IBM Support

Fix list for IBM WebSphere Application Server Liberty

Product Readmes


Abstract

Fixes for WebSphere Application Server Liberty are delivered in fix packs periodically.  This is a complete listing of all the fixes for Liberty with the latest fixes at the top.

New fix pack numbering is introduced. Fix pack 16.0.0.2 for WebSphere Application Server Liberty is the first of a series of common Liberty levels that apply to both Version 8.5 and Version 9.0 of WebSphere Application Server on all supported platforms.

Content

Release Date
Total number of APARs
Total number of Security APARs
Total number of Open Liberty Release Fixes
8 October 2021
4
2
14
10 September 2021
3
0
11
13 August 2021
1
0
7
15 July 2021
4
1
14
18 June 2021
2
0
11
21 May 2021
4
0
19
23 April 2021
3
2
12
26 March 2021
2
0
18
26 February 2021
3
0
12
29 January 2021
2
0
24
27 November 2020
5
0
15
30 October 2020
2
1
12
2 October 2020
6
1
11
4 September 2020
4
0
10
7 August 2020
2
0
10
9 July 2020
2
0
14
12 June 2020
4
0
15
15 May 2020
3
2
14
17 April 2020
6
1
19
20 March 2020
6
1
18
21 February 2020
11
2
29
24 January 2020
2
1
23
Fix pack 19.0.0.12 13 December 2019 1 1 13
Fix pack 19.0.0.11 15 November 2019 8 2 19
Fix pack 19.0.0.10 18 October 2019 8 2 18
Fix pack 19.0.0.9 20 September 2019 6 1 9
Fix pack 19.0.0.8 23 August 2019 6 0 19
Fix pack 19.0.0.7 25 July 2019 4 1 14
Fix pack 19.0.0.6 28 June 2019 5 0 8
Fix pack 19.0.0.5 31 May 2019 3 0 8
3 May 2019
4
1
15
5 April 2019
10
1
25
8 March 2019
9
0
18
8 February 2019 11 1 24
14 December 2018
29
3
50
21 September 2018
31
5
38
29 June 2018
45
1
29
16 March 2018
32
3
84
21 December 2017
54
2
17 October 2017
109
3
13 June 2017
115
1
14 March 2017
90
0
13 December 2016
103
1
16 September 2016
107
7
24 June 2016
121
5
18 March 2016
141
2
11 December 2015
78
2
11 September 2015
26 June 2015
13 March 2015
8 December 2014
18 August 2014
28 April 2014
11 November 2013
14 June 2013
Fix pack 21.0.0.10
Fix release date: 8 October 2021
Last modified: 8 October 2021
Status: Recommended

Download Fix pack 21.0.0.10
Component Security APAR APAR Description
Liberty Kernel PH39418 Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517 CVSS 5.5, CVE-2021-36090 CVSS 7.5)
PH40489 SPNEGO fails with 403 error on Java 11 at 21.0.0.9
Liberty System Management PH39935 CWWKE0701E at Liberty startup reports a ConcurrentModificationException in the APIProviderAggregator class
Virtual Member Manager (VMM) PH38929 WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842 CVSS 3.7)
Open Liberty Release fixes
Issue/PR Description
17155 Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17489 IllegalStateException is thrown when Liberty tries to update a readOnly subject
17950 Fix SRVE8501E Warning
18281 Possible Bug with deferServletRequestListenerDestroyOnError
18282 Bug: AdminCenter SRVE0190E: File not found: /images/tools/wasdev_142x142.png
18348 ContainerRequestContext.getAcceptableLanguages() - fails with IllegalArgumentException when invalid locales are specified in the Accept-Language header.
18404 Create PluginGenerator Lock to to Address FileNotFoundExceptions
18430 saml web sso sp initiated login flow resulting in buildup of WASSamlReq_xx cookies
18437 JSF throws ClassNotFoundException for o.a.m.el.convert.ValueExpressionToValueBinding
18475 Servlet ReadListener does not receive all HTTP request data
18503 RuntimeCodebase cannot be located on collocated call
18530 Startup hang caused by plugin-cfg generator changes
18552 JAX-RS 2.0 and 2.1 implementation is executing resource method when Content-Type or Accept header contains invalid values
18663

NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
Fix pack 21.0.0.9
Fix release date: 10 September 2021
Last modified: 10 September 2021
Status: Superseded

Download Fix pack 21.0.0.9
Component Security APAR APAR Description
JavaServer Faces (JSF) Apache MyFaces implementation PH40182 JSF faces-config parser throws NPE when XML namespace missing
JavaServer Pages (JSP) PH38133 Incorrect Expression Language (EL) Method Matching with Varargs
Liberty z/OS PH39946 Liberty logging hideMessage= parameter should also stop messages being written to messageLogDD=MSGLOG
Open Liberty Release fixes
Issue/PR Description
16700 Improve featureUtility performance with remote repository
17444 Pull in BZ 65358 -- Varargs Method Matching (EL Patch)
17591 IdentifyException accidentally externalized as unusable top level config element
17682 Exception stack trace is exposed in error returns from JMX REST apis
17912 Bump netty dependencies to 4.1.66.Final
18002 `@Schema(multipleOf = )` validation check is wrong in `mpOpenAPI-2.0` feature
18009 Wrong char count in ServletOutputStream with non-ASCII characters skips content
18091 Remove system from code
18155 JSF faces-config parser throws NPE when namespace missing
18213 IOException FFDC logged after HTTP/2 stream is closed by client
18237 Unexpectd FFDC from Jackson
Fix pack 21.0.0.8
Fix release date: 13 August 2021
Last modified: 13 August 2021
Status: Superseded

Download Fix pack 21.0.0.8
 
Component Security APAR APAR Description
JavaServer Faces (JSF) Apache MyFaces implementation PH38339 StringIndexOutOfBoundsException Occurs When Creating a Resource
Open Liberty Release fixes
Issue/PR Description
16700 Improve featureUtility performance with remote repository
16994 Dynamic reconfig of discovery endpoint not updating endpoints in all cases
17313 ubuntu upgrade re-enabled openliberty@defaultServer
17678 Port MYFACES-4065/MYFACES-4187 to JSF 2.2
17757 Passivating remote EJB Stub fails when rmicCompatible=true
17799 gRPC monitoring requires the enablement of both grpc-1.0 and grpcClient-1.0
17828 Update JSP Logic to Avoid Race Condition Regarding trackDependencies
17904 grpcClient-1.0 dynamic enablement unexpected behavior
Fix pack 21.0.0.7
Fix release date: 15 July 2021
Last modified: 15 July 2021
Status: Superseded

Download Fix pack 21.0.0.7
 
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH37788 Use first found ejbDescriptor for MD
General PH35877 Session ActiveCount shows a negative value
PH34906 XML External Entity Injection (XXE) in WebSphere Application Server Java Batch (CVE-2021-20492 CVSS 6.5)
PH38224 Invalid command line optional parameters with "featureUtility help installFeature"
Open Liberty Release fixes
Issue/PR Description
14575 OAuth client registration: Client IDs with GB18030 characters do not work
15726 Re-introduce change reverted from 14248
16282 Nullpointer exception during authorization using OidcLogic
17235 FeatureUtility should return RC=20 when invalid action name is specified
17299 Allow multiple version of singleton feature with featureUtility installFeature command
17344 OIDC RP may fail to login if clientSecret is not configured TS005720300
17437 NPE in com.ibm.tx.jta.util.logging.TxTr.initTrace
17478 Invalid command line optional parameters are shown with "featureUtility help installFeature" and "featureUtility help installServerFeatures"
17482 Unexpected results with JSP trackDependencies in the extended document root
17489 IllegalStateException is thrown when Liberty tries to update a readOnly subject
17576 OIDC Update the description for disableIssChecking
17593 EJB Singleton Lifecycle Deadlock
17635 Bump gRPC dependencies to 1.38.1
17658 ConcurrencyPolicy loses queue slots when managed executor deactivates and erroneously cancels tasks of other executors
17666 JavaMail tries to use a resource file that only exists in the implementation
Fix pack 21.0.0.6
Fix release date: 18 June 2021
Last modified: 18 June 2021
Status: Superseded

Download Fix pack 21.0.0.6
Component Security APAR APAR Description
JavaServer Pages (JSP) PH36923 java.lang.NullPointerException caused by PH34711
Liberty Kernel PH37460 Setting 'AutoExpand' to true causes the 'UseJandex' setting to be ignored
Open Liberty Release fixes
Issue/PR Description
12778 mpJWT-1.1 configured by using jwksUri results in CWWKS5523E at the first jwt token presented to the server
15023 WASReqURLOidc cookie encodes the request url but doesn't decoded it upon successful redirection
16598 ServletContainerInitializer is passed invalid @HandlesTypes classes
16743 Pull in MyFaces 2.3.9
17040 Revision to httpOption maxKeepAliveRequest default value
17047 PluginGenerator FFDC: BundleContext is no longer valid
17117 Test Failure: Failover1ServerCoordinatedPollingTest.testMultipleInstancesCompeteToRunManyLateTasksPC
17177 Failed to locate DataSource, null Resourcefactory
17203 ORB.init() called simultaneously on two threads during server start
17268 APAR PH37460 useJandex is ignored when autoExpand is set
17294 java.io.IOException might be thrown during AsyncContext.complete()

Fix pack 21.0.0.5
Fix release date: 21 May 2021
Last modified: 21 May 2021
Status: Superseded

Download Fix pack 21.0.0.5
 
Component Security APAR APAR Description
Liberty OSGi Applications PH28781 CWWKZ0404E: An exception was generated when trying to resolve the contents of the application
Liberty z/OS PH35442 Smf120 subtype 11 records sometimes missing values when a servlet request takes an error path
PH35542 Abend 0C4 in ntv_registerserver reported on Websphere Liberty z/OS 20.0.0.12 (wlp-1.0.47.cl201220201111-0736)
PH36576 CWWKB0086E seen in angel in fix pack 21.0.0.3
 Open Liberty Release fixes
Issue/PR Description
13522 Publish the WebContainer property enableMultiReadOfPostData
14174 The WebContainer properties may not be updated accordingly.
14345 ServletContext getContextPath() does not end with forward slash.
15216 JDBC kerberos problems on IBM JDK 8
16203 IllegalStateException when calling CDI bean with @Transactional(Transactional.TxType.NEVER) from websocketEndpoint
16307 Update Liberty to not block use of Oracle 21c JDBC driver with IBM Java 8 and kerberos authentication.
16428 Remove Internal From setHtmlContentTypeOnError
16495 Rename plugin-cfg File Using Files#Move
16524 Fix issue with spanning an audit record across audit logs when signing and encrypting of audit logs is enabled
16539 SESSION ACTIVECOUNT SHOWS A NEGATIVE VALUE
16637 Authorization failure occurs when LDAP or basic user attempts login in SAF federated registry
16661 microprofile-config.properties is not loaded in OASFilter
16694 Avoid virtual host missing warning if server is in the process of shutting down
16764 Deploying two applications with mpOpenApi-2.0 enabled can cause IllegalStateException: SROAP00001: Model already initialized.
16772 [JPA 2.1] EclipseLink: Deliver Bug #573094
16774 PostgreSQL session table check missing qualifier name
16793 Include RelayState in the logout response to IdP initiated slo requests
16808 Issue16807 support new java policy location per open jdk 9
16843 Cleanup request thread data
Fix pack 21.0.0.4
Fix release date: 23 April 2021
Last modified: 23 April 2021
Status: Superseded

Download Fix pack 21.0.0.4
Component Security APAR APAR Description
Administrative Console PH34122
Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258 CVSS Score 7.5)
Java 2 Connectivity (J2C) PH33683 EJB timer service does not adjust for daylight savings time
JavaServer Faces (JSF) Apache MyFaces implementation PH34711
Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)
Open Liberty Release fixes
Issue/PR Description
15336 Replace DNS lookup with regular expression to get the domain name in SSO Cookie Domain function
15989 MyFaces Update State Saving
16054 HSTS Header not added on responses with 404 status
16113 Shared Class Cache not generated on Windows
16118 Create setHtmlContentTypeOnError Webcontainer Property
16160 HTTP/2 ClassCastException during error handling
16184 EJB timer service does not adjust for daylight savings time during fall adjustment
16301 LDAP and Database Identity Stores fail to reprocess deferred EL expressions
16353 Bump netty dependencies to 4.1.62.Final
16364 Premature response completion in Async Servlets
16410 Improve messaging in ldapRegistry-3.0 when userFilter and groupFilter do not contain an AVA with %v
16416 Java 2 Security exception when adding custom principal to the subject for Jaspic
Fix pack 21.0.0.3
Fix release date: 26 March 2021
Last modified: 26 March 2021
Status: Superseded

Download Fix pack 21.0.0.3
Component Security APAR APAR Description
Liberty z/OS PH33563
SAFPasswordUtilityFactory.getInstance().passwordChange results ioException: exception in opening zip file after multiple calls
PH34338 ABEND0C4 during Liberty server shutdown
Open Liberty Release fixes
Issue/PR Description
5470 NLS message CWWKE0031E is inaccurate when emitted from server script
11249 JAXRS leaks memory when applications do not close their Client references
12606 server.bat script does not read path of jvm.options correctly as documented
14926 Bean Validation 1.1 NullPointerException from ValidationReleasableFactoryImpl
15646 Issue15644ProperMergingOfJava2Permissions
15744 Pull in MyFaces 2.3.8
15799 Plugin Generator can cause server shutdown delay
15822 LDAP group members may be ignored when the member's RDN starts with cn (and possibly other attribute names).
15853 Bump netty dependencies from 4.1.52.Final to 4.1.59.Final
15857 EJB client intermittently throws BAD_PARAM after server restart
15869 MP Config AppPropertiesTrackingComponent synchronization
15878 JAX-RS requests that don't specify the port fail with SSL
15927 Can't inject optional list with mpConfig-1.x
15943 Merge multi-homed environment related changes into Liberty
15975 Create a UDP connection using the selected outbound interface
15985 Threads backing up during transaction processing due to use of Dictionary
16037 Separating ciphers with two spaces results in unspecified behaviour
16060 Eclipselink bundles lack javax.mail.internet
Fix pack 21.0.0.2
Fix release date: 26 February 2021
Last modified: 26 February 2021
Status: Superseded

Download Fix pack 21.0.0.2
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH33219
AdminCenter web app is not updating status after an operation concludes
Install PH33517 Issue with <INCLUDE LOCATION> tag on Liberty 20.0.0.9 failed to support the WLP_USER_DIR in already built fixes
Java 2 Connectivity (J2C) PH31875 J2CA0079E: getManagedConnection internal illegal state state = state_inactive mcw
Open Liberty Release fixes
Issue/PR Description
11777 prepareJSPThreadCount is not documented in Open Liberty - Investigate if any issues using it and document
12490 IOExceptions thrown after HTTP/2 stream is closed by client
12694 EclipseLink: Deliver Bug #538296
14109 Update gRPC dependencies to 1.35
14175 Expression Language 3.0 value lookup performance improvement
14248 Update WC property suppressHtmlRecursiveErrorOutput
14934 JAX-RS client creates a new SSLSocketFactory for every request
15040 ClassCastException might happen when serving a static resource
15433 System WABs may come online with the web container after server reports started
15550 NullPointerException in HttpServletRequest or HttpServletResponse context proxies
15698
FeatureUtility not parsing Liberty custom environment variables
Fix pack 21.0.0.1
Fix release date: 29 January 2021
Last modified: 29 January 2021
Status: Superseded

Download Fix pack 21.0.0.1
Component Security APAR APAR Description
Install PH32961 InstallUtility and FeatureUtility are working when the variable is a directory, but not part of a file name
Intelligent Management Component PH31732 Restricting IP access in ssh keys in authorized_keys, results in ssh key being appended when collective member is restarted
Open Liberty Release fixes
Issue/PR Description
10000 HttpServletResponse.sendRedirect(String location) builds absolute URL including protocoll and server-name
12095 PluginGenerator: BundleContext is no longer valid
12417 Fix java.lang.IllegalStateException: jstl facade bundle can not be located
13515 Add addstricttransportsecurityheader WebContainer prop to metatype
14532 Plugin Generator can cause server shutdown delay
14815 Recovery race
14925 OAuth user registry lookups may use incorrect custom cache key
14928 EclipseLink: Deliver Bug #514486
14936 Issue when deploying Open Liberty application to Openshift
14950 Pull MyFaces 2.3.7 into Open Liberty
14975 OIDC RP: creating a subject with allowCustomCachKey=false results in a subject that includes a cache key
15174 Include tag on windows not parsing correctly
15216

