memory leak in SP132 KEY8 causes OUTOFMEMORY in Liberty
		PI80988	WebSphere OLA(WOLA) service request issues return code=8, reason code=96 when called from an IMS CCTL region
		PI82088	Prevent error loop when TDQ is unavailable for write
Performance Monitoring Tools		PI79203	The monitor-1.0 feature may not be able to monitor user runtime components
		PI80861	The Japanese translated message for TRAS0115W is incorrect
Security		PI72472	WSCredTokenCallbackImpl returns null even when token exists
		PI75111	Admin center does not work with AccessControlException after enabling Java2 security
		PI77129	MYFACES-3415 - [UI:REPEAT] Field value disappears if validation error exists on current site
	✓	PI77770	Potential cross-site request forgery with WebSphere Application Server enabled with OAuth (CVE-2017-1194)
		PI78245	An authData element without an ID causes a NullPointerException in the logs
		PI78445	CWWKS9580E message might be logged after modifying the CSIv2 configuration
		PI78730	Intermittent CWWKS9520E message issued when CSIv2 is enabled
		PI79444	AccessControlException when using the servlet log method
		PI95544	NPE thrown in method authorizeEJB()
Sessions and Session Management		PI73188	Session activeCount shows a negative value
Sessions and Session Management		PI81007	Incorrect messages were thrown at System output console when using JMX connector
Systems Management Functions		PI66988	Running collective command in z/OS results in FSUM7332 syntax error
		PI78497	When trace is enabled extra information is being included in the controller's trace file
		PI80320	apiDiscovery urls may not update properly on Liberty Admin Center
Virtual Member Manager (VMM)		PI78192	UserRegistry methods that throw RuntimeExceptions can cause federated repository failures
		PI79888	An sslRef on an LDAPRegistry without matching ssl config causes security init failure
		PI80547	Federated Repository's participatingBaseEntry element does not allow name attribute to be empty string
		PI81519	In WebSphere Liberty, the context pool timeout value is not honored on the LDAP Registry
		PI81555	The ldapRegistry feature does not properly process LDAP entities with RDN values that contain characters that need escaping
		PM76997	VMM certificate authentication fails when DN contains non-default X509Certificate attributes
Web Container		PI75166	TAI cannot obtain the SSL endpoint information using direct connection
		PI76699	Provide an option to override the default values for the ESI properties in the plugin-cfg.xml
		PI76891	Exception from com.ibm.ws.webcontainer.osgi.mbeans.PluginGenerator during server stop
		PI77629	NullPointerException if login is required to access a servlet which uses a ReadListener.
		PI78193	Returned default html error page has extra closing tags
		PI78633	Access control exception due to read permission of a property from Cookie class
		PI79334	Unexpected error when an application is initializing during server stop
		PI80313	Enable Post Data to be read multiple times.
		PI80668	ServletException when creating a servlet, filter or listener from a ServletContextListener with Java2Security enabled
		PI81688	Plugin config file generation fails after a configuration update is made to a Liberty server when it is running
Web Services (JAX-WS, JAX-RS)		PI77438	JAXB context creation is very slow in Liberty during Web service load test
Web Services Security		PI76629	Add authentication option to JWK endpoint invocation
		PI78760	OIDC IDToken updates to the "sub" field do not take effect
		PI80166	OIDC provider does not recognize custom realmname from token
		PI80689	Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
		PI80741	OpenID Connect (OIDC) cookie not fully removed
		PI81403	An error may occur if the string representation of a subject includes an ID token that contains a claim with a non-string list
WebSphere Compute Grid		PI78436	Using batch injection in joblistener results in NullPointerException
		PI79686	Slow response when using batchpersistence in Liberty
		PI80634	When trying to stop an already completed job the error message does not return with the correct jobInstanceId
		PI80635	CDI implementation does not support batch artifact loading via batch.xml

Fix pack 17.0.0.1
Fix release date: 14 March 2017 Last modified: 14 March 2017 Status: Superseded Download Fix pack 17.0.0.1