JDBC kerberos problems on IBM JDK 8
15220 Add HTTP/2 IOException for misbehaving client error case
15237 Clear federated repository specific information from AuditManager thread
15242 Stop the ACME Certificate Checker Task when the server is stopping
15263 HTTP TRACE method requests are rejected with a 403, and `enableTraceRequests="true"` does not help
15305 Pull in CXF-8278
15315 Enable server shutdown on recovery log failure
15337 Dynacache initialization issue when ID is missing
15342 CONTAINER_NAME env variable is not reflected in logstashCollector-1.0
15388 Include tag file name unable to be parsed for featureUtility
15390 Various thread safety issues in the Liberty scheduled executor
15550

NullPointerException in HttpServletRequest or HttpServletResponse context proxies

 
Fix pack 20.0.0.12
Fix release date: 27 November 2020
Last modified: 27 November 2020
Status: Superseded

Download Fix pack 20.0.0.12
Component Security APAR APAR Description
General PH30714 PortOpenRetries needs to do retries for hostname lookup failures
PH30744 Increased CPU can occur after moving to Liberty version 19.0.0.7 or higher
Install PH32363 InstallUtility and featureUtility ignores included config files on Windows
Intelligent Management Component PH31277 Health policies do not trigger
Systems Management Functions PH30558 Do not store Leader ID when server is stopping
Open Liberty Release fixes
Issue/PR Description
14426 EclipseLink: Deliver Bug #463350
14457 EclipseLink: ClassCastException for Boolean-Typed JPS-Query
14540 com.ibm.wsspi.cache.getProperties() returns empty map.
14542 Java 15: IllegalAccessError when using MP Rest Client
14555 TCP: add retry logic to hostname loookup when opening ports
14582 Prevent jsonp-1.0 and jsonpContainer-1.1 from both starting.
14597 Increased CPU when moving from Liberty 19.0.0.6 to newer releases.
14650 MP GraphQL does not scan JARs in WEB-INF/lib for GraphQL components
14655 Move participatingBaseEntry check to avoid inaccurate logging of CWIMK0004E message
14657 Fix connection manager deadlock for purgePolicy=FailingConnectionOnly
14735 Fix the Logging metatype description message for hideMessage
14743 Variables in include files not recognized after config update
14781 Wrong FailureScopeController used in peer recovery
14826 Allow Spring Boot app with embedded launcher script to deploy
14828 server stop hang
Fix pack 20.0.0.11
Fix release date: 30 October 2020
Last modified: 30 October 2020
Status: Superseded

Download Fix pack 20.0.0.11
Component Security APAR APAR Description
General PH30494 NullPointerException is received when using the PasswordChange API with more than one UserRegistry
Java 2 Connectivity (J2C) PH29942 Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693 CVSS 5.3)
Open Liberty Release fixes
Issue/PR Description
7056 HTTP/1.1 and HTTP/2 behave differently when a non-standard HTTP method is used
12312 Update to commons daemon breaks windows servicel
12724 Unable to Override JAX-RS SecurityContext in ContainerRequestFilter
13073 FFDC raised when fallback method or handler throws exception
13830 Federated repositories returns the string "null" instead of the value null for several methods
13861 Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13908 Liberty java security function does not honor JDK's java.policy file.
14003 Test Failure: com.ibm.ws.microprofile.health20.fat.ApplicationStateHealthCheckTest.testPreLoadedApplicationsHealthCheckTest_mpHealth-3.0
14183 Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy
14192 Eclipselink: Wrong month is returned if OffsetDateTime is used in JPA 2.2 code
14377 Server.xml config sources do not respect config_ordinal
14421 EJB persistent timer may attempt to run after server stop issued
Fix pack 20.0.0.10
Fix release date: 2 October 2020
Last modified: 2 October 2020
Status: Superseded

Download Fix pack 20.0.0.10
 
Component Security APAR APAR Description
Asynchronous Beans PH29578 CWWKE0701E: Frameworkevent error org.osgi.framework.serviceExcception
Liberty Kernel PH27428 NullPointerException because wsJarUrlStreamHandler creates unusable input stream
PH27908 Unconverted adapt to web annotations from com.ibm.ws.openApi.internal.annotationScanner
PH28816 During server startup, the warning "Unconverted adapt to web annotations" appears in server logs
Liberty z/OS PH28141 Out of memory in cell pool using 500 connections
Web Services Security PH29368 WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590 CVSS 5.3)
Open Liberty Release fixes
 
Issue/PR Description
11646 Concurent Login Issue
11722 mpHealth - readiness check reports UP when application fails to start
11847 Add support for traditional websphere property: com.ibm.ws.webcontainer.suppresslastzerobytepackage
12613 Enabling openTracing with no tracer class configured impacts performance
12790 Need to limit how many times an OIDC refresh token can be used to get new tokens
13404 Kafka connector can report failure for acknowledgements which eventually succeed
13551 NullPointerException when starting an EJB module during server stop
13569 Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0
13613 Support IIOP transmission of Supplemental Multilingual Plane characters (such as emoji) in (wide) Strings
13681

Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13817 PostgreSQL tables are not automatically generated for transaction recovery
 
Fix pack 20.0.0.9
Fix release date: 4 September 2020
Last modified: 4 September 2020
Status: Superseded

Download Fix pack 20.0.0.9
Component Security APAR APAR Description
EJB Container PH27497 CNTR5010E,CNTR0075E Errors after migrating from WebSphere V8.5.5.X TO V9.0.5.X
PH27912 CNTR5104E OR CNTR5102E occurs at EJB start after upgrading WebSphere to V8.5.5.16, V9.0.5.0, V9.0.5.1, OR V9.0.5.2
Install PH30219 <INCLUDE> Tag not being considered when installing server.xml
Java Persistence API (JPA) PH26967 OpenJPA's class transformer needs to respect app classloader concurrency
PH28547 JPA persistence activator retains classloader references, potentially leading to OutOfMemory condition
 Open Liberty Release fixes
Issue/PR
 Description
11504 Occasional ArrayIndexOutOfBoundsException in JaspiServiceImpl.getDescription during Arquillian Tests
11556 Connection leak when XAResource.recover fails
12832 Bean Validation should consider @ValidateOnExecution when CDI is not enabled.
13027 Jaxrs security not getting SSL Socket Factory updates
13036 mpGraphql Exception allowlist not working. NullPointerException is thrown by mpConfig
13138 tag not being considered when installing server.xml
13170 MDB method restricted from being private final for no methods listener
13309 Application with EJB 2.x local interface that extends java.rmi.Remote fails to start
13331 ignore extra ffdc when application fail to start due to vhost already removed by stop app
13447 Http/2 -clean up connection on error
14183

Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy
Fix pack 20.0.0.8
Fix release date: 7 August 2020
Last modified: 7 August 2020
Status: Superseded

Download Fix pack 20.0.0.8
Component Security APAR APAR Description
Systems Management Functions PH27639 Stopped application may show as started in collective controller.
Security PH34376

RACF RACMAP filter fails to properly match on realm
Open Liberty Release fixes
Issue/PR Description
12074 Webcontainer property decodeUrlPlusSign issue
12312

Update to commons daemon breaeks windows service
12450 Batch: Fixes for remote partition job logs
12523 Failed to parse Created TimeStamp in UsernameTokenValidator
12613

Enabling openTracing with no tracer class configured impacts performance

12695 JAX-RS Application Proxy should override getProperties()
12780 CWMRX1001W seen in messages.log
12865 spring-cloud-starter causes ApplicationStarted event to be fired before the ModuleStarted events for Spring Boot web apps
12967 "peer not authenticated" failures in RP to OP communication on some versions of Java 11
13094 MDB message listener method name restricted from starting with "ejb"
Fix pack 20.0.0.7
Fix release date: 9 July 2020
Last modified: 9 July 2020
Status: Superseded

Download Fix pack 20.0.0.7
Component Security APAR APAR Description
Liberty System Management PH26177 API Discovery UI fails
z/OS PH23733 Unexpected Transaction CPLT ABEND ASIB when transaction is rolled back
Open Liberty Release fixes
Issue/PR Description
8048 Unable to write multipart data in Jax-Rs
12032 Configuration for sslSessionTimeout is ignored at runtime
12067 PluginUtility currently looks in the workarea for com.ibm.ws.jmx.local.address but should look in the logs/state directory
12352 Correct spelling mistake in com.ibm.ws.jsp.jstl.facade/bnd.bnd
12375 IllegalArgumentException occurs when processing SOAP response containing SOAP Fault
12399 HTTP/2 read window not updated
12516 Changes to SSL Session Timeout
12537 H2 NPE HttpOutputStreamImpl.flushHeaders
12545 syncQueryTimeoutWithTransactionTimeout="true" with totalTranLifetimeTimeout="0" results in SQLTimeoutException
12567 Fault Tolerance 2.1: org.eclipse.microprofile.faulttolerance cannot be resolved
12599 HTTP/2 connection termination performance
12708 Entry and exit trace is missing when using OpenJDK with OpenJ9 version 8.
12715 JAX-RS @Context injection into ContextResolver failing with NPE
 
Fix pack 20.0.0.6
Fix release date: 12 June 2020
Last modified: 12 June 2020
Status: Superseded

Download Fix pack 20.0.0.6
Component Security APAR APAR Description
Administrative Console PH25475 After logging in to admin center console, in the web browser console role is getting exposed
General PH25479 JAXRS resource not injecting objects via CDI constructor injection
Liberty z/OS PH25650 Message CWWKO0230I is issued even if the Asynchronous I/O support was not activated
Virtual Member Manager (VMM) PH24423 With SCIM-1.0 feature and LDAP registry, SCIM queries for group members do not deliver the display name for group members
Open Liberty Release fixes
Issue/PR Description
9157 Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
10067 Update JPA to fix EclipseLink bug 618
10236 Update JPA to fix EclipseLink bug 558283
10240 Update JPA to fix EclipseLink bug 558414
10812 Update printSessionManagerConfigForDebug method to include cookieHttpOnly
11773 [openidConnectServer-1.0] incorrect http status code for error response invalid_grant
11795 EclipseLink: Deliver Bug #561664
11882 Missing FunctionMapper
11927 Include user name in CWWKS1773E error message TS003412433
11977 May get an NPE in URLEncoder.encode when OAuth provder gets bad clientId TS003459997
11984 JNDI lookup fails with org.osgi.framework.ServiceException
12019 Application MBean status is not updated when application fails to start
12024 The JCA SharedPool can leak MCWrapper objects
12212 Cached configuration not used in some circumstances
12297 Correct JSP 2.3. Feature File
Fix pack 20.0.0.5
Fix release date: 15 May 2020
Last modified: 15 May 2020
Status: Superseded

Download Fix pack 20.0.0.5
Component Security APAR APAR Description
Liberty z/OS PH24366 Liberty fails to remove the client address space level RESMGRs when cleaning up Liberty's client structures
Web Container PH20847 Information disclosure in WebSphere Application Server (CVE-2020-4329 4.3)
Web Services Security PH24154 Identify spoofing in WebSphere Application Server (CVE-2020-4421 5.0)
Open Liberty Release fixes
Issue/PR Description
11475 CWWKG0090E seen when using include that worked in previous version
11550 SSL Channel: double release of WsByteBuffer race condition
11582 NPE in OpentracingUtils.lookupAppName()
11590 MetricProducer provides a simple timer and concurrent gauge with the wrong MetricType
11595 SAML SP should use 401 instead of 403 when redirects user to IdP
11682 Social login feature cookies may not use dynamically updated web app security config
11696 Exception during UserTransaction thwarts @Fallback on @Asynchronous method
11716

Changes for issue 11646
11746 Unable to create logger error in server startWinService when WLP_OUTPUT_DIR set in server.env
11750 Correct redirect location.
11755 Update Weld3 to 3.1.4
11767 Lock contention acquiring applicationTracersLock in OpentracingTracerManager.ensureTracer()
11785 intermittent h2 timing test failure
11870 H2 NPE check modification
Fix pack 20.0.0.4
Fix release date: 17 April 2020
Last modified: 17 April 2020
Status: Superseded

Download Fix pack 20.0.0.4
Component Security APAR APAR Description
General PH23757 EJB persistent timer/deserialized context fails with CWWKC1004E (unavailable context) after mpContextpropagation-1.0 disabled
Install V8 and above PH23517 zosConsoleCommandDisplayWork-1.0 as an auto-feature is not installed
Liberty Archive Install PH23233 NullPointerException when installing the required WLP server's features from local repository
Liberty z/OS PH22112 Display work with zosRequestLogging feature does not count servlet requests
PH23817 gpf in liberty server during shutdown
Web Services Security PH22080 Cross-site scripting vulnerability in samlWeb-2.0 (CVE-2020-4303, CVE-2020-4304)
 Open Liberty Release fixes
Issue/PR Description
4040 Make RC consistent for starting liberty as a Windows Service
4873 Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
8933 Authentication cache fails to find existing Subjects, slowing performance.
9692 Non-English characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9986 Application fails to start because of java.lang.IllegalStateException: Configuration pid com.ibm.ws.app.manager_23 was deleted
10707 Thread safety problem in JSON logging field name mapping code
10986 Invalid JSON data passed to @Path resource method(@Valid MyPojo) yields H500 instead of H400
11043 java.security.AccessControlException: Access denied ('java.util.PropertyPermission' 'org.osgi.framework.bootdelegation' 'read')
11044 custom-login-configuration not honored in java:comp/env bindings without binding-name
11108 mpRestClient-1.3 ignoring hostnameVerifier configuration
11199 EJB Persistent Timer/deserialized context fails with unavailable mp.cleared.context.provider after mpContextPropagation-1.0 disabled
11289 ConcurrentModificationException during JSF application startup
11445 The JarFileClassLoader throws an IllegalArgumentException when defining package com.ibm.websphere.ras.annotation
11454 Remove lock contention and other perf improvements for starting multiple applications
11478 Minor code issue in LdapHelper.getRDN in com.ibm.ws.security.wim.adapter.ldap
11510 Timing window where server loses the ability to run a persistent timer if config update to disable execution overlaps a poll
11534 Async implementation of MP rest client returns CompletionStage of Collection of HashMap but expected CompletionStage of Collection of a user defined type
11535 AdapterUtil.createXAException utility method garbles message parameters
11543 PH22080
Fix pack 20.0.0.3
Fix release date: 20 March 2020
Last modified: 20 March 2020
Status: Superseded

Download Fix pack 20.0.0.3
Component Security APAR APAR Description
Liberty log analytics and monitoring PH22677 Logstash error when parsing json
Liberty z/OS PH21809 Liberty on z/OS message routing to msglog dd stops unexpectedly
PH21956 JVM crash in zosLoggingBundleActivator.ntv_writeFile()
PH22759 Abend on the z/OS Hard failure Cleanup Thread during server stop processing
Virtual Member Manager (VMM) PH21704 SCIM fails to search when quotation marks are included in search filter
Web Services (JAX-WS, JAX-RS) PH22079 Vulnerability in Apache CXF affects WebSphere Application Server Liberty (CVE-2019-17573)
 Open Liberty Release fixes
Issue/PR Description
8547 Oracle connectionProperties being traced
9588 Fix JWKS behavior that returns cached JWK despite the JWK not having right KID
10310 EclipseLink: Deliver Bug #347987
10510 Thread fails to complete during the quiesce period
10552 Webcontainer Bundle Deactivation causes IO Exceptions for the Cached Plugin-cfg File
10697 LDAP registry and URBridge are not un-escaping double quotation and apostrophes from the XPATH search expression
10712 AsyncResponseImpl.initContinuation() throws NPE when Continuation is null
10730 Javadoc of ConnectionManagerMBean.getJndiName is not accurate
10732 Context-root attribute for server.xml web-ext element ignored
10762 Missing warning when a server element is not present
10867 German translation for 'Logout' incorrect for OIDC applications
10961