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI35470	Message bean instances injected with the CDI @New annotations are not @PostConstruct'ed
		PI55406	IllegalAccessException is emitted from InvocationContextImpl
		PI62583	IllegalArgumentException in CreationalContextImpl only when trace is enabled
		PI73139	CDI would not inject classes from a war file into an ear lib in single classloader mode
		PI75915	CDI failover does not work if bundles have different OSGI qualifiers
Database Access, Connection Management, Merant/DataDirect drivers		PI73351	DSRA0080E refers to original exception message {0} instead of actual message
		PI76168	After global transaction ends, the reported auto commit value can be inconsistent with the Oracle JDBC driver
General		PI68233	SSLSessionTimeout is not recognized as a valid attribute for sslOptions element
		PI71616	configUtility find or install throws a NoClassDefFoundError when using local repository
		PI73277	EclipseLink 2.6.3 does not support JPA-convertor for primitive data types
		PI74721	Errant timeout can occur with async sends in WebSockets
		PI75015	Memory leak in JAX-RS client.
		PI75022	Failure to parse a java.util.Date object when creating a new javax.ws.rs.ServiceUnavailableException.
		PI76688	Private lifecycle methods in JAX-RS resources are not invoked
Java 2 Connectivity (J2C)		PI60146	Connection sharing cannot be controlled in Liberty when using direct lookup
		PI71092	java.lang.UnsupportedOperationException when accessing a tested data source
		PI73350	Connection manager settings not honored
		PI74533	Setting an agedTimeout value of 0 on a connection manager results in J2CA8011E
		PI75426	Connection manager configuration intermittently ignored for application defined data source
Java Persistence API (JPA)		PI74104	EclipseLink might add unused table in generated query
Java Persistence API (JPA)		PI74284	The JPA Container calls EntityManager.clear() instead of EntityManager.close() on cleanup
JavaServer Pages (JSP)		PI72709	Asynchronous dispatch to a JSP file under the WEB-INF directory fails.
JavaServer Pages (JSP)		PI73022	JSP comments containing "%>" might throw a StringIndexOutOfBoundsException.
Liberty Application Services		PI74321	After upgrade to 16.0.0.4. NamingException and ClassCastException occur on JNDI lookup on IBM i
		PI75284	Intermittent NullPointerException from ApplicationStateMachineImpl when trace enabled or logging information in response to a failure
		PI75389	OSGi Applications can take significantly longer to startup after upgrading Liberty
		PI76368	A class that is both Remote and Serializable is mis-categorized during marshalling
Liberty Debug and Tracing		PI62350	Some server startup and early messages are not collected by logstachCollector-1.0 feature.
		PI74051	Transaction trace lacks PropertyPermission to read system property "com.ibm.tx.tracer"
		PI74318	Incorrect message IDs appearing on dashboard when using the Bluemix log collector
		PI76200	Stack trace is not included in the message field of liberty_message type
		PI76620	Filter tags in logstashCollector & bluemixLogCollector to avoid tags with special characters displaying oddly on dashboard
		PI76621	New message IDs need to be assigned to a few existing TRAS messages.
Liberty Kernel		PI72686	Removing and adding a feature can result in a warning message about duplicate metatype definitions
		PI73807	Some Liberty message IDs conflict with traditional WebSphere Application Server
		PI74527	Error CWWKZ0404E can occur when starting an application on Liberty
		PI74586	Liberty server does not start if jvm.options file contains spaces, after upgrade to 16.0.0.4
		PI74792	java.lang.NullPointerException when starting an .ear application with autoExpand="true" in server.xml
		PI76013	Resolution error for optional server config include should not create an exception
		PI76432	Exception could be thrown and logged during a server shutdown if listeners timeout during quiesce
		PI76607	Features that cannot be loaded because of Java version dependencies may still be reported as being loaded
		PI76755	Liberty metatype registry problem - metatype extension duration changed from LONG to STRING in 16.0.0.4
Liberty z/OS		PI50828	WLM support is ignored when running z/OS Connect in async mode
		PI66375	SPI for MVS MODIFY command support is documented to be externally available, but in fact is not available
		PI72065	Loop in Liberty z/OS server when AsyncIO is enabled
		PI72566	ABEND0C4 at BBGZSCFM+377E occurs during client bind
		PI72776	When WLP_ZOS_PROCEDURE is set the foreground JVM uses the full set of JVM options
		PI73559	WOLA service BBOA1URG fails with RC=12 RSN=240.
		PI73752	Suppress FFDC for com.ibm.io.async.AsyncSocketChannel 453
		PI74564	WebSocket-1.1 feature does not work in Liberty imbedded in CICS TS 5.3
		PI74875	Liberty Server hang in termination after a hard failure on z/OS
		PI74878	WOLA feature not started for 16.0.0.4 server using a version 4 Angel
		PI76238	Message CWWKB0392W contains no message text in messages.log.
Performance Monitoring Tools		PI75368	Slow memory leak might lead to OutOfMemory in Liberty
Performance Monitoring Tools		PI76212	Monitor capability breaks when different thread pool name is speicified other than "Dafault Executor".
Security		PI72135	An AccessControlException is issued when restoring the security context using the ContextService APIs
		PI72653	Web filters need to receive the AuthModule wrapped request or response when using JASPIC
		PI73266	AccessControlException issued even when permission was granted in the permissions.xml file
		PI76359	Process default SSL Setting not getting reset on a file update
		PI76408	The method signature for java.security.SecureRandom.nextBytes() is no longer synchronized.
Session Initiation Protocol (SIP) Container		PI76614	SIP Router is initialized more than once.
Session Initiation Protocol (SIP) Container		PI76615	Order of OSGI bundle could cause a class not found exception.
Systems Management Functions		PI74526	A collective name sporadically changes between its given name and the default name
Systems Management Functions		PI75433	Liberty collective member status becomes stale at the controller.
Web Container		PI71999	XML transformer factory changed during server start
		PI72223	The pluginUtility displays an untranslated message when using the merge action to merge plugin-cfg.xml files in a directory.
		PI72514	Application start fails to add context root in Virtual Host map
		PI72710	Response committed on return from Forward even when async is started.
		PI74499	Server quiesce not cleaned properly when write during close of upgraded connection goes asynchronous.
		PI75475	The WebContainer 'enableMultiReadOfPostData' config property was visible but not implemented.
		PI75528	The maxRequestSize optional attribute for MultipartConfig is ignored.
		PI76195	When the plugin configuration is generated it may not have one of the ports
		PI76271	CORS does not handle requests with PATCH methods correctly
		PI76351	ServletRequest.getRequestURI() returns inconsistent results after AsyncContext.start().
		PI76364	isFinished() could incorrectly return false in some scenarios
Web Services (JAX-WS, JAX-RS)		PI70234	Custom HTTP header blocks SOAPAction header
		PI76616	HTTP servlet requests could be matched to incorrect cross-origin resource sharing (CORS) configuration
Web Services Security		PI72558	OIDC client cookie is not removed after it is used
WebSphere Compute Grid		PI73040	Batch job log REST URLs are incorrect for a failed job execution
		PI73249	The ddlGen script may produce an empty file when run against a server with the Java Batch feature configured
		PI74813	When using the batchManagerZos 'status' and 'listJobs' commands, the usage of --instanceId and --jobInstanceId are not universal.
		PI74924	Job with Java batch COMPLETED status moves to STOPPING status after shutdown in executor.
		PI76622	Provide V2 and V3 versions of existing Batch REST APIs
		PI76632	Job executions REST API syntax is misleading
		PI76701	Java Batch purge command fails after a job execution did not initialize correctly
		PI76702	Java Batch jobs store JES job name and JES job ID with trailing spaces
WMQ messaging providers		PI61885	postCallWithException throws java.lang.IllegalStateException
		PI71691	BundleException happens when adding a feature to a running server causing a bundle to be reinstalled
		PI72136	Server startup fails with CWRLS0009E error due to failure in the transaction manager's recovery log service
z/OS		PI61450	Apache Wink does not remove quotes from the boundary value Content-type: multipart/mixed; boundary="simple boundary"

Fix pack 16.0.0.4
Fix release date: 13 December 2016 Last modified: 13 December 2016 Status: Superseded Download Fix pack 16.0.0.4

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI69193	ContextNotActiveException in SessionScoped bean preDestroy()
		PI70614	Clean up all resources on an application startup failure on cdi-1.0 feature
		PI71104	@Inject Principal does not work in mutli-threaded environment.
		PI71667	Application fails with WELD-001408: Unsatisfied dependencies for type Validator with qualifiers @Default
		PI71734	Failover does not work with CDI 1.2
Database Access, Connection Management, Merant/DataDirect drivers		PI68418	Purge policy ValidateAllConnections does not properly validate connections
		PI71587	Data source is not autodetecting MariaDB.
DynaCache		PI68741	HTTP status code 200 is returned to a client when the servlet or JSP throws an exception
DynaCache		PI71752	Plugging in an external cache provider does not work with the distributedMap-1.0 feature.
EJB Container		PI66621	ReferenceContextImpl caching empty list of targets for JSP classes
		PI67942	javax.servlet.HttpServletRequest.getRequestURI() might return a decoded value after dispatching
		PI69642	NullPointerException deleting stateful EJB
General		PI42673	Extra information in logs with Datasource custom properties
		PI67034	Access was denied for property org.apache.jasper.constants.jsp_servlet_base.
		PI67099	Provide option to add STS response header for HTTPs request
		PI68432	When user applications are using Websocket Decoders a slow memory leak can occur.
		PI69737	Errors are not logged when tasks submitted to managed executors fail
		PI70332	System property to enable SSL Channel timeoutValueInSSLClosingHandshake property
		PI71359	FFDC is produced for a NullPointerException in com.ibm.ws.tcpchannel.internal.SocketRWChannelSelector.updateSelector
Install V8 and above		PI68915	Default server.xml is incorrect
Install V8 and above		PI69133	Disk space validator returns NullPointerException.
Java 2 Connectivity (J2C)		PI68163	MQJCA1011: Failed to allocate a JMS connection
		PI68257	Connection manager might remain active after transaction manager has been disabled.
		PI69122	J2C pretest being used despite FailingConnectionOnly option
		PI69887	FFDC logged for resource adapter config property with getter that is named with "is" rather than "get"
		PI69957	Destination ID erroneously used for JCA 1.7 destinationLookup instead of JNDI name.
		PI70224	The value of ConnectionHandleCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
		PI71193	Illegal State Exception when transaction timeout occurs and abort is used
Java Persistence API (JPA)		PI65593	The database schema name cannot be configured with openjpa.jdbc.SchemaFactory
		PI66770	JPA returns incorrect results when using a native query and @SqlResultSetMapping
		PI67234	ServerPlatformException Server platform class is not valid: null occurs with JPA 2.1
		PI67790	java.lang.ClassCastException using JPA
		PI68028	EclipseLink throws ValidationException when using nested embeddables with the same attribute name
		PI68805	Potential leak of org.apache.bval.cdi.BValExtension$Releasable objects when using JAX-RS, CDI 1.2, and Bean Validation 1.1.
		PI70680	Deployment of persistence unit fails with DescriptorException
		PI70841	OpenJPA's ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException
		PI75607	javax.persistence.PessimisticLockException when javax.persistence.lock.timeout set to 0
		PI75608	Add EclipseLink support for Java 2 Security
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI67525	inputFile tag is not working properly on Liberty
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI70441	FlowBuilderFactoryBean Concurrency Issue
JavaServer Pages (JSP)		PI67257	An escaped EL expression is being run if an escaped dollar sign precedes the former expression
		PI69028	Null CodeSource location for classes loaded by JSPExtensionClassLoader
		PI69942	JSP property useJDKCompiler does not work in Liberty
		PI71436	A debugger does not stop at a breakpoint in a JavaSever Page (JSP).
Liberty Application Services		PI70600	Auto extracted web app files have incorrect timestamp.
		PI70848	When application autoExpand is enabled changes to an ear file are not detected by the Liberty server
		PI70870	ConcurrentModificationException in AppClassLoader when using the global library
		PI71116	When certain features are enabled the application property autoStart has no effect
Liberty Kernel		PI68170	Users of Liberty's OSGI EventAdmin service cannot change the topics of interest for a registered EventHandler
		PI70104	Starting a Web Application Bundle (WAB) can result in a deadlock sometimes when the WAB is installed and started dynamically
		PI70637	RuntimeException: Invalid call to WsByteBuffer occurs during shutdown
		PI71457	NullPointerException after a failure to bind an IIOP transport port
		PI71607	Schema for resource adapters contains an unused attribute.
Liberty System Management		PI69561	REST API Discovery missing APIs in web applications with multiple JAX-RS application classes
Liberty z/OS		PI67718	z/OS Connect is unresponsive to the STOP command from the z/OS Console
		PI69625	Liberty server at 16.0.0.3 may fail to start when using AsyncIO
		PI69886	When using the zosLocalAdapters-1.0 feature to talk to CICS, the CICS container LinkTaskRspContID already exists.
		PI70090	WebSphere Liberty "server" and native launcher handle a # in the middle of a JVM property inconsistently
		PI70896	Liberty Server hang in termination after a hard failure on z/OS
		PI71417	Startup time for Liberty for z/OS is unnecessarily slow.
Messaging Providers		PI62816	Allow more than one address to be specified in the remoteServerAddress field
Messaging Providers		PI70961	Corrections to messages in JMS Messaging
Performance Monitoring Tools		PI70900	Events get lost when the logstashCollector config gets updated
Security		PI62070	Full chain created in PKCS12 but not for JKS key store
	✓	PI62375	Potential code execution vulnerablity in WebSphere Application Server (CVE-2016-5983)
		PI69141	Make sure HTTPS URL connection default is set at the same time SSLContext is set.
		PI69161	Constrained delegation works only when Liberty trace is enabled
		PI69277	Java 2 Security permissions are not granted to a shared library when using the file element instead of a fileset
		PI69629	CWWKX8136W: Cannot validate the server identity
		PI69840	A NoClassDefFoundError or NoSuchMethodError may be thrown when accessing Swagger annotations.
		PI69870	IllegalAccessException on EL expression that processes isLast() of object referencing varStatus in JSTL for-each tag
		PI71525	NullPointerException when registering a Custom User Registry that returns a null realm name
		PI71585	NullPointerException when null password is passed into WSCallBackHandlerFactory
		PI71751	Provide better message when bad SSL configuration is used by CSIv2.
		PI71789	.InvalidNameException: Validation of the Collective DN failed. 0th element type was not dc
Systems Management Functions		PI69286	Non-ASCII names used in remote operations from a collective controller may become corrupted.
		PI69741	Remove extra information from trace file
		PI71792	New files added to a controller's configDropins/defaults directory are not replicated to other controllers in the collective.
Virtual Member Manager (VMM)		PI71825	CWWKS3006E error message seen during server shutdown.
Web Container		PI64898	AsyncListener onError not being called correctly
		PI65762	DestroyJavaVM() method call hangs and JVM fails to shut down when asynch servlet work has been performed
		PI67393	Polish the ReadListener
		PI68061	Option to display customized text for some server errors
		PI69220	A plugin-cfg.xml is generated with missing applications and future auto-generation fails.
		PI69803	A java.lang.NoClassDefFoundError error can occur when using the pluginUtility merge action.
		PI70063	A decrease in throughput can occur when many concurrent requests for JSP pages that make use of tag libraries.
		PI70184	WebSocket not working if application flushes without obtaining any outputStream or writer
		PI70873	java.lang.NullPointerException might occur during a request's cleanup.
		PI71851	Missing apostrophes in French and Italian pluginUtility text
Web Services (JAX-WS, JAX-RS)		PI70196	PI70196: ibm rest servlet cannot be mapped to two different urls:
		PI70313	Swagger API Explorer ignores protocol schemes for operations
		PI71238	IllegalArgumentException when getHours() is called
		PI71887	JAX-RS Client fails when running in OSGi bundles
Web Services Security		PI68101	JSON bits are missing from a URL when SAML authentication redirects a request
		PI68809	WSAS XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
		PI69415	Support configurable context root for OIDC client redirect url
WebSphere Compute Grid		PI70886	Java Batch REST: STOP request may not return JobNotRunningException even when the job batch status returns as COMPLETED.
		PI70887	An exception in the batch executor may cause a message to roll-back onto queue (and get re-delivered) instead of consumed.
		PI71718	Attempting to purge multiple job instances fails when their executions are not on the same endpoint
		PI71719	Batch REST request for job instance job log links fails with remote executions
WMQ messaging providers		PI68664	Record-level sharing (rls) is miscalculating the amount of data to be written to partner logs
		PI69183	APAR PI18414 may result in the recovery log service using incorrect sequence numbers.
		PI69314	ELException, Can not find @Transactional annotation
		PI69328	CWWKZ0403E error message occurs due to error Unable to acquire the global write lock in time.

Fix pack 16.0.0.3
Fix release date: 16 September 2016 Last modified: 16 September 2016 Status: Superseded Download Fix pack 16.0.0.3