Request URL mismatch between scheme and port
10981 Yoko ORB shutdown thread hangs
10996 Error parsing JSON when using ELK with logstashCollector-1.0
11052 Basic registry throws PatternSyntaxException when search for users or groups includes braces
11105 HTTP/2 stream initialization race conditions
11123 Enhance NCSA access log 'enabled' attribute documentation
Fix pack 20.0.0.2
Fix release date: 21 February 2020
Last modified: 21 February 2020
Status: Superseded

Download Fix pack 20.0.0.2
 
Component Security APAR APAR Description
General PH10461 When using BYO SSH keys, starting a collective controller keeps appending the ssh key to the authorized_keys file
PH11895 PI81056 did not fully resolve the issue resulting in msg CWWKO0224E (hostname resolution error) during server startup
PH19384 Liberty for z/OS server using optimized local adapters abends in method WOLANativeUtils.ntv_getClientService on shutdown
PH19528 Denial of Service in WebSphere Application Server (CVE-2019-4720)
PH19989 Denial of Service in WebSphere Application Server (CVE-2019-12406)
PH20816 Install of common Java SDK for Liberty on z/OS fails with CRIMA1161E
PH20912 Unable to set samesite cookie option with response.addHeader
PH21213 Unable to install WebSphere Application Server Liberty V8.5 version 20.0.0.1 using IBM Installation Manager
PH21281 Warnings showing the text "Unconverted adapt" appears in server logs
PH21564 java.lang.SecurityException possible from messaging component calls to System.getProperty("line.separator")
PI93822 EJB auto-link fails for java:global with beanName provided
Open Liberty Release fixes
 
Issue/PR Description
8015  Delay TCP Port starts until server is initiailized
9085 ServletCacheEngine ignore cache for App using default context root
9157

Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
9512 OIDC RP does not reject requests that match more than one filter
10067

EclipseLink: Deliver Bug #618

10142  Installing mpHealth 1.0 and 2.0 features together causes NullPointerException
10189 Fault Tolerance reports an internal error when an asynchronous method returns null
10196 H2 close with error produces invalid state
10236

EclipseLink: Deliver Bug #558283
10238 Default logging format not being set when using an invalid console/message logging format
10240

EclipseLink: Deliver Bug #558414
10243 Pull in MYFACES-4311 and add a FAT
10248 JsonB provider not found when loaded from library
10293 Test Failure: com.ibm.ws.testing.opentracing.test.FATOpentracing.testImmediate
10310  EclipseLink: Deliver Bug #347987
10337 Java Batch: Error reported when JMS job dispatch message is redelivered
10384 Support for SameSite attribute in Set-Cookie header is needed
10393 PersistentTimerCoreTest.testDisabledLateTimerMessage FFDC indciates missing doPriv on abort
10397 Retry port opening according to configurable number of retries
10426 requestTiming-1.0: servletTiming server configuration does not work with servlet-4.0
10461 Basic registry throws PatternSyntaxException when search filter contains paren
10462 LDAP registry throws InvalidSearchFilterException when principalName search filter contains paren
10508 Avoid using System.getProperty("line.separator") in messaging code
10559 Need to quit warning about strange cookies sent from IBM ID
10578 oidcclient doesn't expand ID attribute after 19.011
10582 JAX-RS 2.0 ExceptionMapper is ignored when using mpOpenTracing
10587 Yoko ORB shutdown thread hangs
10604 Wrong encoding for special characters (Swedish language)
10702 Decompression Ratio Support
Fix pack 20.0.0.1
Fix release date: 24 January 2020
Last modified: 24 January 2020
Status: Superseded

Download Fix pack 20.0.0.1
Component Security APAR APAR Description
Liberty System Management PH20161 OpenAPI Swagger UI vulnerability (CVE-2019-17495)
Web Services (JAX-WS, JAX-RS) PH18762 Add support for gzip encoding
 Open Liberty Release fixes
Issue/PR Description
6956 Liberty depends on the ps command during shutdown
8563 Pull in MyFaces 2.3.6
8773 OIDC Client Requests Tokens with the same auth code
9281 auditUtility command/script file not found in /bin directory.
9307 Error message when MP Open Tracing feature is enabled but not in use
9441 Auto-features which depend on kernel features do not get installed
9943  Map the Spring Boot application's context root to the application's welcome page (index)
9516 Unfriendly user error message displayed and user is blocked from signing in to their application when their liberty session expires
9602 H2 Synchronization problem with tests that are sending duplicate frames
9679 H2 intermittent error when upgrade fails
9708 For a batch job with partitioned step, the PartitionReducer's afterPartitionedStepCompletion gets ROLLBACK on normal completion.
9798 Handling logging out of mp jwt flow introduces an error
9824  Cannot distinguish opaque token that contains two dots from JWT
9848 Resource adapters might fail to start with Bean Validation 1.1 and CDI 1.2 enabled.
9886 Unresolved module com.ibm.ws.rest.handler.validator.jca
9904 javax.servlet.ServletRequest.getParameterValues returns null in Jaxrs applications
10006 service.ranking can be removed from com.ibm.ws.persistence defaultInstances.xml
10030 H2 connection error causes server timeout
10144 Add additional support for range attributes on Active Directory Ldap searches
10165 Fault Tolerance messages not output
10178 Resource leak when installing features through Gradle on Windows
10215 CXF cannot process a gzip encoded SOAP response
10228  Rest Client for MicroProfile loses entity on POST requests with status code 202 response

Fix pack 19.0.0.12
Fix release date: 13 December 2019
Last modified: 13 December 2019
Status: Superseded

Download Fix pack 19.0.0.12
Component Security APAR APAR Description
Liberty Administrative Center PH18799 WebSphere Liberty is vulnerable to a Cross-site scripting vulnerability in the Admin Center  (CVE-2019-4663)
 Open Liberty Release fixes
Issue/PR Description
8395 Remove obsolete com.ibm.ws.webcontainer.channelwritetype from Liberty's metadata and web container properties
9228 LDAP registry returns error code 21 when updating boolean values
9293 Opentracing can cause jaxrs exceptions to not be logged
9386 NullPointerException when using dynamic filter to add mapping for servlet name
9455 HTTP/2 malformed requests should cause stream reset
9499 FFDC when Exception thrown by user code proxied using ContextService
9545 Test Failure: junit.framework.TestSuite.com.ibm.ws.cdi12.fat.tests.SessionDestroyTests
9596 Relax criteria for calling out an FFDC when dealing with the Selector logic
9607 NPE in the SIP Container when a Digest challenge does not contain the `algorithm` field
9625 Unable to load LibertySSLSocketFactory during transaction recovery
9676 Class transformers can fail if a class is loaded from the shared classes cache
9692

Non english characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9825 JNDI literals parsing too verbose
Fix pack 19.0.0.11
Fix release date: 15 November 2019
Last modified: 15 November 2019
Status: Superseded

Download Fix pack 19.0.0.11
Component Security APAR APAR Description
General PH11427 Service call by service.Create() does not time out in 30 seconds
PH17678 Man in the middle vulnerability in OpenSAML (CVE-2014-3603)
PH18113 Add Apache HttpClient library
PH18282 SCIM API fails to retrieve a group or user with a forward slash in the DN
JavaServer Pages (JSP) PH13983 Information disclosure in WebSphere Application Server (CVE-2019-4441)
Liberty z/OS PH18715 java.lang.StringIndexOutOfBoundsException exception in com.ibm.ws.zos.registration.internal.ProductManager.start
Security PH18751 Exceptions when using keystore ID="defaultkeystore" after upgrading to fix pack 19.0.0.9 on z/OS
PH29291 NullPointerException might be thrown during EJB invocation on 19.0.0.9
 Open Liberty Release fixes 
Issue/PR Description
4387 Runnable JAR execution fails when WLP_USER_DIR env var is set to "other" location with CWWKE0005E
7701 Pull in MyFaces 2.3.4
8152 TAI negotiateValidateandEstablishTrust called twice during authentication.
8196 7234-TRACENPE COMMIT1
8404 Confidential for Security Integrity fix CVE-2014-3603
8860 jwkRetriever should not require an sslSocketFactory if using http
8899 federatedRegistry-1.0 group membership may use a repository that does not participate in the realm
9085 ServletCacheEngine ignore cache for App using default context root
9122 Remove additional ; in WebApp.java
9129 Update Commons BeanUtils to 1.9.4
9130 Header Key retrieval fix for case sensitivity
9132 correct certain JSP messages
9143 NullPointerException might be thrown when the security audit is enabled for ejb.
9380 IllegalStateException in JMX Connector RESTHandler from call to getWriter
9416 Add Apache HttpClient v3.1 library
9436 RACF SDBM LDAP registries may encounter OperationNotSupportedException
9437 Test Failure (20180702-1422): com.ibm.ws.jdbc.fat.v41.JDBC41Test.testTransactionTimeoutAbort
9441 Auto-features which depend on kernel features do not get installed
9451 Fix Intermittent NullPointerException on TCP trace during shutdown
9472 H2 Intermittent NPE in HttpOutputStreamImpl.flushHeaders()
Fix pack 19.0.0.10
Fix release date: 18 October 2019
Last modified: 18 October 2019
Status: Superseded

Download Fix pack 19.0.0.10
 
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH05014 Null CDI Bean results in a NullPointerException thrown in Apache WebBeans code
General PH16611 Multiple vulnerabilities in HTTP/2 implementation used by WebSphere Application Server Liberty
Intelligent Management Component PH16337 Liberty OIDC is not working with dynamic routing plug-in
Liberty z/OS PH14100 Out of storage condition caused by a leak in LSCL causing rc12 Reason Code 24 from BBOA1CNG
PH16940 Liberty servers abend with an ABENDSEC3 RSN=20000800 when a Liberty server is shutdown using force or similar
Security PH15518 Multiple vulnerabilities in WebSphere Application Server Liberty (CVE-2019-4304, CVE-2019-4305)
WebSphere Compute Grid PH13367 Job Partitions reported failing due to a deadlock on Java Batch Job Repository tables
WMQ messaging providers PH13286

Provide mechanism to disable 1PC optimization
Open Liberty Release fixes 
Issue/PR Description
7767 Expose JSF MyFaces Implementation classes as third-party
7849 The JWK retriever does not remove stale JWK from cache
8532 Deadlock issue when using persistence batch framework
8597 Federation of a custom UserRegistry (CUR) results in different behavior than when stand-alone
8612 export jsf-2.3 impl classes as third-party
8614 export jsf-2.2 impl classes as third-party
8736 Case TS001514963: requestTiming doesn't show all SQL queries
8808 OIDC RP does notHTTP Auth header as containing a valid OIDC id_token
8840 CWIML0514W occurs using uppercase group DN on getGroups
8863 Failure to parse multiple comma separated links in an HTTP Link header on a Jaxrs Response object
8886 GA Fault Tolerance - Metrics 2.0 integration
8903 When JACC is enabled, annotated role mapping is not enforced properly.
8951 OperationNotSupportedException: [LDAP: error code 53 - R000128 Filter is not supported (sdbm_search:1413)]
8979 requestTiming-1.0 feature does not work in OpenLiberty
9021 JSF File Descriptor leak in DefaultFaceletFactory
9033 Erroneous CWWKL0058W warning when multiple JARs in library have META-INF/services
9069 Web Admin Security Updates
9079 Terminate misbehaving HTTP/2 connections
 
Fix pack 19.0.0.9
Fix release date: 20 September 2019
Last modified: 20 September 2019
Status: Superseded

Download Fix pack 19.0.0.9
Component Security APAR APAR Description
Liberty Debug and Tracing PH15280 Leak of RACF ACEE control blocks in Liberty server
Liberty Kernel PH17088  Apache Commons Compress denial of service vulnerability (CVE-2019-12402)
PH17796 ConfigHash value in plugin-config.xml causing parsing issues
Liberty z/OS PH15877 Angel stops without detecting active Liberty servers
Security PH15505 Collectives keystore mismatch
WebSphere Compute Grid PH10566 Issues with remote partition restart if server crashes
 Open Liberty Release fixes 
Issue/PR Description
7600 social login linkedin flow is broken and needs updating
8169 ProfileManager.getImpl call ignores realm allowOpIfRepoDown setting
8219 Support direct HTTP/2
8473 webAppSecurity overrideHttpAuthMethod set to BASIC or FORM does not function
8546 HTTP/2 trailer improvements
8561 CWIML4564I informational message lists wrong LDAP server.
8647 java.lang.IllegalStateException when running Liberty wlp-webProfile7 19.0.0.8
8761 Java Batch: Remote JVM partitions not restartable after executor shutdown
8793 Custom fields not logging when using LogRecordContext and field names contain underscores
Fix pack 19.0.0.8
Fix release date: 23 August 2019
Last modified: 23 August 2019
Status: Superseded

Download Fix pack 19.0.0.8
Component Security APAR APAR Description
Database Access, Connection Management, Merant/DataDirect drivers PH15281 Postgres SQL Large Object API blocked
Liberty z/OS PH13341 The --clean action is ignored when WLP_ZOS_JOBNAME is set
Security PH15089 A login might be required for unprotected resources when none of TAIs processed a request
Sessions and Session Management PH13932 "Using collection QEJBASSN for session persistence." is always output with startup of Liberty servers
Virtual Member Manager (VMM) PH14786 Using non ASCII characters (ex. Chinese) in an SCIM filter fails
Web Container PH14619 ServletContext.getRealPath() shouldn't return null for nonexistent files
Open Liberty Release fixes 
Issue/PR Description
5035 Update ServletContext.getRealPath() behavior
7521 Call Class.forName() within doPrivileged block from WASURLObjectFactoryFinder
8085 HttpServletMapping.getPattern is not correct for /* mapping
8128 Clean up URIMatcher40 and ServletWrapper
8141 Adding mpConfig-1.3 feature while the server is running doesn't install the configuration feature properly
8250 OIDC discovery endpoint doesn't emit the revocation endpoint
8252 Eclipselink: Fix bug 547173
8274 WSOC: fix a read during close timing window.
8277 login process is carried out for unprotected resources even TAI does not intercepts a request
8304 Loose application with MP Health not picking up changes after recompile - GM 19.0.0.7
8307 Error on edit for OAuth client with no secret
8339 openidconnect emits httpclient spurious log warnings for certain cookies
8346 Liberty 19.0.0.7 Blocks *all* Large Object API functions for Postgres
8401 Add doPrivileged block in WASInitialContextFactoryBuilder for class look up
8449 content-length header should not be required for HTTP/2 requests
8458 Channel framework chains not closing down before timeout
8460 8458 - Loop until cfw chain is closed
8474 PushBuilder should ignore headers with null values
8482 URBridgeEntity uses NLS message key, REQUIRED_IDENTIFIERS_MISSING, which is not defined
Fix pack 19.0.0.7
Fix release date: 25 July 2019
Last modified: 25 July 2019
Status: Superseded

Download Fix pack 19.0.0.7
Component Security APAR APAR Description
Liberty Administrative Center PH13994 Clickjacking vulnerability in Liberty Admin Center (CVE-2019-4285)
Security PH13970 After updating to 19.0.0.4, SESN0008E errors started occurring
Systems Management Functions PH13649 Invalid command line optional parameter (--hostName) with "collective help addReplica"
Virtual Member Manager (VMM) PH13757 SCIM 1.0 returns HTTP 404 return code for user search
Open Liberty Release fixes 
Issue/PR Description
5337 NullPointerException in BridgeUtils seperateIDAndRealm(...)
6158 Pull in MyFaces 2.3.3 once it is released
7539 Federated Repositories LoginBridge doesn't handle output property mappings that are multi-valued
7552 JPAContainer incorrectly sets App Classloader as the CCL
7612 Scrub error response for unwanted characters
7670 IllegalArgumentException in MP Metrics from timing issue
7854 WSLogManager static fields not properly initialized in jdk7
7871 Fix NPE in WebAppSecurityCollaboratorImpl when invoking web resource using custom HTTP method
7888 socialLogin needs to produce choice menu with one provider and localAuth enabled
7920 WASReqURL cookie path is not set when the context root of an application is set to root
7984 When Auditing function is enabled, it is potential that SRVE0777E error is logged
7986 Memory leak when stopping applications
8034 NullPointerException in UniqueNameHelper.getValidDN
8096 After updating to 19.0.0.4, SESN0008E errors started occurring
Fix pack 19.0.0.6
Fix release date: 28 June 2019
Last modified: 28 June 2019
Status: Superseded