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI38270	NullPointerException in InvocationContextImpl.configureTarget when destroying an already destroyed bean
		PI42311	EJB interceptors not called intermittently
		PI48614	NullPointerExceptions from CDI code
		PI51620	NullPointerException when doing injection with com.ibm.ws.cdi.immediate.ejb.start set to true
		PI58669	CDI javax.decorator.decorator annotation not working as expected
		PI61397	Ensure application scoped context is initalized properly and active during bean preDestroy
		PI64374	Race condition with session scoped contexts
		PI64812	Application ClassLoader leaked during application restart from CDI's RuntimeFactory
		PI65337	Use of CDI interceptors in stateless EJBs causes exceptions to be wrapped in WeldException
		PI66866	Memory leak occurs when an application is restarted
		PI67388	Move up Weld level to 2.3.4.Final from 2.2.16.Final.
Database Access, Connection Management, Merant/DataDirect drivers		PI66423	OraclePreparedStatement.getReturnResultSet and OracleCallableStatement.getCursor fail after unwrapping statement
EJB Container		PI60567	New system property to configure the EJB pool wait timeout
		PI62639	NullPointerException in CDIEJBManagedObjectFactoryImpl.getEjbDescriptor when creating EJB instance to pre-load the bean pool
		PI63571	AccessControlException: "accessDeclaredMembers" from com.ibm.wsspi.injectionengine.MethodMap.getMethods.
		PI63709	Application exception thrown from EJB constructor lost when @AroundConstruct interceptors present
		PI63821	Resource reference names starting with java:comp/env are ignored in ibm-ejb-jar-bnd.xml
		PI65205	FFDC for TransactionRolledbackException when using UserTransaction in stateful bean ejbRemove method
		PI66565	com.ibm.wsspi.resource.ResourceInfo not provided to ResourceFactory for <resource-env-ref> XML elements
		PI67070	Customer can get EJBExceptions related to non-persistent EJB Timers during server shutdown
General		PI60893	Deadlock caused by SIP Subscribe
	✓	PI61548	Potential Denial of Service in WebSphere Application Server if using SIP services (CVE-2016-2960)
		PI63871	NullPointerException in MemoryPersistenceManager
		PI64472	Automatically determine whether a submit or restart should be issued from the batchManager and batchManagerZos utilities.
		PI65456	Issuing "job.ended" CWWKY0010I message instead of "job.failed" CWWKY0011W message, upon job failure.
Install V8 and above		PI65506	Display proper asset list when embedded asset repo is missing during IM modify_add flow
Intelligent Management Component		PI59258	Dynamic Routing fails to recognize the application until Collective Controllers are restarted
		PI63212	Reload of web server with Intelligent Management causes CWWKV0008W messages on a Liberty collective controller
		PI66993	Health condition is not set to the Liberty server in the Docker container.
		PI67392	DynamicRouting does not have route information for Liberty Docker on initial deployment
Java 2 Connectivity (J2C)		PI63520	Parked connection created by PoolManager results in setting a pre-existing client ID to a MQ connection
		PI66424	J2CA7002E is logged when server is stopped while in the process of installing a resource adapter.
		PI67186	The value of FreeConnectionCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
Java Persistence API (JPA)		PI58114	ClassCastException when an equals comparison query is run on an entity with a composite @EmbeddedId
		PI64129	CDI applications that inject Validator or ValidatorFactory beans cannot be failed over in a cluster
		PI67305	EclipseLink assigns the same object instance to multiple embedded fields
JavaServer Faces (JSF) SunRI implementation		PI64899	When using the jsf-2.2 and beanValidation-1.1 features an OSGI warning message can be seen.
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI63135	Custom type conversion is sometimes bypassed in EL 3.0
		PI63633	Thread-safety issue in the underlying (Apache) JSF 2.0 code causes WebContainer threads to hang
		PI64195	@PreDestroy methods are not invoked on session invalidation for JavaServer Faces (JSF) javax.faces.bean.ViewScoped beans.
		PI64714	JSF message severities always set to ERROR after ValidatorException
		PI64718	Validators are not called when using selectManyCheckbox
JavaServer Pages (JSP)		PI64004	The scratchdir JSP attribute is not documented on Liberty
JavaServer Pages (JSP)		PI65333	A JSP error "unresolved compilation problem" is thrown during runtime
Liberty Application Services		PI62861	Server stop runs before the ServletContextListener implementation completes
		PI63542	ArrayIndexOutOfBoundsException may occur when doing a JNDI-lookup to a remote EJB that is located in another cell
		PI64494	Timing window in generation of Type Code objects from class TypeDescriptors, causes performance problems during JNDI lookup
		PI64806	java.lang.StackOverflowError on WAR
		PI65244	EJB connection helpers are both null
		PI65637	Starting an OSGi Application intermittently causes an endless loop.
		PI66570	IllegalStateException thrown on server shutdown
		PI67028	AccessControlExceptionthrown from AppClassLoader.getResources() call
		PI67672	Extended use of remote EJB may cause error mentioning Phaser parties.
		PI67674	Restarting ORB may cause socket bind exception
		PI67719	AccessControlException from JTMThreadFactory, JNDI lookup, and JmsManagedConnectionFactoryImpl
		PI67739	Configuring a non-default ORB may interfere with application client.
Liberty Archive Install		PI66992	z/OS IM offering failed to modify asset due to error 'Failed to load bundle com.ibm.was.determine.job.type'
Liberty Kernel		PI62609	When coreThreads and maxThreads are the same value, CWWKE1200W messages, which indicate a hung thread, may appear erroneously
		PI63436	Embeddable Liberty command wlp/bin/server fails to run on old bourn shell used by Solaris 5.10
		PI64318	Product validation error when running installUtility install
		PI67017	Apache Commons Compress was incorrectly added to Liberty's JVM classpath
		PI67231	Inconsistent installUtility/feature error messages when installing features or depending features not found on repository
		PI67665	Path normalization of configuration variables can cause unwanted modifications
Liberty z/OS		PI61412	HTTP access logs are not tagged on z/OS.
		PI61645	CWWKF0015I and CWWKF0014W messages are misleading
		PI63930	WEBSOCKET-1.1 feature does not work in Liberty Imbedded in CICS TS 5.3
		PI64823	zosRequestLogging-1.0 feature does record the SAF mapped user ID in SMF 120 subtype 11 records.
		PI65658	Liberty z/OS unauthenticated ID experiences ICH408I calling HttpServletRequest.login with syncToOSThread enabled
		PI65709	Storage leak in subpool 249 key 2 when using the zosLocalAdapters-1.0 feature.
		PI66150	Liberty server processes the start of WOLA workload to slowly
Security		PI60769	IIOP sslRef mismatch not clear in error message
		PI61592	Security context not propagated into JCA resource adapter
		PI62626	jacc-1.5 feature does not package a separate API jar file even though it exposes the API.
		PI62722	Attempting to start or stop a member from the Liberty Admin Center running in a collector on z/OS results in CWWKS2910E
	✓	PI63929	Potential open redirect security vulnerability in WebSphere Application Server Liberty CVE-2016-3040
		PI63949	When auth-method tag is not used in Liberty a NullPointerException is thrown
		PI64065	CWWKS9112W: Invalid run-as configuration for security-role name ApplicationRoleName in the application ApplicationName
	✓	PI64790	Cross-site scripting vulnerability in OpenID Connect client CVE-2016-3042
		PI65716	configUtility and collective command line utilities do not support the custom password encryption
		PI66628	The message when the custom password encryption is not available is not acculate.
		PI67237	AccessControlException issued when an API tries to obtain an internal OSGi service via the kernel service SPIs.
		PI67467	An intermittent MalformedURLException is issued during the server shutdown when Java 6 is used and there are permissions defined
Sessions and Session Management	✓	PI60026	Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)
Systems Management Functions		PI62640	Collective utility help text for --keystorePassword is incorrect.
		PI66520	A collective controller shared configuration file is removed after it is renamed.
		PI66522	A deploy rule without a defined restart command produces an exception during a deploy operation.
		PI66523	The --createConfigFile option of the collective utility allows the config file to be in the configDropins/defaults directory
		PI66524	The collective utility writes an unnecessary request to edit server.xml.
		PI67220	Liberty member in a Docker container ignores metadata defined in the admin-metadata.xml file included in the container.
		PI67221	Docker registry commands in the Docker deploy rule mistakenly prepend the repository with the user name.
Virtual Member Manager (VMM)		PI62392	Login failure if userFilter contains userAccountControl attribute
Virtual Member Manager (VMM)		PI63471	getUserDisplayName returning null when basicRegistry is configured
Web Container	✓	PI54459	Information Disclosure in WebSphere Application Server Liberty CVE-2016-0378
		PI58875	Application is started even though there has been a listener exception during application start up
		PI61651	An uncaught exception in javax.servlet.AsyncListener.onComplete() might cause threads to hang
		PI63193	SRVE8094W might happen even if invokeFlushAfterServiceForStaticFile=false
	✓	PI65853	WebSphere Application Server Web Container affected by Apache Struts vulnerability (CVE-2016-3092)
	✓	PI67093	Information disclosure in IBM WebSphere Application Server CVE-2016-5986
		PI67470	ConcurrentModificationException thrown on getServletWrapper when serveServletsByClassname is enabled
		PI67832	FFDC created when a feature is removed from server.xml.
Web Services (JAX-WS, JAX-RS)		PI64462	NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocal Providers.getContextResolver()
		PI67586	ConcurrentModificationException in org.apache.cxf.jaxrs.JAXRSServiceFactoryBean
Web Services Security		PI66148	OIDC Client Service is not thread safe
Web Services Security		PI66354	OAuth provider does not encode non-ASCII characters properly
WMQ messaging providers		PI45254	Collect more serviceability data for transaction log service
		PI65127	Deadlock issue in tranlog database
		PI65412	Transaction service may fail to log data correctly when its logs are stored in a database and connection failure occurs

Fix pack 16.0.0.2
Fix release date: 24 June 2016 Last modified: 24 June 2016 Status: Superseded Download Fix pack 16.0.0.2

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI58316	Changes to JSP in EAR or WAR not picked up if CDI-1.2 feature enabled
Contexts and Dependency Injection (CDI)		PI61971	CDI forces a creation of an extra session, which causes memory usage issues.
DynaCache		PI59818	Servlet and Object Cache services are initialized multiple times during Liberty startup causing delays and exceptions
EJB Container		PI58029	Classloader leak associated with PCRegistry
EJB Container		PI59443	A method named ejbCreate on a managed bean may be treated as a post construct interceptor method
General		PI52696	WebSphere Application Server proxy - Too many open files
		PI53321	Using WOLA with CICS version 5.3 causes BBOX abend
		PI54666	NullPointerException when using IPv4/IPv6 loopback addresses
		PI55413	CICS BBO (WebSphere) link server abends with WRITEQ TSQ BBO* error eibresp: 16 eibresp2: 0
		PI57228	The HTTP Channel consumes additional memory, in specific circumstances, when processing inbound data.
		PI58457	Quotes are automatically added to the cookie Path attribute on version 1 cookies
		PI58692	NullPointerException when using batchManager to purge and no arguments specified
		PI58800	High CPU utilization can occur for WebSocket sessions that expire using a non-default MaxIdleTimeout value
	✓	PI58918	Response Splitting Vulnerability using a specific API CVE-2016-0359
		PI59273	A job instance with zero executions cannot be stopped or restarted.
		PI61321	Serviceability changes for batch feature
		PI61621	The persistent user data and metric values are invalid when a job fails in the middle of a chunk step
		PI62053	HTTP Channel Access Log does not properly record how much is written to the file
		PI64247	For Double Byte languages an FFDC IllegalArgumentException can occur for a WebSocket connection that closes due to an error
Intelligent Management Component		PI61807	Web Server SSL certificate created by the Liberty dynamicRouting feature needs updating
Java Persistence API (JPA)		PI47094	ClassCastException using a shared JPA module on JPA 2.1
		PI55889	JPA Merge fails intermittently with FOREIGN KEY constraint error
		PI58092	Delay in application startup on Liberty
		PI58523	When using jpa-2.1 with Bean Validation, XML constraints are not recognized
		PI59004	Criteria Modelgen API is not included for the EclipseLink provider
		PI59757	JPA PersistenceUnitUtil.getIdentifier() fails for nested EmbeddedId
		PI59782	Eclipselink on Liberty is missing javax.json imports
		PI59999	OpenJPA custom plugins can cause Classloader leaks
		PI62022	Bean validation interceptor is invoked twice
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI57255	MyFaces CDI support is disabled if non-CDI application is loaded first
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI59422	Flow beans are destroyed before the flow is finalized
JavaServer Pages (JSP)	✓	PI56811	XXE and RCE via XSL extension in JSTL XML parse and transform tags
		PI59436	NullPointerException when using EL expressions returning null
		PI60837	A StackOverflowError can occur when com.ibm.ws.el.reuseEvaluationContext is set to true
		PI61400	There are unused message properties files packaged in the Expression Language (EL) 3.0 bundle.
Liberty Administrative Center		PI58080	Admin Center toolbox cannot save bookmarks with Explore search results which search on tags
Liberty Administrative Center	✓	PI62052	Potential security vulnerability in Admin Center for Liberty CVE-2016-0389
Liberty Application Services		PI53419	Liberty server z/OS: Deadlock adding WABs to web container
		PI58841	An OSGi web app using JSP and JSTL by default currently needs to explicitly import the JSTL spec packages.
		PI59010	CWWKC2259E: "Unexpected child element defaultDatasource" in WebSphere Liberty for EJB 2.1
		PI60496	EBA fails to resolve when blueprint-1.0 is active
		PI60749	Common shared library classes return null when calling getProtectionDomain().getCodeSource().getLocation()
		PI61468	Application classloaders are leaked by transaction monitoring threads.
		PI61906	Classloading trace does not contain details of classpath being traversed.
		PI62078	ClassLoader leak in CDI's RuntimeFactory
		PI62240	ClastCastException doing a JNDI lookup
		PI62385	Classloading perfomance of the Liberty ORB has been slightly improved.
Liberty Archive Install		PI60256	Failed to testConnection against wlp-feature-8559.zip
Liberty Archive Install		PI62355	License jar upgrade returns a confusing message when it fails due to invalid edition.
Liberty Debug and Tracing		PI57488	Null characters added to logs when truncated by user
		PI58309	NullPointerException seen with logstashCollector-1.0 feature when access log source is enabled
		PI58310	logstashCollector-1.0 feature reports a NullPointerException during server shutdown operation
		PI58311	TRAS0120W message reports incorrect lost events
		PI58386	Duplicate FFDC records are sent for the same failure by logstashCollector-1.0 feature.
		PI60821	NullPointerException when eventLogging feature is removed
		PI61051	Removal of ISADC script
		PI61371	High Performance Extensible Logging (HPEL) binarylog view does not sort by time stamp
		PI62013	Warning message should be issued when wrong source is specified.
		PI62015	Unexpected null pointer exception appearing in FFDC logs with logstash collector whenever updating the source
Liberty Kernel		PI48971	ActiveMQ properties not being honored in JMSActivationSpec in Liberty
		PI59235	Problems with serialization code
		PI59906	Server command help is missing the --os option description
		PI60941	When installUtility install serverName is run, the server logs and workarea were not created under WLP_OUTPUT_DIR
		PI61175	During startup the application manager can cause an FFDC with a ConcurentModificationException causing no applications to start.
		PI61177	Spurious error may be logged when bundle starts and immediately stops.
		PI61178	Dynamically configuring one or more features from zero features delays starting applications by 30 seconds
		PI61319	The help for the productInfo command line tool reports an error rather than provide the help text.
		PI61320	Missing attribute message is confusing
		PI61324	Server package zips when unpacked lack file permissions for scripts in bin folder.
		PI61451	installUtility command may fail with a SocketException: "Too many open files"
Liberty System Management		PI57567	Merged plugin-cfg.xml generated by ClusterManager mbean generateClusterPluginConfig operation contains dup elements
		PI58426	Collective create always treats --keystorePassword as a required argument
		PI61176	Using the IBM JMX REST client from Liberty requires setting too many properties
		PI61895	Swagger document and UI in apiDiscovery-1.0 did not show non-ASCII characters properly.
Liberty z/OS		PI50018	linkTaskChanID property does not work when used with z/OS Connect service provider
		PI52665	z/OS WOLA CICS BBOC control transaction cannot support long command strings from the console
		PI54756	z/OS Connect JSON Parse Error message missing JSON payload.
		PI56919	IllegalArgumentException: com.ibm.ws.security.saf.SAFException: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed
		PI57546	UserRegistry.getUsersForGroup() is not implemented in Liberty server
		PI58016	Asian characters in UTF-8 encoded payloads are converted to escaped unicode characters
		PI58155	Liberty server takes ABENDEC6 RC0000FD1D due to CPU time limit exceeded
		PI58468	WOLA fails to reconnet to CICS TS after previous executions have succeeded
		PI59320	ABEND 0C4 RSN=00000004 or a CICS ASRA ABEND when you have more than 128 WOLA connections in an address space
		PI61322	CICS programs called over WOLA are being passed an incorrect channel or container name.
		PI61323	An ABENDDC2/ABENDSDC2 occurs in program BBOATRUE when CICS is configured to use an embedded Liberty server.
Performance Monitoring Tools		PI60781	NullPointerException being thrown from requestTiming feature if any exception occured
Security		PI55373	Collective framework needs to support certificates signed by third party signers
		PI59813	Improve the exception generated when client does not trust the server.
		PI61090	NullPointerException from FeatureWebSecurityCollaboratorImpl
		PI61204	NullpointerException when using ibm_securitylogout in Liberty
		PI61253	OAuth or OpenID Connect response does not contain state parameter
		PI61622	The French help text of the PasswordUtility command line utility contains typographical errors.
Systems Management Functions		PI58664	Liberty collective member status is incorrect
Systems Management Functions		PI62453	When making a JMX Connection to a collective member, the JVM default for HTTPs connections is updated
Virtual Member Manager (VMM)		PI54746	Federated repository does not allow a user login with Turkish characters
Virtual Member Manager (VMM)		PI56819	User login failure when uniqueUserIdMapping inputProperty set to non default values
Web Container		PI51122	Webcontainer intermittently generates a 500 error with StringIndexOutOfBoundsException
		PI56833	WebContainer is setting the Content-Language
		PI57951	Line feed code disappears when data is uploaded with enctype="multipart/form-data" in an HTML form
		PI58920	Dispatcher type obtained from HttpServletRequest is not updated on post processes
		PI59415	Development version of servlet SPI bundle does not match with runtime webcontainer bundle.
		PI60797	Enable POST only for a form login
		PI61594	AsyncContext.dispatch() might dispatch to an incorrect URI if using different versions of ServletRequest.startAsync()
		PI61628	A 404 error might be generated when using redirectToWelcomeFile
Web Services (JAX-WS, JAX-RS)		PI53319	ClassNotFoundException on WebSecurityHelper
		PI56315	JAX-RS MessageBodyWriter is not run
		PI56374	ClassCastException: java.util.TreeMap incompatible with javax.ws.rs.core.MultivaluedMap
		PI58097	HTTP Response header with invalid Date string is added to the response on a WebServices request
		PI58779	JAX-RS 2.0 @Context injection from client side provider reports NullPointerException
		PI58799	IllegalArgumentException inJAX-RS InjectionUtils.java code
		PI59519	Update product.json model to match recent changes in API Connect
		PI59633	When using JPA to persist an object, the JAX-RS engine does not correctly catch any exceptions that are thrown
		PI59640	Security definition is missing from the filtered Swagger document returned by API Discovery Framework
		PI59643	Using @Context to get the HttpServletRequest and changeSessionId() always returns null
	✓	PI61936	Information disclosure in JAX-RS API
		PI62155	Suppress SOAP FAULT error message
	✓	PI62450	Swagger processor may allow weaker than expected security
Web Services Security		PI59665	OIDC Relying party auth flow fails with 401 error when security trace is enabled
		PI59677	OIDC relying party authentication failure due to CWWKS1704E error
		PI62735	The groupId(s) get lost in id_token and introspection
WMQ messaging providers		PI59123	WS-AtomicTransaction participant recovery after a server crash may never complete
WMQ messaging providers		PI60966	Problem distributing transaction between WSAS traditional and Liberty using WS-AtomicTransaction.