Download Fix pack 19.0.0.6
Component Security APAR APAR Description
Channel Framework PH13269 Delay ALPN init until required and free ALPN resources on connection errors to prevent OutOfMemory
Liberty Debug and Tracing PH11759 Performance drops when writing a large amount of log entries to Liberty console log
Liberty z/OS PH12644 Keys are not stored in ICSF with triple-length PCICC format
Security PH07530 A NullPointerException is thrown during SAFKeyRingNotificationMbeanImpl initialization
Web Services Security PH11031 OAuth runtime emits error when adding EXTENDEDFIELDS column many times
Open Liberty Release fixes 
Issue/PR Description
6317 JAX-RS request context modified after client request
7207 EclipseLink: Deliver Bug #421056
7433 Avoid inferring caller in LogRecord.getSourceClassName and getSourceMethodName when processing System.out calls
7440 Investigate possible difference in values between Prometheus and JSON format metrics
7632 EclipseLink: Deliver Bug #421056 pt2
7634 Session time based write option not honor small time interval
7695 java.sql.Connection's network timeout not getting set to the correct value
7831 Timing issue between deleted configuration and configuration store

Fix pack 19.0.0.5
Fix release date: 31 May 2019
Last modified: 31 May 2019
Status: Superseded

Download Fix pack 19.0.0.5
Component Security APAR APAR Description
General PH11801 Liberty 19.0.0.3 cannot start Java health center starting with IBM JDK 8.0.5.31
Security PH08972 Liberty on z/OS message CWWKS2934E issued during initialization is confusing when it does not reflect final status
Systems Management Functions PH11844 Joining a member to a back level controller fails when the collective uses a collective-wide ssh key
Open Liberty Release fixes 
Issue/PR Description
6095 Ability to extend the size of the log buffer beyond 8k on WebSphere Application Server Liberty Profile
6391 Building .tar.gz server package fails on Windows
7307 redirectcontextroot=true and redirected secure page causes null
7332 remoteIp "proxies" Default Regex Adjustment
7407 Better handle private headers during message deserialization
7434 NullPointerException in MethodAttribUtils.getXMLCMCLockAccessTimeout
7441 NullPointerException in AppDefinedResourceFactory
7448 NPE in LTPAConfigurationImpl.loadConfig
Fix pack 19.0.0.4
Fix release date: 3 May 2019
Last modified: 3 May 2019
Status: superseded

Download Fix pack 19.0.0.4
Component Security APAR APAR Description
Liberty z/OS PH10537 SMF 120 subtype 11 and 12 records should report the value of cvtzcbp
PH10538 The RCVTID is not available to Java applications deployed in Liberty
Messaging Providers PH06340 Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046)
Security PI91146 Liberty runs unnecessary authentication logic when TAI is configured
Open Liberty Release fixes
Issue/PR Description
1338 invokeForUnprotectedURI triggers unnecessary authentication
5376 LdapConnection getAttributesByUniqueName() throws EntityNotFoundException for existing user
6756 Initial requests with custom method (including PATCH) fail with HTTP/2
6982 JAX-RS 2.1 Performance
6987 Redirect Scheme and Port Mismatch
7044 Externalize ThrowIOEForInboundConnections httpOptions
7052 mpFT 2.0: Circuit Breaker metrics updated incorrectly when non-failure exception thrown
7071 Outbound SSL Connection IOException
7080 FT 2.0: Circuit breaker doesn't correctly restrict executions when in half-open state
7083 Using Automatic WorkQueue for Async JAX-RS responses
7102 Improve BNF Header Storage
7171 inherited templated transient views raising "unable to create views" exceptions
7184 Test Failure: EEConcurrencySpecTest.testListenerInvokeAnyWithTimeout Future.get interrupted during taskDone with CWWKC1120E
7211 getManagedConnection: illegal state exception. State = STATE_INACTIVE after abort due to transaction timeout
7260 Problems with resolution of environment variables
Fix pack 19.0.0.3
Fix release date: 5 April 2019
Last modified: 5 April 2019
Status: Superseded

Download Fix pack 19.0.0.3
 
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH09834 java.lang.VerifyError on OpenWebBeans with Java 8 update 11 and 7 update 65
EJB Container PH08828 OutOfMemory in InjectionEngine cache
General PH09657 Usage Metering discards metrics on HTTP 500 response from metering service
PH12825 TransactionScoped observers do not fire
Java Message Service (JMS) PH07036 Potential Spoofing vulnerability in WebSphere Application Server (CVE-2018-1902)
Liberty Administrative Center PH06250 Accessability section 508 compliance for admin center
Liberty z/OS PH09140 Liberty server request failures after the angel process is canceled
Web Container PH08872 The servletRequeset.getContextPath() might return a different context path when using with OIDC client application.
Web Services (JAX-WS, JAX-RS) PH09634 The policy-attachments-server.xml file under WEB-INF is not processed
Web Services Security PH09651 OpenID Connect client authzParameter and tokenParameter values not updated when dynamically removed from server configuration
 Open Liberty Release fixes
Issue/PR Description
4300 DefaultExtensionProcessor file.not.found message does not contain default message that takes a parameter
6019 ApplicationManager startTimeout blocks startup when app is missing
6129 Fix Java 2 Security issues with JSPs
6246 Apply "useAuthenticationDataForUnprotectedResource" to jwtSso cookie
6255 jsonp-1.1 API dependencies incorrect
6295 ClassCastException when using binaryLog with --monitor
6317 JAX-RS request context modified after client request
6360 Filter out embedded server dependencies for Spring Boot 2.1.x
6407 Test Failure (20190101-0221): com.ibm.ws.kernel.boot.ServerStartAsServiceTest.testWinServiceLifeCycle
6521 Generic types are lost in MP Rest Client and JAX-RS clients due to bug in JsonBProvider
6527 Stack overflow scheduling new ManagedScheduledExecutor task from task
6573 Application exceptions should not be wrapped in EJBException
6628 Command line variables aren't working on windows
6641 ClassNotFoundException thrown during sessionPostInvoke
6659 ServletRequest.getContextPath() might return wrong value when OIDC app is in used
6668 Externalize maxOpenConnections tcpOptions
6725 Using slash slash comment in JSP expression spanning lines can get JSP error
6727 JSP slash slash comment fix
6761 Custom JAX-RS ParamConverter doesn't work for collection and array types
6768 Using slash slash comment in JSP expression spanning lines can get JSP error, Java7 compatible
6790 Loading classes from multi-release jars does not work
6812 HTTP request header "If-Modified-Since" parsing fails with IllegalArgumentException if default Locale isn't US
6822 Automatic EJB Timer creation skipped if database tables do not exist
6868 WebContainer: make code more service deactivate aware
6951 ClassNotFoundException during JSF initialization
6953 Tolerate missing ps
Fix pack 19.0.0.2
Fix release date: 8 March 2019
Last modified: 8 March 2019
Status: Superseded

Download Fix pack 19.0.0.2
Component Security APAR APAR Description
General PH07896 Liberty server start hangs on "CWWKZ0018I: Starting application" when thread pool max size is set
Liberty z/OS PH08209 Add support for CICS 5.5 for WebSphere Optimized Local Adapters
PH08497 Message ICH408I is not generated when user lacks access to profile prefix in appl class
PH08753 Ship assembler DSECT that maps SMF 120 subtype 11 z/OS connect user data
Security PH08030 Changes needed in the SAFAuthorizationService API
Virtual Member Manager (VMM) PH08428 NullPointerException is thrown when creating a SCIM user with missing name
Web Services Security PH06141 Multipart/related SOAP part Content-Type issue
PH08466 OAuth introspect endpoint does not return correct issuer if OpenID Connect provider configures issuerIdentifier
PH09706 Liberty OIDC message numbers CWWKS1754 through CWWKS1759 are duplicated
Open Liberty Release fixes
 
Issue/PR Description
4975 Destroy of aborted connections and removal from the pool
5094 Fix NPE in servlet cleanup for WebSocket request
5833 The federatedRepositry-->primaryRealm-->defaultParents element should support multiple occurences in the server.xml
6017 Auto plugin generation is inconsistent with OSGI applications
6183 Incomplete SRVE0279E message
6273 JAX-RS clearing RuntimeContext for server side message when resource invokes a client
6287 Add default value to the remoteIp "proxies" attribute in the metatype.xml of the HTTP Channel
6298 Update WebContainer.getCacheManager() to avoid NullPointerException
6323 Invalid archive files no longer prevent apps from starting
6348 Fix 500 error when servletPath is NULL
6371 Handle exception on call to connection.abort
6381 WLP 18.0.0.4 fails to rotate trace log on Windows
6408 Fix for connection wait timeout message not being translated.
6427 Connection wait time does not dynamically change to 0
6452 showPoolContents waiting connection requests value is incorrect
6490 Test Failure (20190203-0423): PolicyExecutorTest.testConcurrentUpdateMaxWaitForEnqueue
6518 Redundant log file in workarea after sever start with errror: java.lang.IllegalArgumentException: The property 'osgi.configuration.area' ... is being overriden ...
6524 SSL Channel throws NullPointerException during stress
Fix pack 19.0.0.1
Fix release date: 8 February 2019
Last modified: 8 February 2019
Status: Superseded

Download Fix pack 19.0.0.1
 
Component Security APAR APAR Description
General PH02684 Add an openIDConnectClient configuration option to allow token reuse
PH07247 Unnecessary HttpHostConnectException FFDC logged for usage metering
JavaServer MyFaces (JSF) Apache MyFaces implementation PH06135 JSF 2.0 throws a NullPointerException during server shutdown
PH06389 JSF can leak JarFiles causing problems with application removal
Liberty z/OS PH05262 Calling request.login() from a servlet does not sync the ID to the thread
PH07190 It is difficult to debug problems when the Liberty server connects to a earlier angel process
PH07213 Ship assembler dsects for smf120 subtype 11 and subtype 12 records
PH07486 Liberty generic MODIFY HELP output is too verbose
Web Container PI80786 Http 500 is returned from a request with too many parent directories (forward slashes) in the url
PH05787 ConcurrentModificationException
Web Services Security PH07297 Denial of Service vulnerability in Guava (CVE-2018-10237)
Open Liberty Release fixes
Issue/PR
Description
3553 Set 400 status code for invalid URI
3645 User ID is not synced to the thread during HttpServletRequest.login()
4809 Remove internal designation/updates for servletPathForDefaultMapping/make servlet-4.0 default / tests
5077 3645 sync user during login
5341 Modify default ldapRegistry-3.0 read timeout to be 1 minute
5772 AppClassLoader does not correctly handle null response from ClassFileTransformers
5785 CWWKS9582E: The [defaultSSLConfig] sslRef attributes required by the orb element with the defaultOrb ID have not been resolved within 10 seconds.
5798 H2: Separate Continuation Frame Checking Between Read And Write
5862 ConcurrentModificationException happens when a web application receives a large number of requests immediately after it starts.
5963 DataSourceDefinition, ConnectionFactoryDefinition, and AdministeredObject properties should not be path normalized
5970 trackLoggedOutSSOCookies setting causing multiple login failure
5976 ConcurrentModificationException from ReferenceContext starting web application
5983 5785-orbssltimeout2-commit1
5992 JarFiles never released by JSF
6020 Fix Open Liberty Windows Service name in server.bat
6036 PollingDynamicConfig tasks can be leaked
6042 Hot update broken in 18.0.0.4
6058 Invalid connection pool Prometheus metric format (monitor, mpMetrics)
6073 OL 18.0.0.4 server package does not package loose application as war
6113 Pull MYFACES-4251 to JSF 2.3
6123 Trace Specification logging level "off" doesn't work
6152 NamingException masked when listing entries in a JNDI context
Fix pack 18.0.0.4
Fix release date: 14 December 2018
Last modified: 14 December 2018
Status: Superseded

Download Fix pack 18.0.0.4

Component Security APAR APAR Description
DynaCache PH02049 Cross-site scripting vulnerability in cache monitor (CVE-2018-1767)
General PH02212 Application with CDI 1.2 in Liberty 18.0.0.2 fail to start
PH02361 WebSphere Liberty OIDC client implementation is proxy-unaware
PH02742 NPE when doing direct forward operation
PH02750 java.lang.classCastException occurs in OidcClientImpl.logout
PH03409 Seemingly erratic thread pool growth during low or no-load situations after upgrading to 18.0.0.1
PH04652 WebSphere Application Server Liberty for z/OS provides no metrics for usageMetering-1.0
PH04653 Updated CPU limit (--cpus) not recognized by usage metering feature
PH05071 JVM hang when calling GarbageCollectorMXBean.getLastGcInfo for usageMetering-1.0
PH06256 CWWKS1739E: A signing key required by signature algorithm [RS256] was not available when upgrading to 18.0.0.3
PI97786 eclipselink throws "argument type mismatch" for jpql case expression
PI99263 ServletContext.getRealPath() returns null for resource in extended document root
Install V8 and above PH03040 Fixpack 18.0.0.3 cannot be installed on IBM i
PH04137 Updating WebSphere Liberty for z/OS to fix pack 18.0.0.3 fails with NullPointerException
JavaServer Pages (JSP) PH02063 Potential security bypass in WebSphere Application Server with Expression Language library (CVE-2014-7810)
Liberty z/OS PH02955 Unable to use SAF Keyring for collective SSH communication
PH03549 When the zosWlm-1.0 feature is enabled. the health indicator of the server is only ever set to 2 percent
PH03768 EntryNotFoundException SAFGRP is not a valid group
PH04243 EC3 abend reason code 20F00600 occurs after a 422 abend
PH04282 Error authenticating when Liberty server tries to connect to a back-level angel process
PH05100 OutOfMemory failure in Liberty under CICS when connected to an angel process
Messaging Providers PH00027 After migrating to WebSphere Application Server V9, the CWSID0046E error is seen in the logs
Systems Management Functions PH03232 Incorrect server state reported in a multicontroller collective
Virtual Member Manager (VMM) PH02811 Privilege escalation vulnerability in WebSphere Application Server (CVE-2018-1901)
PH04136 Attempt to create user in SCIM returns 500 HTTP status code with DefaultParentNotFoundException message
PH04147 Attempt to update user ID in SCIM returns 500 HTTP status code with IllegalArgumentException message
Web Services (JAX-WS, JAX-RS) PH02234 Issue when processing the caller token for UsernameToken
PH03014 A property is set in the RequestContext but the interceptor does not read this property resulting in a NullPointerException
Web Services Security PH03004 CWWKS1721E: The resource server received an error it was attempting to validate the access token z/OS Connect EE
PH05414 OpenIdConnect client subject might not contain Id Token
WebSphere Compute Grid PI87244 Firewall prevents the Liberty Java batch tool from displaying job logs

 Open Liberty Release fixes

Issue/PR
Description
1438 JAAS login module shared library is missing protection domain
3113 ArrayIndexOutOfBounds in LdapConfigManager.setFilters()
3919 Future does not return immediately when timeout fires when using timeout with Async
4132 full tmp dir prevents server from reading server.env during startup
4135 Pull in MyFaces 2.3.2 once released
4202 Migration of JMS delivery delay.
4332 Need to fix first line of output from Liberty JSON log format to actually be JSON
4535 LogRecordContext API is missing from /wlp/dev/api/ibm jars
4760 Expose a couple of packages to the thread-context in jsf-2.3
4792 Fix BundleContext is no longer valid error on server shutdown
4853 Provision compatible javax.annotations API for SpringBoot applications
4873 Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
4898 H2: fix some HTTP/2 code and test issues uncovered by further parallel stream stress testing
4912 Fix missing doPriv in unwrap
4913 JSR375: When JASPIC is enabled, a login panel pops up even EVERYONE role is assigned
4955 Externalize multiple httpOptions
4960 Faces servlet mappings defined in web-fragment.xml do not work - jsf-2.2
5045 Add a recursion counter for messagehandlers into BaseTraceService
5076 NullPointerException in ClassLoadingServiceImpl
5088 SpringBoot applications fail to start when a non jar file is in the library directory
5094