Fix pack 8.5.5.9
Fix release date: 18 March 2016 Last modified: 18 March 2016 Status: Superseded Download Fix pack 8.5.5.9

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI50291	Beans searched for through instance interface are not found
		PI51134	NullPointerException if all interceptors are on methods overriden, defined at class level or defined in a different method
		PI51508	Reduce contention in AbstractOwbBean.equals use
		PI52391	BeanManger.equals cannot distingiush between two BeanManagers for the same module after a restart
		PI52756	CDI is activated and generates error with no existence of beans.xml
		PI52765	Provide a fix for Weld bug in CDI 1.2
		PI57976	Objects of class NullInjectionPointImpl are visible in applicaiton code
		PI58021	ClassNotFoundException if application contains a jar which contains other archives
Database Access, Connection Management, Merant/DataDirect drivers		PI57239	Error when multiple threads attempt to authenticate to Mongo at the same time
EJB Container		PI49639	CWWKC2259E: "Unexpected child element" in Liberty profile for EJB 2.1
		PI50806	NullPointerException in AbstractEJBRuntime.bindAllRemoteInterfacesToContextRoot when using ejbRemote-3.2 feature
		PI53807	Improve message text when EJB SessionContext fails to serialize
		PI55049	Non-persistent EJB Timer created while application is stopping may not be removed
General		PI48725	Initial TLSv1.0 application data packet read into the wrong buffer by the SSL channel
		PI49508	At startup end users requests routed with HTTP 404 response
		PI49566	WebSockets might not close the connection if sessionIdleTimeout is set
		PI51523	HTTP Channel getCookieValue throws ArrayIndexOutOfBoundsException when cookie is only one-digit double quote "
		PI51552	Unwanted CWWKC1556W warning when application starting or server shutting down
		PI51740	The HTTP Channel could cause the Operating System to send an RST packet when the connection is closed
		PI52417	Host name resolution with collectives on z/OS may not resolve properly
		PI52845	SSL handshake fails due to a java.lang.IllegalArgumentException.
		PI54212	Update one class in Apache Commons
		PI55344	The job logs are producing a date such as 2016-12-28 as opposed to 2015-12-28 during the last week of the year
		PI55874	Jobs containing split-flow may continue executing the (split-flow) even after the job is stopped.
		PI56019	The com.ibm.websphere.appserver.api.mediaServerControl.1.0_1.0.11.jar file in the dev/api/ibm directory is empty.
		PI56057	The MediaServerControl Javadoc provided contains accessibility issues.
		PI56076	Batch job logs do not contain the exception stack trace on step or job failures.
		PI57100	Remote partition wrongly ends in COMPLETED state when job is stopped, wrongly bypassing partition execution on restart.
		PI57542	IOExceptions is not thrown on inbound connections
		PI58014	Message's address is null in SipUdpConnLink
		PI58049	The exitStatus after the restart of an executor is not properly being rolled back to the correct value.
Install V8 and above		PI51130	Updating Liberty using group-mode Installation Manager does not set group-write bits
Install V8 and above		PI55969	An update to the licenses in IBM WebSphere Application Server Liberty V8.5.5.9 is required.
Intelligent Management Component		PI53304	Auto scaling does not fully scale in to the minimum number of servers or scale out to the maximum number of servers
		PI57006	A scaling controller might not register a scaling member correctly when the member starts.
		PI57007	ConcurrentModificationException in com.ibm.ws.scaling.controller.topology.RepositoryMonitor$UpdateHandler
		PI57982	In a Liberty collective, not all instances of an application are used when routing with Intelligent Management for Web Servers.
Java 2 Connectivity (J2C)		PI53120	Datasource connection pool minimumPoolSize to be 0 by default for newly created datasources
Java 2 Connectivity (J2C)		PI54230	ClassNotFoundException when using generic RA in Liberty
Java Persistence API (JPA)		PI46699	A null value is returned when trying to use OpenJPA's DelegatingConnection's unwrap()
		PI47094	ClassCastException using a shared JPA module on JPA 2.1
		PI47144	Merging an unmanaged entity multiple (3) times leads to an exception.
		PI50341	Using java.sql.Timestamp data type for entity version value requests current timestamp from wrong SYSIBM table on DB2
		PI50694	ClassCastException is thrown in JPA when QueryCache is enabled
		PI51878	ddlGen script is shipped in ASCII instead of EBCDIC in Liberty 8.5.5.7
		PI52209	EntityNotFoundException in OpenJPA
		PI53589	OpenJPA fastpath broken on Java 8
		PI56340	OutOfMemoryError from org.apache.bval.cdi.BValExtension$Releasable objects not being released.
		PI56499	AbstractMethodError occurs when using JPA with beanvalidation-1.1 feature
		PI58001	NullPointerException from org.eclipse.persistence.queries.ReadObjectQuery under heavy loads
		PI58005	With a Liberty image consisting of only EE7 features, importing javax.persistence 2.1 with WDT requires an internal attribute.
JavaServer Faces (JSF) SunRI implementation		PI46218	DeploymentException occurs if different web modules in an enterprise application have CDI beans with the same name
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI45044	JSF problem in a Portlet environment: Form inputs inside a data table lose their values if validation fails
		PI47885	h:selectManyCheckbox and h:selectOneRadio components do not support f:ajax tags.
		PI49486	MyFaces leaking file descriptors when reading stylesheet files
		PI50108	JSF component binding with ViewScope beans does not work and causes an exception
		PI51038	Fix EL 3.0 ImportHandler support in JSF 2.2
		PI53555	JSF ViewScope implicit objects are not resolved in JSP pages
		PI54702	Null renderer-type tag causes custom TagLib xml parse error
JavaServer Pages (JSP)		PI52851	Changing JavaServer Pages (JSP) features between requests can result in a java.lang.NullPointerException.
Liberty Application Services		PI51184	CWWKG0031E is received after commenting out a JNDI element and then adding it back at runtime
		PI51375	Application Manager change to make time waiting for apps at startup configurable
		PI52936	Application classes provides incorrect values when calling getProtectionDomain().getCodeSource().getLocation()
		PI54707	Intermittent ConcurrentModificationException thrown on startup when two Liberty apps use a privateLibraryRef.
		PI55383	Client container application fails to run
		PI55891	SPI classes under com.ibm.ws.container.service reference some non-SPI classes
		PI56452	NullPointerException in WABInstaller.java results in "Unable to install bundle" message
		PI56644	SPI classes under com.ibm.ws.javaee.dd reference some non-SPI types
		PI56831	Classloader.getResource("") does not return url to WEB-INF/classes
Liberty Debug and Tracing		PI51841	Request timing can accidently remove an executing request from the active request list
		PI52003	New "JSON" format added to binarylog command
		PI54917	ConcurrentModificationException in collector manager
		PI55910	Logging in InvocationContextImpl outputs array IDs instead of array contents
Liberty Kernel		PI51988	Invoking productInfo with valid command but bad option does not give errors
		PI52309	WebSphere Liberty default executor auto-tuning is disabled when an embedder overrides the default ThreadFactory.
		PI53867	ScheduledExecutorService can temporarily leak classloaders for canceled tasks.
		PI54458	Wrong charset returned in page-not-found error when incorrect context root is requested.
		PI55031	Fix defect in Equinox framework to incorporate in Liberty
		PI55670	Liberty File URLs contain incorrect number of '/' characters
		PI56645	Configuration conflict warning message needs improvement
		PI56678	FileNotFoundException when application start-up fails.
		PI57314	JSP classloading ignores the application parent-last classloader setting
		PI57974	OSGi applications may be able to get access to OSGi services provided by Liberty feature bundles which are not considered API.
		PI57975	Deadlock may occur when creating a Java util logging Logger
		PI57980	Improper error when running Liberty scripts with unsupported Java version.
		PI57981	Changing SSLDefault may still require unnecessary configuration of defaultKeystore
		PI58006	Feature updates are less likely to result in unnecessary component activation and deactivation
		PI58035	When installing features using the installUtility jaccWeb-1.5 and ejbComponentMetadataDecorator-1.0 are not installed
Liberty System Management		PI53219	Wrong locale in the content when calling REST API to generate schema
Liberty z/OS		PI50915	More details is provided for some failures in WOLA connections via Liberty
		PI51171	Allow WOLA client to re-connect after a Liberty server failure or recycle
		PI51329	Default JAVA not read from java.env when server is started with a PROC.
		PI53339	Liberty on z/OS fails to route messages to MSGLOG DD card
		PI53469	z/OS Connect does not preserve JSON payload element ordering as shown in copybook files.
		PI53842	Basic authentication not working z/OS Connect dynamic services
		PI54855	Liberty on z/OS does not pick up the IFAUSAGE properties file in the product extension directory
		PI54886	When starting a Liberty server that has zoslocaladapters configured the sever abends with a System 106.
		PI55029	Liberty started task does not expand @WLP_INSTALL_DIR@ when used in the path specified by WLP_DEFAULT_JAVA_HOME in java.env.
		PI56289	Calls to WOLA services BBOA1* may hang when Liberty server is cancelled or ABENDs
		PI56385	Message CWWKB0101I does not provide enough information to diagnose problems connecting to an Angel process.
		PI56987	WLP_SKIP_UMASK=true is not working when Liberty server is started from a started task on z/OS
Messaging Providers		PI47483	[WARNING ] CWWKG0032W: Unexpected value specified for property
Performance Monitoring Tools		PI55077	Monitor group filter does not work with the component which are not using the code intstrumentation.
Security		PI50399	NullPointerException thrown at com.ibm.ws.transport.iiop.security in Liberty profile
		PI51188	Login fails with mixed-case password phrase on z/OS.
		PI52181	Liberty incorrectly displays warning message aboutWSGUEST user missing the RESTRICTED attribute
		PI52566	Incorrectly returning CWWKS4306E when application URI is unprotected and Liberty receives an expired LtpaToken
		PI57413	CWWKE0702E: Could not resolve module: com.ibm.ws.management.security is logged when zosSecurity-1.0 is enabled.
		PI57668	Collective member certificate login fails with LDAP or Federated user registry
Sessions and Session Management		PI53220	Session attribute not stored with Oracle as database session persistence and MultiRowSchema=true
Systems Management Functions		PI58002	Collective replica restart may fail
Virtual Member Manager (VMM)		PI48674	LDAP binary attribut handling in VMM
Web Container		PI42598	Filter with only WebFilter annotation does not get invoked
		PI43752	AsyncContext.dispatch() dispatches to an incorrect URI
		PI52414	While using an upgrade request the quiesce operation did not complete
		PI52415	isFinished on a stream can return true before the stream is fully read
		PI53854	Unable to retrieve the REMOTE_USER from the WSRU header without using any security in Liberty
		PI54235	A redirect using an URI relative to the current request URL redirects to the wrong URL
		PI54414	Managed thread factory not available in ServletContextListener.contextInitialized
		PI54701	The Servlet SPI was refactored to provide a complete set of SPI classes.
		PI57884	Blocking write is not allowed once WriteListener is enabled.
		PI58013	If an error occurs during a request with a ReadListener and is upgraded, a quiesce operation may not complete properly
Web Services (JAX-WS, JAX-RS)		PI48389	@PreDestory method invoked twice when @RequestScoped annotated on resource class and no @Context field in the class
		PI50692	Data conversion issue for Multi-part MIME on mainframe (z/OS)
		PI51798	Liberty JAX-RS implementation may throw NullPointerException
		PI52014	User customized provider life cycle annotation @PostConstruct @PreDestroy not work or throw NullPoint Exception when stop server
		PI54152	Liberty profile JAX-RS 2.0 Client Side Built-in Providers Installation Performance Issue
		PI55038	Injection on implementation of ParamConverterProvider in JAX-RS 2.0 fails with NullPointerException
		PI55547	Customized EJB ExceptionMapper cannot be mapped to user defined Exception in more than two JAX-RS 2.0 Applications
		PI56455	ClassNotFoundException loading the jaxws-2.2 and appSecurity-2.0 features
Web Services Security	✓	PI49272	Cross site scripting vulnerability in Oauth Service Provider CVE-2015-7417
		PI57265	Add OpenID Connect relying party (RP) config option to specify whether to do client side redirect
	✓	PI58003	Cross-site scripting vulnerablility in OIDC client web application
WMQ messaging providers		PI43413	Deadlock in controller due to timing window in the recovery log service; servant times out
		PI53471	Extended Unit of Work API may not throw errors back to the application when they occur during transaction end processing.
		PI53472	Thread safety defect in Unit of Work manager initialisation
		PI53661	When inside an @Transactional declarative transaction, an error is thrown upon entering an @TransactionScoped context.
		PI54151	Unable to find the @Transactional annotation
		PI56465	@TransactionScoped bean instances do not have their @PreDestroy-annotated destructors called.
		PI56466	Access to UserTransaction methods is not correctly disabled within nested @Transactional annotations
		PI56467	@Transactional rollBackOn/do not RollbackOn scans the exception class hierarchy in the wrong direction
		PI56529	@Transactional annotation processing code emits FFDC when encountering RuntimeExceptions in the dontRollBackOn list