Fix NPE in servlet service which may happen when WebSocket is used
5114 Test Failure (Liberty - Mac EBC - 20180915-0112): PolicyExecutorTest.testStartTimeout
5126 HTTP/2 engine must tolerate priority frames received in any state and better handle flow control problems
5149 update openidconnect client way of sending credentials to userinfo endpoint
5154 Flush queued actions when an app is removed
5164 /metrics output got truncated on Japanese locale
5244 MYFACES-4252 Classpath._searchDir can throw NullPointerException
5277 Fix Java 2 Security access issue in kernel DefaultFileStreamFactory
5293 Deadlock in ZipFileArtifactNotifierImpl
5339 H2: Fix race condition in multi-stream writing logic
5345 Improve our serviceability around page search and chasing referrals for Ldap
5363 MP Rest Client does not honor MP Config-specified providers
5383 Occasional HTTP/2 MessageSentException: Message already sent
5395 SSL config not used by RestClient
5425 JAX-RS Client does not pool HTTPS connections
5428 Fix bug in server package server-root command
5441 JMSContextInjectionBean uses deprecated CDI method
5453 Microprofile appProperties element not showing up in schema
5465 Pull MYFACES-4260 to both jsf-2.2 and jsf-2.3 features
5483 release bug: implement PH02361 in development stream
5498 When using advanced connection manager property numConnectionsPerThreadLocal and connection fail during cleanup, the connection managers connection pool may fail to remove failing connections resulting in no connections being available.
5510 Deliver fix for CVE-2014-7810
5557 OpenId Connect clients might exhibit a thread leak
5560 MessageSentException intermittently during flushBuffers
5585 EJB timer ScheduleExpression serialization incompatibility
5590 Failed to createMinimumEscapeHandler for unknown jaxb class
5637 Expose jsf 2.3 org.apache.myfaces.push.cdi to thread context class loader
5647 Fix --include default to have /usr for server and shared folder
5779 Too many threads during low-load operation
6002 CWWKS1739E error may occur when using OpenID Connect in 18.0.0.3
Fix pack 18.0.0.3
Fix release date: 21 September 2018
Last modified: 21 September 2018
Status: Superseded

Download Fix pack 18.0.0.3
Component Security APAR APAR Description
General PH00304 The maximum connections setting of a data source's connection pool is not  always honored
PH01447 Improvement to SSL Closing Handshake
PH01499 APAR for OLGH4402
PH01610 Application fails to start due to JAXBEXCEPTION after upgrading to 18.0.0.2
PI99176 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1683)
PI99600 AccessControlException thrown when connecting to Health Center with Java 2 Security enabled
PI99672 Remove the first_rows hint from Oracle V10+ pagination queries
Intelligent Management Component PH00735 Null Pointer Exception when HTTP or HTTPS ports blank in server.xml
Java Persistence API (JPA) PH01681 Then and else expressions should be case result instead of case operand type
Liberty z/OS PH01179 Duplicate entries of the BBGZSCFM module are listed in the output of IPCS LPAMAP
PI96910 ICH error messages are not issued during Liberty startup when checking for access to BBG.SECPFX.* and APPLl profiles
PI97659 Display memlimit value and source as well as region information in Liberty log at startup
PI98758 Setting enablefailover to false for the safregistry can produce misleading messages if authorized services are not available
PI99411 The Liberty message log DD is not configurable
Security
PH01295 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755)
PI97676 Message CWWKS1100A may be misleading
PI99285 User login fails when configuring zOS mapDistributedIdentities
Systems Management Functions PH00435 Collective controller logs NoSuchElementException from LivenessMontiorV2
PH00566 Member should fail over after continuous 2 minutes sendHeartBeat failure
PH00730 The unnecessary information should not be generated in repository dump file
PH00926 Collective repository dump should include non-sensitive host and jmx auth information to help diagnose issues
Virtual Member Manager (VMM) PH00881 SCIM does not return paged results for requests that don't include the 'count' parameter
PH01668 SCIM incorrectly returns 500 on MaxSearchResultsExceeded
PH01863 SCIM updates to users can result in attributes being marked for deletion that were not designated for deletion by the request
PI99257 Requests to SCIM to retrieve a resource by ID that don't include an ID result in an 500 HTTP status code
PI99317 Request to SCIM "groups/{ID}" endpoint specifying "members" attribute does not return the group members
Web Container PH00448 A CWWKE0702E message is printed when the webCache-1.0 feature is enabled
Web Services (JAX-WS, JAX-RS)
PH00401 Potential man-in-the-middle attack in WebSphere Application Server Liberty for JAXWS(CVE-2018-8039)
PH01221 Potential man-in-the-middle attack in WebSphere Application Server for JAXRS (CVE-2018-8039)
Web Services Security PH12959
OAuth provider does not update settings in the consent cache
PH03418 Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty (CVE-2018-1851)
PI95405 Liberty may not find key in JWK by x5t
WebSphere Compute Grid PH02256 File access exceptions when running a Java Batch application with syncToOSThread enabled

Open Liberty Release fixes

Issue/PR
Description
2489 Global error when there are no registries available (Ldap,etc) for VMMService
2659 Capture security context from Java Batch thread when syncToOSThread is enabled
3422 Check for override of default configuration and ignore
3489 MP Rest Client does not use Liberty SSL config when making outbound requests
3522 Update Xalan library
3853 basicRegistry-1.0's 'ignoreCaseForAuthentication' attribute does not apply to getUsers(...) method
3952 Add global error when user registry is not found
4002 Incorrect CWWKZ0022W messages printed with VirtualHost Usage
4016 Quiesce should not be blocked by application start
4028 Liberty 18.0.0.1 startup issues with Arabic locale
4040 Make RC consistent for starting liberty as a Windows Service
4044 Server failure before framework startup can leave JVM running
4158 Need to squelch "Could not obtain lock" errors appropriately
4186 Need to improve config dropins processing
4203 In 18.0.0.2 an IllegalArgumentException can occur when "maxParamPerRequest="-1"
4211 Java 2 security issue in org.apache.cxf.transport.https.HttpsURLConnectionFactory
4244 Add global error when user registry is not found
4272 When a thread is interrupted waiting for a connection from the connection manager, maximum connections will be decremented.
4275 NPE in JAXRS client when OpenTracing is included
4310 Spring boot application deployment in Liberty throwing Class cast exception
4341 PageControl's 'startIndex' is not honored when 'size' is greater than results
4345 Add doPrivileged code for InetAddress related activity in messaging
4346 Add doPrivileged code for InetAddress related activity in IIOP
4368 ConcurrentModificationException when a JAXRS API has multiple consume and/or produce MediaTypes
4392 Fix server hang issue when bootstrap.properties variable is incorrectly specified
4402 Format problem with logs when traceFilename=stdout and traceFormat=ENHANCED / BASIC
4462 NonPersistent EJB timer dying if timeout throws exception on last retry
4465 RejectedExecutionException: Trigger.getNextRunTime: null creating EJB timer
4505 SSL Closing handshake improvement
4521 Install kernel does not throw exception if already installed features are specified again with a different capitalization
4530 Install kernel map installs features without wlp/bin and wlp/dev contents
4531 ManagedScheduledExecutor tries to run tasks during server shutdown
4550 Injection race condition in JAX-RS during startup
4609 Maven features should provide transitive dependencies for stable API, third-party API
4619 PersonAccount's and Group's get(String), isSet(String), and unset(String) methods may throw NullPointerExceptions
4666 Correct getServletPath for default mapping
4712 release bug: mpjwt JsonWebToken.getAudience() return type noncompliant with spec when no audiences present.
4717 Update Yoko to favour CSI endpoints
Fix pack 18.0.0.2
Fix release date: 29 June 2018
Last modified: 29 June 2018
Status: Recommended

Download Fix pack 18.0.0.2
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI92477 WELD-2447 ClientProxy serialization support should be container agnostic
PI95074

WELD-2466 null pointer exception in webservice calls
DynaCache PI94514 NullPointerException occurs using a MetaDataGenerator
EJB Container PI95215 MessageEndpoints are notProperly released
General PI95821 StabilizeProduct Insights Enablement
PI96187 Update bluemixUtility command for data sovereignty regulations
PI96735 Access log "maxfiles" attribute not working as intended with value of 0
PI97234 APAR for OLGH2631
PI99031 Garbage collection events not captured by logstashCollector-1.0 for IBM Java 8 SR 5 FP 6 and above
Intelligent Management Component PI92330 CWWKS2910 error when using dynamic routing in Liberty on z/OS with SAF security
Java Persistence API (JPA) PI92847 JPQL with trim is not handledProperly and it results in DatabaseException
PI93064 EclipseLink throws ORA-00932 for CLOB fields in an ElementCollection
PI94027 EclipseLink JPQL generation for nested arrays with 'in' expression
PI95283 EclipseLink InsertObjectQuery concurrency failure
PI95766 db representation of boolean values withPostgres is incorrect
PI97483

Eclipselink re-sorts insert and removes statements within a transaction
PI97786 Eclipselink throws "argument type mismatch" for JPQL case expression
JavaServer MyFaces (JSF) Apache MyFaces implementation PI93972 Classloader issues in JSFExtensionFactory can cause NPE
PI94947 Update of composite component within ui:repeat does not work
Liberty Administrative Center PI98574 If Liberty Admin Center was accessed via reverseProxy,the Liberty server made an unnecessary request back to theProxy server
Liberty z/OS PI82554 WebSphere Liberty AngelProcess does not identify its version and fix pack level during start-up
PI90719 Command line script to detect if commandPort is enabled, for use duringPause/resume request
PI93922 SMF120-11 timeused and starttime is only set for a forwarded servlet
PI95864 Specifying an angel name of "" for the server does not register server to default angelProcess
PI96813 It is difficult to automate WebSphere Liberty from messages on the z/OS console
PI96954 Liberty on z/OS memory leak in 64bitPrivate due to native DirectByteBuffer support
PI97611 ABEND0C1 in ntv_getAngelVersion with WebSphere Liberty version 18.0.0.1
Security PI89624 CWWKS4106E: LTPA configuration error in Liberty
PI95717 suppressUncoveredHttpMethodWarning configuration does not work
PI96014 Authfilter in Liberty not matching when multiplePaths are defined
PI96597 There is an issue with the cache
Systems Management Functions PI95994 Deploying docker container as liberty collective member failed with error "already appears to be a member."
PI97924 Improve the error handling of a Collective join command using sshPrivateKey option
Virtual Member Manager (VMM) PI96814 SCIM returns HTTP status code 500 whenPassed an invalid filter
Web Container PI93226 SRVE0266E : Error occured while initializing servlets:java.util.ConcurrentModificationException
Web Services (JAX-WS, JAX-RS) PI97288 Attachments behavior change in Liberty after migrating from tWAS
Web Services Security PI94599 Intermittent NPE in SocialLogin feature when a running server is reconfigured
PI96012 Client authentication JWTS require "sub" claim
PI96884 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1553)
WebSphere Compute Grid PI90716 Liberty z/OS CWWKY0035I: An exception occurred while trying toPersist job java.lang.IllegalStateException: no match found
PI90961 Liberty on z/OS: Batch JMS dispatcher change to lazy access of connection factory
PI93514 JobPurge request deletes the batch db records even when the executor JVM is stopped
PI98247 After batch events config change,atchManagerZos hangs waiting for job completion; batch job log events notPublished correctly
PI98295 The dispatch (JMS) message for a stopped job can, if later consumed, cause a later restart execution of that job to fail.
PI99138 Repeated delivery of Batch job dispatch JMS message resulting in ClassCastException each time


Open Liberty Release fixes

Issue/PR
Description
1261 LDAP registry with global class mapping in groupMemberIdMap adds "objectclass=*" to Group searches
2792 On restart of a Java Batch job, deserialization fails when checkpoint objects contain array type fields
2877 JSP engine unable to find tag files within loose JAR file
3045 Send and receive Strings in SIB messages using strict UTF8
3102 In 18.0.0.1, the minify option is not making the runnable JAR package any smaller
3103 Access Log "maxFiles" attribute not working as intended with value of 0
3106 Kernel Service MBeans not properly exposed
3127 Federated repositories doesn't restrict the names of extended properties
3132 Package `com.ibm.websphere.kernel.server` is not exposed as IBM-API
3140 Default app classloader ProtectionDomain set by common libraries
3160 AsyncIO native direct ByteBuffer leak
3198 Avoid full deserialization within ObjectMessage.toString()
3226 NullPointerException from EJSContainer.postInvoke() method
3233 Close streams for repositories represented by a single JSON file
3248 Add mapping of all JSP files in web module into the generated_web.xml
3280 Test Failure (20180420-0319): LoadTest.testCommitAndRollback RuntimePermission denied for WSJdbcTracer invoking newProxyInstance
3383 ldapRegistry-3.0 does not configure a read timeout for JNDI connections
3490 PI96086 - Nested EJB Async method calls not honoring nested get(timeout, unit) timeouts
3520 suppressUncoveredHttpMethodWarning does not work
3533 Redeploying WABs leads to OutOfMemoryError
3577 JAXRSClientImpl.target(UriBuilder) fails with IllegalArgumentException when client built with input containing a template variable
3578 Batch runtime should only transition to InstanceState.JMS_CONSUMED from JMS_QUEUED state.
3700 java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc.PgPreparedStatement.getLargeUpdateCount is not yet implemented.
3739 Failure to load JPA PersistenceServiceUnit used by Batch feature using V2 version of JobInstance entity.
3752 Connection leak if failure occurs while managed connection is being constructed
3779 Update EclipseLink binaries from 2.6.6.WAS-3e5c71a to 2.6.6.WAS-0ab4033
3785 Security exceptions thrown when trying to use IIOP with Java 2 security
3851 JAX-RS Client APIs fail when attempting PATCH method over HTTPS on IBM JDK
3889 Validate paths within WAR files

Fix pack 18.0.0.1
Fix release date: 16 March 2018
Last modified: 16 March 2018
Status: Superseded

Download Fix pack 18.0.0.1

Component
Security APAR
APAR
Description
General PI93106 Product insights attempts to send usage after failed registration
Java Persistence API (JPA) PI92398 Under certain conditions OpenJPA can insert an embeddable into the Datacache map
PI95871 Wrong context Classloader in org.apache.openjpa.enhance.pc
JavaServer MyFaces (JSF) Apache MyFaces implementation PI87954 Hung thread issue in MyFaces _getMetaDataTarget
PI90391 Fix bug MyFaces-4045 in IBM myfaces implementation
Liberty Administrative Center PI93411 Saving changes to member's configuration files via Admin Center's Server Config tool will get applied to the controller instead
Liberty Kernel PI94763 Fileupload causes NullPointerException on getHeader() call
PI94116 Open Liberty rollup for 18.0.0.1
Liberty OSGi Application PI88291 Slow start of the web services and error during the startup of the services
Liberty System Management PI92311 Memory leak in liberty swagger library during application stop/start
Liberty z/OS PI91275 Add an informational message to WebSphere Application Server Liberty on z/OS logs to indicate which angel process is used
PI91511 SMF 120-11 UserData added from a filter does not show up in the final SMF record
PI92070 WebSphere Application Server Liberty on z/OS WOLA CICS link server fixes for RTXSYS and RTX parameters
PI92171 An intermittent performance degradation is observed with CICS v5.4 and Liberty 17.0.0.3 compared to Liberty 17.0.0.1
PI92868 WebSphere Application Server Liberty on z/OS crash in CICS BBOATRUE during shutdown when embedded Liberty servers are at a mix of 16.0.0.3 and 17.0.0.3
Security PI86784 Enable the function of enforcing URL hostname verification as an attribute on the ssl element of server.xml
PI90980 Potential spoofing vulnerability in WebSphere Application Server (CVE-2017-1788)
PI91500 GetUserPrincipal().getName() returns garbled user ID on 17.0.0.3
PI92764 Message CWWKS3005E issued when a Federated repository is configured
PI94094 SAF API doc missing from Javadoc package in Liberty
Sessions PI93474 Remove SessionManager instance when application is stopped
Systems Management Functions PI92781 A Liberty collective controller sometimes logs a NullPointerException
PI92828 Liberty collective intelligent management features may fail to function correctly intermittently
Web Container
PI90804 Security vulnerability in Apache Commons FileUpload used by WebSphere Application Server (CVE-2016-1000031)
PI92334 Application class loader is not set correctly in a thread during an async operation
Web Services (JAX-WS, JAX-RS)
PI92494 Potential denial of Service in WebSphere Application Server Liberty for JAXWS(CVE-2017-12624)
PI92886 Policy attachments not working as expected
Web Services Engine PI92386 High CPU usage on Liberty when using IBM JDK
Web Services Security PI88321 Liberty always honors RelayState during IdP-initiated SAMLWeb SSO
PI93303 CICS_REGION_BUT_API_DISALLOWED surfaces using OAuth-2.0 feature
PI93579 exp' is earlier than the 'iat' in OIDC token
PI96273 Some 404 and 500 errors in OAuth or OpenID Connect might expose configuration information


Open Liberty Release fixes

Issue/PR Description
Add stop command to readme file
Informative error message for collision with reserved resource adapter ids
Challenge when using request.authenticate with BasicAuthenticationMechanismDefinition
LDAP paging failure recovery reuses cookie when switching failover servers
Improve CDI performance by not loading too many classes
Readd ability for hot replace for trace injection for IBM Java 8.0.0.6+
MyFaces-4045 JSF 2.2 flow reentrancy fix
RememberMe cookieName needs to support EL expressions
Corrections to AnnotationTargetsImpl_Targets.isInstanceOf
Fix Java 2 Security problems with Bean Validation 2.0 code
Pull in MyFaces-4177 to JSF 2.3
Fix for resetting autocommit for non transactional datasources
Grant Hibernate validator accessPrivateMembers permission by default
Channel.ssl FFDCs thrown during server shutdown
Description of runIfQueueFull should refer to relation with maxPolicy
Pull in MyFaces-4066 to JSF 2.3
Fix and test issue where a connection error occurs on a free connection
Fix JPA 2.2 Bindings Files
Bean Validation CDI extension fixes
Pull in MyFaces-4176 - Search expression fails to resolve component outside of form
PI91306: UriInfo.getMatchedResources() does not return resource class information
Update EL handling in database and LDAP identity stores
PI87504: JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Release JACC policy context in post invoke
Try to remove an existing SAF map before adding one
Update Bean Validation 2.0 descriptions to mention providers used
Thread context propagation for managed completable future
In beans.xml, element causes ProcessAnnotatedType<> events to not fire
Cannot register a second (synchronized) handler with an already active logging source
ConcurrentModificationException when both Console and Message JSON handlers are configured
If the command port is disabled when issuing a pause or resume request from the server script, issue a message saying so
Fix Java 2 Security errors in LogUtils by ensuring getClassLoader calls are in doPriv
Improve synchronization mechanism between BaseTraceService and MessageLogHandler
Property com.ibm.ws.jaxrs.client.disableCNCheck not honored
Fix NPE that may occur when multiple CDI-injected servlets are specified in the web.xml for a JAXRS application with load-on-startup specified
Fix IOException not closing socket
Fix JSF _ComponentAttributesMap performance issue
Address CVE-2017-1000208 vulnerability in Swagger Parser for MicroProfile OpenApi
Improve performance when JAX-RS applications are updated
Web binding overrides are not properly recognized with autoExpand apps is enabled
Fix exception when parsing faces-config-extension element
Cannot use app-defined for Bean Validation
SQLServer JDBC driver not recognized when defining a dataSource on
Fix for JDBC getClass().getInterfaces() method calls
Fix NPE in EJBAsyncRuntimeImpl.modified when updating asynchronous config
Fix BundleException Cannot connect region 'system.bundle' to itself
ServerEndpointControlMbean returns true when isPaused is called with an empty target
Resource.getRequestPath returns incorrect path in JSF 2.3
JDBC pool manager must avoid caching values obtained from the managed connection factory
Fixed JASPIC error and exception messages
Fix Java 2 Security errors related to JAX-RS getServiceReferences() and getService() methods
Fix context class loader in servlet async dispatch or runnable
Make consoleLogLevel default to an env variable setting first
Fix NPE that could occur during MyFaces validation
AccessControlException from JAX-RS 2.0 when servlet filter is used
No longer WARN on 404 Not Found
Fix writing of single-file-repositories
PushBuilder.push error conditions updated
AccessControlException from the EL API when using JSF 2.3
Java 2 Security issues in batch-1.0 feature
WebSockets for non-secure BASIC_AUTH adhere to session invalidation
Avoid overwriting updates made to the session cache by another thread
Implement HttpServletResponse.getTrailerFields()
PI93226: ConcurrentModificationException during application startup
Fix Java 2 Security issue with package minify
Remove SessionManager instance when app is stopped
Update HttpServletResponse setTrailerFields error conditions
Ensure header names are non empty and accept empty header values
Retrieve all values on multi-valued LDAP properties
Return the correct HttpServletMapping during include, async and when using a named dispatcher
Fix org.apache.myfaces.flow.cdi.FlowScopeBeanHolder incompatible across versions
Handle null/empty contracts in JAX-RS Client.register(...) calls
Fix CWWKS4106E: LTPA CONFIGURATION ERROR IN LIBERTY when using PKCS11Impl provider 
Fix for garbled User Principal when binary data is retrieved from registry
Throw IllegalStateException in SseEventSink.send when SseEventSink is closed 
Fix batch runtime table version determination
Close JAX-RS sink on exception
Fix ConcurrentModificationException during app startup
Product information for replaced products should not be displayed
Issue warning message when it is determined security not present
Fix ConcurrentModificationException during app startup
Fix JSON output of JSON console (remove duplicate basic messages and abide by consoleloglevel)
Fix java.lang.NullPointerException in AccessLogger
Fix NPE that can occur with certain logging configurations

Fix pack 17.0.0.4
Fix release date: 21 December 2017
Last modified: 21 December 2017
Status: Superseded

Download Fix pack 17.0.0.4

Component
Security APAR
APAR
Description
EJB Container
PI89936 Vulnerability in Apache Commons affects EJB Embeddable Container and JPA Client (CVE-2015-7450)
General PI80333 Support CPU constraints in ProductInsights
PI82233 Non-daemon threads are created with remote EJB using the IIOP transport
PI82510 Liberty appserver automatically decompresses the bodies of incoming http-soap messages
PI82557 TCP Channel access lists not documented
PI84016 OpenJPA orm.xml default schema used over 'openjpa.jdbc.Schema' property
PI84349 Liberty Oauth 2.0 may encounter a SQL syntax error for the option "LIMIT" during cleanup
PI84428 ArrayIndexOutOfBoundsException from OpenJPA for query on EmbeddedId
PI85402 EclipseLink does not recognize Java 9 platform
PI86208 Cannot decode IOR due to ClassCastException
PI86321 Liberty OpenID Connect Relying Party does not handle large id_tokens in implicit logins
PI86840 Eclipselink generates sequence IDs incorrectly for @EmbeddedId classes that are shared across multiple entities
PI86914 Correct mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
PI87557 Null pointer exception when TAI returns NULL TAIResult
PI87565 OutOfMemory issues from webcontainer component WebComponentMetaDataImpl
PI88051 Application reload when a JSP file under WEB-INF is updated
PI88485 The groupProperties membershipAttribute does not work when filters exist
PI88618 CWPMI0010W was found in the messages.log
PI88620 Performance degredation when federating SAF registry
PI89003 Help tet for the BatchManager listJobs command is unclear
PI89041 FFDC java.lang.IllegalStateException: Module has been uninstalled. occurs when dynamically configuring Liberty
PI89278 Incorrect value of FreeConnectionCount
PI89446 Product Insights throws NullPointerException
PI89584 Certain early startup and product script messages are not properly translated into non-English languages
PI89672 OutOfMemoryError in ArrayList containing objects of type com.ibm.ws.logging.internal.impl.IntrospectionLevelMember
PI90013 30 second delays for remote EJB when running as a collective member
PI90154 BluemixUtility fails to create/delete instances of Watson Discovery service
PI90282 CWWKB015E IWMEJOIN return code 2,135 during servlet read listener
PI90699 ProductInsights errors after resuming from 'sleep' state
Java Persistence API (JPA) PI80863 Issue with the way OpenJPA caches and reuses query parameters for BETWEEN expressions when OpenJPA's QueryCache property enabled
PI81260 OpenJPA does not pass-through SSL connection properties that set using openjpa.ConnectionProperties when creating Db2 connection
JavaServer MyFaces (JSF) Apache MyFaces implementation PI88288 jsf-2.0 MyFaces error handling cannot be enabled in production project stage
PI88850 High CPU issues from org/apache/myfaces/
PI89168 Protected-view not working in Liberty 16.0.0.4
PI89363 ProtectedViewException for a protectedview access while checking the OriginJeader for appContextpath
PI90507 Instances of action listener in a FaceLet are not being removed until app shutdown
PI90509 Fix for MYFACES-3752
Liberty Application Services PI69483 Removing IBM-App-ForceRestart header causes applications not restarted
Liberty Kernel PI90930 Open Liberty Rollup for 17.0.0.4
Liberty z/OS PI86596 Removal of possibly misleading FFDC z/OS liberty Async Servlet support
PI90060 Messages occurring very early at startup are not printed to the MVS console when requested in the zosLogging configuration
PI90429 When starting a Liberty server as a started task on z/OS from the server script there is no option to specify a job name
Performance Monitoring Tools PI81367 java.lang.ClassNotFoundException dumped in the FFCD log file when PMI monitor feature is enabled
PI87599 ConnectionPoolStats MBean was not available if enabled the trace with com.ibm.websphere.monitor.*=all
Security PI88769 Liberty 17.0.0.2 is throwing ClassCastException when calling ibm_security_logout with Extreme Scale feature enabled
Session Initiation Protocol (SIP) Container PI78794 The SIP Container fails to parse a message when the size exceeds 2048 bytes and double CRLF is sent before the message
PI79119 With number.of.parse.errors.allowed set to -1 WebSphere drops well formed requests
Systems Management Functions PI81552 Application state becomes stale at the Liberty collective controller
PI83274 Incorrect collective member status shown in Admin Center
PI88296 Password protected ssh keys can't be used for remote host authentication
Web Services Security PI84359 OIDC WASReqURLOidcp cookie constantly grow when LTPA token expired
PI89103 OpenSAML used by WebSphere Liberty contains XML external entity (XXE) vulnerability (CVE-2013-6440)
PI89575 LTPA cookie is not created in certain single sign-on scenarios
WebSphere Compute Grid PI88583 In WebSphere Liberty 17.0.0.x Java batch executor fails with CWWKS0800E error

Fix pack 17.0.0.3
Fix release date: 17 October 2017
Last modified: 17 October 2017
Status: Superseded

Download Fix pack 17.0.0.3

Component
Security APAR
APAR
Description
Dynamic Cache PI78148 SRVE0014E from servlet caching
PI78552 DYNA1064E is logged on some dynacache APIs when the underlying cacheprovider does not support disk caching
EJB Container PI87472 EJB remote injection fails with NPE if ORB not yet available
Federated Repositories PI05723 Handle long data type from VMM for extended properties
PI79440 NullPointerException in URBridgeXPathHelper.getExpression()
PI79452 NPE in LdapConfigManager.getSupportedProperties()
PI81497 When one base DN is the subset of another in a federated repository, LDAP failures occur
PM95697 LDAP contexts getting leaked after first connection exception
General PI77400 BBOA1INV Fails with RC = 8 RSN = 44, FFDC invalid group name returned
PI80363 Allow configurable maxFieldLength in the logstashCollector
PI80397 Remote EJB call with the same object in multiple arguments fails
PI80932 WSCredTokenCallbackImpl class is not visible to applications
PI81056 Liberty server needs to retry starting the TCP channel after error CWWKO0224E due to hostname resolution error
PI81124 Closing websocket session will throw NullPointerException
PI82101 Task retry not immediate after XAResource rollback
PI82109 Provide support for CICS 5.4 in WebSphere Optimized local Adapters
PI82218 JAX-RSResponses contain unnecessary Cxf-Content-Language header
PI82296 AsyncContext.comple() fails when called from a readListener
PI82327 java.lang.RuntimePermission error when destroying an upgradeHandler
PI82364 For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
PI82556 AppSecurity-2.0 does not include trustAssociation in Liberty
PI82672 productInsights does not register embedded WebSphere
PI82684 During server shutdown, if ProductInsights is trying to complete its first registration it may not cancel all of its tasks
PI82994 filenotificationmbean may not notify the listener
PI83111 Monitor function of AdminCenter does not display the correct value of "used connections"
PI83159 JAX-RS resource methods report as not found when using scientific notation as path parameters
PI83439 ClassCastException thrown when using remote EJBs in servlet with parent-last classloading
PI83516 Using reference-listener along with service factory causes TransactionManager errors
PI83682 ProductInsights not reporting used JVM memory correctly
PI83713 Path template variables in JAXRS 2.0 do not support scientific notation
PI83901 The context ClassLoader is not getting set properly when loading CDI extensions at app startup
PI84036 JAX-RS Client must access endpoints via authenticating proxy
PI84083 Usage data is not queued if connection to Bluemix Product Insights host fails
PI84327 WebSphere Application Server Product Insights does not send in group name translations
PI84487 Certificate login does not work with custom user registry on Liberty
PI84842 The application's classloader is leaked when restarting the app
PI85373 Open Liberty Rollup for 17.0.0.3
PI85490 Deadlock caused by WsLogManager and SIB trace code
PI85492 Commit of HTTP response in render_response(6)
PI85683 Register Windows service and start/stop service for Liberty fails if it is installed in directories names with a space
PI85783 Accumulation of org.apache.cxf.transport.http.osgi.HTTPTransportActivator objects
PI85910 OIDC does not recognize x5c tag in JWK
PI86198 Inconsistent aliasing between --jobParameterFile and --jobPropertiesFile in the batchManager and batchManagerZos CLI
PI86443 Use of the JAX-RS multipart media type results in a java.lang.ClassNotFoundException: javax.ws.rs.core.MediaType
PI87119 NullPointerException caused by external port component configuration
PI87467 CDI injection into JAX-RS classes is broken when using multiple apps and one app is not CDI-enabled
PI87504 JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Install V8 and above PI88170 Block installUtility/featureManager install userFeature '--to=core'
Java 2 Connectivity (J2C) PI82859 Incorrect value of connectionPoolstats
PI86100 Intermittent sharing scope for data sources being created at the same time on two different threads
PI87470 Unable to install resource adapter using loose configuration file
Java Message Service (JMS) PI81329 NCSA access logs %B option output displays "-" instead of the size of the response in bytes
PI81864 ConcurrentLinkedList tailsequencenumberlock garbage collected
Java Persistence API (JPA) PI77555 Eclipselink scrollable cursor results in a ClassCastException
PI80863 OpenJPA caches and reuses the query parameters for BETWEEN expressions when OpenJPA's query cache is enabled
PI81260 OpenJPA does not honor SSL connection properties for DB2
Java SDK PI85250 Hung thread issue in myfaces _getMetadataTarget
PI86494 Messages returned from JSF APIS are in the incorrect order
JavaServer MyFaces (JSF) Apache MyFaces implementation PI82893 JAVAX.FACES.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL value affects display behaviour for required fields
PI87299 Information disclosure in Apache MyFaces affects WebSphere Application Server (CVE-2011-4343)
PI87300 Information Disclosure in WebSphere Application Server in JSF (CVE-2017-1583)
JavaServer Pages (JSP) PI82529 HTTP transport encoding CP943C will be used for JSTL params
PI83486 StackOverflowError generated due to the JSP TabLibraryCache recurses into loadWebInfMap with the value "/WEB-INF"
Liberty Application Services PI87139 Configuration updates blocked by application restart
PI87468 Schema lists invalid attributes for resource adapters and EJB applications
Liberty Debug and Tracing PI83872 NullPointerException in MultipleCriteriaFilter when retrieving logs from Liberty binary log
Liberty Kernel PI87138 Synchronization in ConcurrentServiceReferenceElement creates a performance bottleneck
PI87471 Potential NullPointerException ServerXMLConfiguration.parseDirectoryFiles
PI87480 AccessControlExceptions in Liberty kernel code
Liberty System Management PI85828 Correcting algorithm for collective deployment using a local file
Liberty z/OS PI78510 .pid directory created with wrong permission settings
PI78787 WOLA ACEE copied from CICS invalid for TSS
PI79017 z/OS connect cannot read request that came in with transfer-encoding=chunked
PI79034 For products that embed Liberty, some bootstrap.properties do not take effect at server startup
PI82088 Prevent Error loop when TDQ is unavailable for write
PI83503 WebSphere Liberty servers with zOS connect failing to start with abend 0c4 in wolanativeutils.ntv_activatewolaregistration
PI85520 Message CWWKO0229I is not issued when asynchronous I/O is configured
Messaging Providers PI83027 Default threadpoolstats data cannot be retrieved due to InstanceNotFoundException
Performance Monitoring Tools PI80861 The Japanese translated message for TRAS0115W is incorrect
Security PI73345 Distributed identity mapping not working in Liberty z/OS
PI84335 PasswordUtil API classes are not packaged in a separate PasswordUtil.jar file
PI84597 Liberty z/OS trace includes unnecessary information
Servlet Engine/Web Container PI81052 JSF portlets may not be able to obtain a session ID
PI88642 Information disclosure in WebSphere Application Server (CVE-2017-1681)
Virtual Member Manager (VMM) PI79223 In Liberty VMM user registry cannot get groups for user from LDAP
PI81923 LDAPRegistry contextPool defaults do not match documentation
PI81954 LDAPRegistry attributesCache and searchResultsCache default timeout set too low
PI85208 LDAP registry cache is not used in some cases to retrieve cached attributes
PI85213 Federated repository may not use UniqueGroupIdMapping outputProperty when calling userRegistry.getUniqueGroupID
PI85214 Federated repository passes internal properties to customRepository implementations
PI86719 The LDAPRegistry contextPool timeout setting does not timeout after the configured time
PI87461 Federated Repositories is returning principal name instead of unique name for getUserSecurityName
PI87466 ArrayIndexOutOfBoundsException is thrown when groupMemberIdMap inside ldapRegistry is empty
Web Container PI83141 WebContainer performance issue when under high load
Web Services (JAX-WS, JAX-RS) PI64462 NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocalProviders.getContextResolver()
PI86914 Correct Mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
Web Services Security PI62735 The groupId(s) get lost in id_token and introspection
PI68809 WebSphere Application Server XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
PI78760 OIDC IDToken updates to the "sub" field do not take effect
PI80166 OIDC provider does not recognize custom realmname from token
PI80689 Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
PI80741 OpenID Connect (OIDC) cookie not fully removed
PI80963 Refresh tokens are issued unconditionally even for clients that do not require them
PI94351 Secure flag is not set on the Liberty WASOidcCode cookie
WebSphere Compute Grid PI72923 CDI injection of Java batch jobcontext fails with npe in the absence of an active job on the current thread
PI81200 StepListner.afterStep can't catch an exception thrown by ItemProcessor.processItem
PI84639 batchManagerZos not available after minified server is extracted
PI86175 Prevent job start and restart of the same job from occurring simultaneously
PI86193 Support message delay/priority for Liberty Java Batch