Fix pack 8.5.5.8
Fix release date: 11 December 2015 Last modified: 11 December 2015 Status: Superseded Download Fix pack 8.5.5.8

Component	Security APAR	APAR	Description
Contexts and Dependency Injection (CDI)		PI47250	Liberty Profile with CDI 1.2 and CDI enabled application has slow startup
		PI49410	Publish the Weld 3rd party version on the repackaged Bundle-Description
		PI49978	If CDI 1.2 is enabled then a BeanManager could be returned when resolving any JNDI value.
		PI50790	Turn off beans.xml validation by default.
		PI50802	ProcessInjectionTarget and ProcessInjectionPoint events are not fired when processing non-CDI Interceptors.
		PI52419	Export weld packages so that DeltaSpike Scheduler can be supported
EJB Container		PI47475	A NameNotFoundException occurs for injection of resource into ManagedBean in EJB module
EJB Container		PI48390	IllegalStateException thrown during server stop when j2eeManagement feature is installed
General		PI42523	Root not injected on URL containing query but omitted path
	✓	PI45266	HTTP response splitting vulnerability CVE-2015-2017
		PI47651	An OutOfMemory error can occur from a leak in WebSockets when websocket session timeout is set
		PI47954	Future.get can hang during ManagedTaskListener.taskStarting for repeating task
		PI48097	Cleanup of resources can be missed after Thread.run for threads created by a ManagedThreadFactory.
		PI48327	WLP does not handle requests successfully during shutdown
		PI48759	The TCP Channel's Host Name Include and Exclude lists are case sensitive
		PI50766	ExecutionException raised instead of AbortedException for aborted task
		PI51046	BATCHMANAGER SCRIPT WebSphere Application Server SHIPPED IN ASCII ENCODING ON z/OS INSTEAD OF EBCDIC ON LIBERTY 8.5.5.7
		PI51656	COMM_FAILURE exception raised during IIOP invocation due to IIOP connection being closed while in use
		PI52303	Duplicate IIOP request IDs lead to incorrectly parsed response (from incorrectly handled reply message).
Install V8 and above		PI51982	LIBERTY 8557 CANNOT ROLLBACK TO LIBERTY 8553 AND BELOW
Intelligent Management Component		PI49835	java.lang.IllegalStateException: The ScalingMemberReplacementService service is not available
JavaServer MyFaces (JSF) Apache MyFaces implementation		PI47095	A java.lang.ClassNotFoundException can occur during deserialization of the HTTP session
		PI47578	An UnsupportedOperationException is thrown with an eager ManagedBean containing a ManagedProperty in JSF 2.2
		PI47600	The "class" attribute cannot be set in a custom tag in JSF 2.2
JavaServer Pages (JSP)		PI43036	JspTranslationException when using a JSP tag containing another tag with deferred-attributes
		PI44611	JSP engine throwing an IllegalStateException when PageContext.findAttribute(string attributename) is called
		PI46827	Memory leak in javax.el.BeanELResolver caused by application restarts
Intelligent Management Component		PI52161	Liberty collective server status is not in sync with DataPower status query
Liberty Application Services		PI50370	Unnecessary IllegalStateException FFDC created during some server stops
Liberty Archive Install		PI50812	Some download error messages are shared with install error messages, but the content of the message only mentions install.
Liberty Debug and Tracing		PI49056	NullPointerException when updating traceSpecification programmatically.
		PI50369	NullPointer in MethodInfoImpl tracing
		PI51010	Liberty core dumps when -Xhealthcenter:level=inprocess jvm option is used with health center agent version 3.0.5 or above
Liberty Kernel		PI46358	Problem with notify call for updateTrigger="mbean"
		PI46856	Unused server.env file generated when creating client processes using Java 8
		PI47941	Liberty featureManager command may hang until killed
		PI48377	Unable to use wlp-featureRepo-8.5.5.7.zip as a directory based repository in WDT
		PI49759	When setting the trace file name to 'stdout', the distinction between error and general output messages is lost.
		PI49927	UPDATE TO COMMAND PRODUCTINFO VIEWLICENSEINFO
		PI50096	When Java security is enabled application class loaders may get access to internal packages contained in liberty profile
		PI50775	There needs to be a space character preceding the ellipses mark used in some install command line messages.
		PI51403	SSL support does not start properly
		PI52579	Errors after adding or configuring additional content to server when the server installation path contains unsafe characters
Liberty z/OS		PI46937	Security identity not propagated from batchManagerZos to batch exectuor in multi-server environment causes JobSecurityException
		PI47050	Unintall zosBundle addon fails if use Java7 to run Liberty installUtility
		PI47248	PERMISSION ERRORS ACCESSING RESOURCES IN THE SERVER'S WORKAREA DIRECTORY USING APPLICATION SYNCTOOSTHREAD WITH JSP INCLUDE TAG
		PI47476	CWWKT0022E IN LIBERTY SERVER WHEN USING DVIPA HOSTNAME DEFINED BY VIPARANGE
		PI47730	SERVICEABILITY ENHANCEMENTS TO ENABLE TRACING IN THE TOOLING THAT z/OS CONNECT USES

Tips

Fix list for IBM WebSphere Application Server Liberty

Product Readmes

Abstract

Content