Fix pack 17.0.0.2
Fix release date: 13 June 2017
Last modified: 13 June 2017
Status: Superseded

Download Fix pack 17.0.0.2

Component
Security APAR
APAR
Description
Channel Framework PI85709 Add watchdog timer to write waits on closing
Contexts and Dependency Injection (CDI) PI72811 Allow excluded alternatives
PI77286 Vetoed EJBs throw NullPointerException
PI77514 CDI observer for @initialized(applicationscoped.class) is not called inside jar
PI79787 Prevent WebSphere internal packages from being exposed to applications
PI80901 Version numbers in symbolic names are too fine grained and can cause failover to fail between different versions of Liberty.
PI82020 WeldTerminalListener is not registered
Database Access, Connection Management, Merant/DataDirect drivers PI80335 DSRA8020E Error is thrown when using IBM i Toolbox JDBC driver with WebSphere Liberty
EJB Container PI77856 EJB 3.x Stub class throws RemoteException for communication failure
PI79261 Deadlock with persistent EJB timers for Singleton beans
General PI71956 CWWKE0108I is written to stdout
PI74918 The umask values is not shown in the server logs
PI75258 The CICS Link server abends when unable to write to a TS Queue
PI75280 Attributes missing from the element httpOptions and throws warning message
PI75512 Cleanup up websocket connection when outbound connection attempt fails at the app server
PI75590 Corrections are needed to the documentation in the Knowledge Center
PI77605 JAXRS Client APIs do not use configured SSL settings
PI77615 JAXRS application start fails with ClassNotFoundException when JSPs are specified in web.xml
PI77976 ConstraintViolationException when using @Valid annotation
PI78177 When a websocket connection is closed while reading data an object leak might occur
PI78260 Liberty jaxb-2.2 feature does not expose some xlxp2 packages
PI78738 Loop while closing an SSL connection
PI79260 ProductInsights reports incorrect product version and host name
PI79275 JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.
PI79391 ContainerRequestContext.hasEntity() returns true for a GET request.
PI79987 Endpoint MBean information doesn't update when server.xml <httpEndpoint> is modified
PI80082 JAX-RS 2.0 OPTIONS methods are not invoked when used in sub-resource locator classes
PI80256 AccessControlException thrown when finding resources if Java 2 security is enabled
PI80285 For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
PI80314 Support for product insights in embedded server
PI80315 The productInsights-1.0 does not support BASE ILAN edition
PI80514 A jndiEntry config element with a value of "0" is parsed as a java.lang.String but should be a java.lang.Integer
PI80631 Access Log file and ELK time stamps are not the same
PI80632 Messages with digits in prefix of message ID have a blank messageId field in logstashCollector
PI80719 Websocket race condition on writing data while closing can hang a thread
PI81082 java.lang.ClassFormatError: JVMCFRE074 no Code attribute specified; is thrown
PI81086 NullPointerException thrown when using a JAX-RS provider class without a public constructor
PI81396 Unable to register a liberty server with product insights though an authentication required proxy
Intelligent Management Component PI80237 Null return codes for health actions cause NullPointerException
Java 2 Connectivity (J2C) PI78463 After configuring a connection factory for CICS RAR, the server issues J2CA8501E
PI80357 JMS connection factories defined through annotations can fail to allocate connections
PI81549 When using SQLJ context caching, auto commit and/or transaction isolation level become inconsistent
PI81717 The WaitTime provided by the ConnectionPoolStats MBean is in nanoseconds when it should be (and is documented) in milliseconds
PI81840 Bean Validation 1.1 @DecimalMin and @DecimalMax constraints inclusive property not working
Java Persistence API (JPA) PI76834 Unable to use DB2 XML data type with EclipseLink JPA; Null pointer produced
PI76902 NoSuchMethodException when a program is using CONCAT function
PI78643 Eclipselink JPA/Auditing capablity in EE Environment fails with JNDI name parameter type
PI79397 org.omg.CORBA.BAD_OPERATION when running a select SQL statement
PI81076 ServerSession numberOfNonPooledConnectionsUsed can become invalid when Exception is thrown connecting
JavaServer MyFaces (JSF) Apache MyFaces implementation PI79562 Leading '/' in JSF context param-value throws StringIndexOutOfBoundsException
PI80535 ClassNotFoundException due to classes not being exported to the thread context
JavaServer Pages (JSP) PI79800 The JSP Engine is not processing EL expressions correctly when they are in large blocks of character data
PI80319 Failure to parse tag library when the taglib is defined in the application
Liberty Application Services PI66702 Multi-address corbaname URLs do not fail over to the second address when the first address server is down
PI81297 Application fails to initialize at startup with error CWWKZ0021E
Liberty Debug and Tracing PI80225 JUL Traces do not show up in logstash collector / bluemix log collector when binary logging is enabled
PI80844 Failure if running binaryLog view serverName from wlp/usr/servers directory
Liberty Kernel PI78072 A server start may receive a java.util.MissingResourceException if started with a disabled command port
PI78444 The server schema incorrectly includes some internal configuration attributes
PI79123 ConfigUtility command line tool loosing equals sign on parameters ending with equals sign
PI79878 Server create command (using Java 8) overwrites server.env file
PI80744 SPI class, PathUtils is not normalizing leading double slashes
Liberty Log Analytics and Monitoring PI80363 Allow configurable maxFieldLength in the logstashCollector
Liberty z/OS PI77988 Update needed in module BBGZAFSM
PI78510 .pid directory created with wrong permission settings
PI78787 WOLA ACEE copied from CICS invalid for TSS
PI78970 When the z/OS connect EE server is stopped and restarted, CICS issues an abend at the time of the WOLA rebind
PI80072 Message CWWKB0392W is issued when the OTMA client name is specified in the zosLocalAdapters connection factory properties
PI80252 The size of the Java heap grows over time when using the MSGLOG DD
PI80650 Memory leak in SP132 KEY8 causes OUTOFMEMORY in Liberty
PI80988 WebSphere OLA(WOLA) service request issues return code=8, reason code=96 when called from an IMS CCTL region
PI82088 Prevent error loop when TDQ is unavailable for write
Performance Monitoring Tools PI79203 The monitor-1.0 feature may not be able to monitor user runtime components
PI80861 The Japanese translated message for TRAS0115W is incorrect
Security PI72472 WSCredTokenCallbackImpl returns null even when token exists
PI75111 Admin center doesn't work with AccessControlException after enabling Java2 security
PI77129 MYFACES-3415 - [UI:REPEAT] Field value disappears if validation error exists on current site
PI77770 Potential cross-site request forgery with WebSphere Application Server enabled with OAuth (CVE-2017-1194)
PI78245 An authData element without an ID causes a NullPointerException in the logs
PI78445 CWWKS9580E message might be logged after modifying the CSIv2 configuration
PI78730 Intermittent CWWKS9520E message issued when CSIv2 is enabled
PI79444 AccessControlException when using the servlet log method
PI95544 NPE thrown in method authorizeEJB()
Sessions and Session Management PI73188 Session activeCount shows a negative value
PI81007 Incorrect messages were thrown at System output console when using JMX connector
Systems Management Functions PI66988 Running collective command in z/OS results in FSUM7332 syntax error
PI78497 When trace is enabled extra information is being included in the controller's trace file
PI80320 apiDiscovery urls may not update properly on Liberty Admin Center
Virtual Member Manager (VMM) PI78192 UserRegistry methods that throw RuntimeExceptions can cause federated repository failures
PI79888 An sslRef on an LDAPRegistry without matching ssl config causes security init failure
PI80547 Federated Repository's participatingBaseEntry element does not allow name attribute to be empty string
PI81519 In WebSphere Liberty, the context pool timeout value is not honored on the LDAP Registry
PI81555 The ldapRegistry feature does not properly process LDAP entities with RDN values that contain characters that need escaping
PM76997 VMM certificate authentication fails when DN contains non-default X509Certificate attributes
Web Container PI75166 TAI can't obtain the SSL endpoint information using direct connection
PI76699 Provide an option to override the default values for the ESI properties in the plugin-cfg.xml
PI76891 Exception from com.ibm.ws.webcontainer.osgi.mbeans.PluginGenerator during server stop
PI77629 NullPointerException if login is required to access a servlet which uses a ReadListener.
PI78193 Returned default html error page has extra closing tags
PI78633 Access control exception due to read permission of a property from Cookie class
PI79334 Unexpected error when an application is initializing during server stop
PI80313 Enable Post Data to be read multiple times.
PI80668 ServletException when creating a servlet, filter or listener from a ServletContextListener with Java2Security enabled
PI81688 Plugin config file generation fails after a configuration update is made to a Liberty server when it is running
Web Services (JAX-WS, JAX-RS) PI77438 JAXB context creation is very slow in Liberty during Web service load test
Web Services Security PI76629 Add authentication option to JWK endpoint invocation
PI78760 OIDC IDToken updates to the "sub" field do not take effect
PI80166 OIDC provider does not recognize custom realmname from token
PI80689 Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
PI80741 OpenID Connect (OIDC) cookie not fully removed
PI81403 An error may occur if the string representation of a subject includes an ID token that contains a claim with a non-string list
WebSphere Compute Grid PI78436 Using batch injection in joblistener results in NullPointerException
PI79686 Slow response when using batchpersistence in Liberty
PI80634 When trying to stop an already completed job the error message doesn't return with the correct jobInstanceId
PI80635 CDI implementation does not support batch artifact loading via batch.xml

Fix pack 17.0.0.1
Fix release date: 14 March 2017
Last modified: 14 March 2017
Status: Superseded

Download Fix pack 17.0.0.1

Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI35470 Message bean instances injected with the CDI @New annotations are not @PostConstruct'ed
PI55406 IllegalAccessException is emitted from InvocationContextImpl
PI62583 IllegalArgumentException in CreationalContextImpl only when trace is enabled
PI73139 CDI would not inject classes from a war file into an ear lib in single classloader mode
PI75915 CDI failover does not work if bundles have different OSGI qualifiers
Database Access, Connection Management, Merant/DataDirect drivers PI73351 DSRA0080E refers to original exception message {0} instead of actual message
PI76168 After global transaction ends, the reported auto commit value can be inconsistent with the Oracle JDBC driver
General PI68233 SSLSessionTimeout is not recognized as a valid attribute for sslOptions element
PI71616 configUtility find or install throws a NoClassDefFoundError when using local repository
PI73277 EclipseLink 2.6.3 doesn't support JPA-convertor for primitive data types
PI74721 Errant timeout can occur with async sends in WebSockets
PI75015 Memory leak in JAX-RS client.
PI75022 Failure to parse a java.util.Date object when creating a new javax.ws.rs.ServiceUnavailableException.
PI76688 Private lifecycle methods in JAX-RS resources are not invoked
Java 2 Connectivity (J2C) PI60146 Connection sharing cannot be controlled in Liberty when using direct lookup
PI71092 java.lang.UnsupportedOperationException when accessing a tested data source
PI73350 Connection manager settings not honored
PI74533 Setting an agedTimeout value of 0 on a connection manager results in J2CA8011E
PI75426 Connection manager configuration intermittently ignored for application defined data source
Java Persistence API (JPA) PI74104 EclipseLink might add unused table in generated query
PI74284 The JPA Container calls EntityManager.clear() instead of EntityManager.close() on cleanup
JavaServer Pages (JSP) PI72709 Asynchronous dispatch to a JSP file under the WEB-INF directory fails.
PI73022 JSP comments containing "%>" might throw a StringIndexOutOfBoundsException.
Liberty Application Services PI74321 After upgrade to 16.0.0.4. NamingException and ClassCastException occur on JNDI lookup on IBM i
PI75284 Intermittent NullPointerException from ApplicationStateMachineImpl when trace enabled or logging information in response to a failure
PI75389 OSGi Applications can take significantly longer to startup after upgrading Liberty
PI76368 A class that is both Remote and Serializable is mis-categorized during marshalling
Liberty Debug and Tracing PI62350 Some server startup and early messages are not collected by logstachCollector-1.0 feature.
PI74051 Transaction trace lacks PropertyPermission to read system property "com.ibm.tx.tracer"
PI74318 Incorrect message IDs appearing on dashboard when using the Bluemix log collector
PI76200 Stack trace is not included in the message field of liberty_message type
PI76620 Filter tags in logstashCollector & bluemixLogCollector to avoid tags with special characters displaying oddly on dashboard
PI76621 New message IDs need to be assigned to a few existing TRAS messages.
Liberty Kernel PI72686 Removing and adding a feature can result in a warning message about duplicate metatype definitions
PI73807 Some Liberty message IDs conflict with traditional WebSphere Application Server
PI74527 Error CWWKZ0404E can occur when starting an application on Liberty
PI74586 Liberty server will not start if jvm.options file contains spaces, after upgrade to 16.0.0.4
PI74792 java.lang.NullPointerException when starting an .ear application with autoExpand="true" in server.xml
PI76013 Resolution error for optional server config include should not create an exception
PI76432 Exception could be thrown and logged during a server shutdown if listeners timeout during quiesce
PI76607 Features that can't be loaded because of Java version dependencies may still be reported as being loaded
PI76755 Liberty metatype registry problem - metatype extension duration changed from LONG to STRING in 16.0.0.4
Liberty z/OS PI50828 WLM support is ignored when running z/OS Connect in async mode
PI66375 SPI for MVS MODIFY command support is documented to be externally available, but in fact is not available
PI72065 Loop in Liberty z/OS server when AsyncIO is enabled
PI72566 ABEND0C4 at BBGZSCFM+377E occurs during client bind
PI72776 When WLP_ZOS_PROCEDURE is set the foreground JVM uses the full set of JVM options
PI73559 WOLA service BBOA1URG fails with RC=12 RSN=240.
PI73752 Suppress FFDC for com.ibm.io.async.AsyncSocketChannel 453
PI74564 WebSocket-1.1 feature does not work in Liberty imbedded in CICS TS 5.3
PI74875 Liberty Server hang in termination after a hard failure on z/OS
PI74878 WOLA feature not started for 16.0.0.4 server using a version 4 Angel
PI76238 Message CWWKB0392W contains no message text in messages.log.
Performance Monitoring Tools PI75368 Slow memory leak might lead to OutOfMemory in Liberty
PI76212 Monitor capability breaks when different thread pool name is speicified other than "Dafault Executor".
Security PI72135 An AccessControlException is issued when restoring the security context using the ContextService APIs
PI72653 Web filters need to receive the AuthModule wrapped request or response when using JASPIC
PI73266 AccessControlException issued even when permission was granted in the permissions.xml file
PI76359 Process default SSL Setting not getting reset on a file update
PI76408 The method signature for java.security.SecureRandom.nextBytes() is no longer synchronized.
Session Initiation Protocol (SIP) Container PI76614 SIP Router is initialized more than once.
PI76615 Order of OSGI bundle could cause a class not found exception.
Systems Management Functions PI74526 A collective name sporadically changes between its given name and the default name
PI75433 Liberty collective member status becomes stale at the controller.
Web Container PI71999 XML transformer factory changed during server start
PI72223 The pluginUtility displays an untranslated message when using the merge action to merge plugin-cfg.xml files in a directory.
PI72514 Application start fails to add context root in Virtual Host map
PI72710 Response committed on return from Forward even when async is started.
PI74499 Server quiesce not cleaned properly when write during close of upgraded connection goes asynchronous.
PI75475 The WebContainer 'enableMultiReadOfPostData' config property was visible but not implemented.
PI75528 The maxRequestSize optional attribute for MultipartConfig is ignored.
PI76195 When the plugin configuration is generated it may not have one of the ports
PI76271 CORS does not handle requests with PATCH methods correctly
PI76351 ServletRequest.getRequestURI() returns inconsistent results after AsyncContext.start().
PI76364 isFinished() could incorrectly return false in some scenarios
Web Services (JAX-WS, JAX-RS) PI70234 Custom HTTP header blocks SOAPAction header
PI76616 HTTP servlet requests could be matched to incorrect cross-origin resource sharing (CORS) configuration
Web Services Security PI72558 OIDC client cookie is not removed after it is used
WebSphere Compute Grid PI73040 Batch job log REST URLs are incorrect for a failed job execution
PI73249 The ddlGen script may produce an empty file when run against a server with the Java Batch feature configured
PI74813 When using the batchManagerZos 'status' and 'listJobs' commands, the usage of --instanceId and --jobInstanceId aren't universal.
PI74924 Job with Java batch COMPLETED status moves to STOPPING status after shutdown in executor.
PI76622 Provide V2 and V3 versions of existing Batch REST APIs
PI76632 Job executions REST API syntax is misleading
PI76701 Java Batch purge command fails after a job execution did not initialize correctly
PI76702 Java Batch jobs store JES job name and JES job ID with trailing spaces
WMQ messaging providers PI61885 postCallWithException throws java.lang.IllegalStateException
PI71691 BundleException happens when adding a feature to a running server causing a bundle to be reinstalled
PI72136 Server startup fails with CWRLS0009E error due to failure in the transaction manager's recovery log service
z/OS PI61450 Apache Wink does not remove quotes from the boundary value Content-type: multipart/mixed; boundary="simple boundary"

Fix release date: 13 December 2016
Last modified: 13 December 2016
Status: Superseded

Download Fix pack 16.0.0.4

Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI69193 ContextNotActiveException in SessionScoped bean preDestroy()
PI70614 Clean up all resources on an application startup failure on cdi-1.0 feature
PI71104 @Inject Principal does not work in mutli-threaded environment.
PI71667 Application fails with WELD-001408: Unsatisfied dependencies for type Validator with qualifiers @Default
PI71734 Failover does not work with CDI 1.2
Database Access, Connection Management, Merant/DataDirect drivers PI68418 Purge policy ValidateAllConnections does not properly validate connections
PI71587 Data source is not autodetecting MariaDB.
DynaCache PI68741 HTTP status code 200 is returned to a client when the servlet or JSP throws an exception
PI71752 Plugging in an external cache provider does not work with the distributedMap-1.0 feature.
EJB Container PI66621 ReferenceContextImpl caching empty list of targets for JSP classes
PI67942 javax.servlet.HttpServletRequest.getRequestURI() might return a decoded value after dispatching
PI69642 NullPointerException deleting stateful EJB
General PI42673 Extra information in logs with Datasource custom properties
PI67034 Access was denied for property org.apache.jasper.constants.jsp_servlet_base.
PI67099 Provide option to add STS response header for HTTPs request
PI68432 When user applications are using Websocket Decoders a slow memory leak can occur.
PI69737 Errors are not logged when tasks submitted to managed executors fail
PI70332 System property to enable SSL Channel timeoutValueInSSLClosingHandshake property
PI71359 FFDC is produced for a NullPointerException in com.ibm.ws.tcpchannel.internal.SocketRWChannelSelector.updateSelector
Install V8 and above PI68915 Default server.xml is incorrect
PI69133 Disk space validator returns NullPointerException.
Java 2 Connectivity (J2C) PI68163 MQJCA1011: Failed to allocate a JMS connection
PI68257 Connection manager might remain active after transaction manager has been disabled.
PI69122 J2C pretest being used despite FailingConnectionOnly option
PI69887 FFDC logged for resource adapter config property with getter that is named with "is" rather than "get"
PI69957 Destination ID erroneously used for JCA 1.7 destinationLookup instead of JNDI name.
PI70224 The value of ConnectionHandleCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
PI71193 Illegal State Exception when transaction timeout occurs and abort is used
Java Persistence API (JPA) PI65593 The database schema name cannot be configured with openjpa.jdbc.SchemaFactory
PI66770 JPA returns incorrect results when using a native query and @SqlResultSetMapping
PI67234 ServerPlatformException Server platform class is not valid: null occurs with JPA 2.1
PI67790 java.lang.ClassCastException using JPA
PI68028 EclipseLink throws ValidationException when using nested embeddables with the same attribute name
PI68805 Potential leak of org.apache.bval.cdi.BValExtension$Releasable objects when using JAX-RS, CDI 1.2, and Bean Validation 1.1.
PI70680 Deployment of persistence unit fails with DescriptorException
PI70841 OpenJPA's ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException
PI75607 javax.persistence.PessimisticLockException when javax.persistence.lock.timeout set to 0
PI75608 Add EclipseLink support for Java 2 Security
JavaServer MyFaces (JSF) Apache MyFaces implementation PI67525 inputFile tag is not working properly on Liberty
PI70441 FlowBuilderFactoryBean Concurrency Issue
JavaServer Pages (JSP) PI67257 An escaped EL expression is being run if an escaped dollar sign precedes the former expression
PI69028 Null CodeSource location for classes loaded by JSPExtensionClassLoader
PI69942 JSP property useJDKCompiler does not work in Liberty
PI71436 A debugger does not stop at a breakpoint in a JavaSever Page (JSP).
Liberty Application Services PI70600 Auto extracted web app files have incorrect timestamp.
PI70848 When application autoExpand is enabled changes to an ear file are not detected by the Liberty server
PI70870 ConcurrentModificationException in AppClassLoader when using the global library
PI71116 When certain features are enabled the application property autoStart has no effect
Liberty Kernel PI68170 Users of Liberty's OSGI EventAdmin service cannot change the topics of interest for a registered EventHandler
PI70104 Starting a Web Application Bundle (WAB) can result in a deadlock sometimes when the WAB is installed and started dynamically
PI70637 RuntimeException: Invalid call to WsByteBuffer occurs during shutdown
PI71457 NullPointerException after a failure to bind an IIOP transport port
PI71607 Schema for resource adapters contains an unused attribute.
Liberty System Management PI69561 REST API Discovery missing APIs in web applications with multiple JAX-RS application classes
Liberty z/OS PI67718 z/OS Connect is unresponsive to the STOP command from the z/OS Console
PI69625 Liberty server at 16.0.0.3 may fail to start when using AsyncIO
PI69886 When using the zosLocalAdapters-1.0 feature to talk to CICS, the CICS container LinkTaskRspContID already exists.
PI70090 WebSphere Liberty "server" and native launcher handle a # in the middle of a JVM property inconsistently
PI70896 Liberty Server hang in termination after a hard failure on z/OS
PI71417 Startup time for Liberty for z/OS is unnecessarily slow.
Messaging Providers PI62816 Allow more than one address to be specified in the remoteServerAddress field
PI70961 Corrections to messages in JMS Messaging
Performance Monitoring Tools PI70900 Events get lost when the logstashCollector config gets updated
Security PI62070 Full chain created in PKCS12 but not for JKS key store
PI62375 Potential code execution vulnerablity in WebSphere Application Server (CVE-2016-5983)
PI69141 Make sure HTTPS URL connection default is set at the same time SSLContext is set.
PI69161 Constrained delegation works only when Liberty trace is enabled
PI69277 Java 2 Security permissions are not granted to a shared library when using the file element instead of a fileset
PI69629 CWWKX8136W: Cannot validate the server identity
PI69840 A NoClassDefFoundError or NoSuchMethodError may be thrown when accessing Swagger annotations.
PI69870 IllegalAccessException on EL expression that processes isLast() of object referencing varStatus in JSTL for-each tag
PI71525 NullPointerException when registering a Custom User Registry that returns a null realm name
PI71585 NullPointerException when null password is passed into WSCallBackHandlerFactory
PI71751 Provide better message when bad SSL configuration is used by CSIv2.
PI71789 .InvalidNameException: Validation of the Collective DN failed. 0th element type was not dc
Systems Management Functions PI69286 Non-ASCII names used in remote operations from a collective controller may become corrupted.
PI69741 Remove extra information from trace file
PI71792 New files added to a controller's configDropins/defaults directory are not replicated to other controllers in the collective.
Virtual Member Manager (VMM) PI71825 CWWKS3006E error message seen during server shutdown.
Web Container PI64898 AsyncListener onError not being called correctly
PI65762 DestroyJavaVM() method call hangs and JVM fails to shut down when asynch servlet work has been performed
PI67393 Polish the ReadListener
PI68061 Option to display customized text for some server errors
PI69220 A plugin-cfg.xml is generated with missing applications and future auto-generation fails.
PI69803 A java.lang.NoClassDefFoundError error can occur when using the pluginUtility merge action.
PI70063 A decrease in throughput can occur when many concurrent requests for JSP pages that make use of tag libraries.
PI70184 WebSocket not working if application flushes without obtaining any outputStream or writer
PI70873 java.lang.NullPointerException might occur during a request's cleanup.
PI71851 Missing apostrophes in French and Italian pluginUtility text
Web Services (JAX-WS, JAX-RS) PI70196 PI70196: ibm rest servlet can't be mapped to two different urls:
PI70313 Swagger API Explorer ignores protocol schemes for operations
PI71238 IllegalArgumentException when getHours() is called
PI71887 JAX-RS Client fails when running in OSGi bundles
Web Services Security PI68101 JSON bits are missing from a URL when SAML authentication redirects a request
PI68809 WSAS XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
PI69415 Support configurable context root for OIDC client redirect url
WebSphere Compute Grid PI70886 Java Batch REST: STOP request may not return JobNotRunningException even when the job batch status returns as COMPLETED.
PI70887 An exception in the batch executor may cause a message to roll-back onto queue (and get re-delivered) instead of consumed.
PI71718 Attempting to purge multiple job instances fails when their executions are not on the same endpoint
PI71719 Batch REST request for job instance job log links fails with remote executions
WMQ messaging providers PI68664 Record-level sharing (rls) is miscalculating the amount of data to be written to partner logs
PI69183 APAR PI18414 may result in the recovery log service using incorrect sequence numbers.
PI69314 ELException, Can not find @Transactional annotation
PI69328 CWWKZ0403E error message occurs due to error Unable to acquire the global write lock in time.

Fix release date: 16 September 2016
Last modified: 16 September 2016
Status: Superseded

Download Fix pack 16.0.0.3

Component
 Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI38270 NullPointerException in InvocationContextImpl.configureTarget when destroying an already destroyed bean
PI42311 EJB interceptors not called intermittently
PI48614 NullPointerExceptions from CDI code
PI51620 NullPointerException when doing injection with com.ibm.ws.cdi.immediate.ejb.start set to true
PI58669 CDI javax.decorator.decorator annotation not working as expected
PI61397 Ensure application scoped context is initalized properly and active during bean preDestroy
PI64374 Race condition with session scoped contexts
PI64812 Application ClassLoader leaked during application restart from CDI's RuntimeFactory
PI65337 Use of CDI interceptors in stateless EJBs causes exceptions to be wrapped in WeldException
PI66866 Memory leak occurs when an application is restarted
PI67388 Move up Weld level to 2.3.4.Final from 2.2.16.Final.
Database Access, Connection Management, Merant/DataDirect drivers PI66423 OraclePreparedStatement.getReturnResultSet and OracleCallableStatement.getCursor fail after unwrapping statement
EJB Container PI60567 New system property to configure the EJB pool wait timeout
PI62639 NullPointerException in CDIEJBManagedObjectFactoryImpl.getEjbDescriptor when creating EJB instance to pre-load the bean pool
PI63571 AccessControlException: "accessDeclaredMembers" from com.ibm.wsspi.injectionengine.MethodMap.getMethods.
PI63709 Application exception thrown from EJB constructor lost when @AroundConstruct interceptors present
PI63821 Resource reference names starting with java:comp/env are ignored in ibm-ejb-jar-bnd.xml
PI65205 FFDC for TransactionRolledbackException when using UserTransaction in stateful bean ejbRemove method
PI66565 com.ibm.wsspi.resource.ResourceInfo not provided to ResourceFactory for <resource-env-ref> XML elements
PI67070 Customer can get EJBExceptions related to non-persistent EJB Timers during server shutdown
General PI60893 Deadlock caused by SIP Subscribe
PI61548 Potential Denial of Service in WebSphere Application Server if using SIP services (CVE-2016-2960)
PI63871 NullPointerException in MemoryPersistenceManager
PI64472 Automatically determine whether a submit or restart should be issued from the batchManager and batchManagerZos utilities.
PI65456 Issuing "job.ended" CWWKY0010I message instead of "job.failed" CWWKY0011W message, upon job failure.
Install V8 and above PI65506 Display proper asset list when embedded asset repo is missing during IM modify_add flow
Intelligent Management Component PI59258 Dynamic Routing fails to recognize the application until Collective Controllers are restarted
PI63212 Reload of web server with Intelligent Management causes CWWKV0008W messages on a Liberty collective controller
PI66993 Health condition is not set to the Liberty server in the Docker container.
PI67392 DynamicRouting does not have route information for Liberty Docker on initial deployment
Java 2 Connectivity (J2C) PI63520 Parked connection created by PoolManager results in setting a pre-existing client ID to a MQ connection
PI66424 J2CA7002E is logged when server is stopped while in the process of installing a resource adapter.
PI67186 The value of FreeConnectionCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
Java Persistence API (JPA) PI58114 ClassCastException when an equals comparison query is run on an entity with a composite @EmbeddedId
PI64129 CDI applications that inject Validator or ValidatorFactory beans cannot be failed over in a cluster
PI67305 EclipseLink assigns the same object instance to multiple embedded fields
JavaServer Faces (JSF) SunRI implementation PI64899 When using the jsf-2.2 and beanValidation-1.1 features an OSGI warning message can be seen.
JavaServer MyFaces (JSF) Apache MyFaces implementation PI63135 Custom type conversion is sometimes bypassed in EL 3.0
PI63633 Thread-safety issue in the underlying (Apache) JSF 2.0 code causes WebContainer threads to hang
PI64195 @PreDestroy methods are not invoked on session invalidation for JavaServer Faces (JSF) javax.faces.bean.ViewScoped beans.
PI64714 JSF message severities always set to ERROR after ValidatorException
PI64718 Validators are not called when using selectManyCheckbox
JavaServer Pages (JSP) PI64004 The scratchdir JSP attribute is not documented on Liberty
PI65333 A JSP error "unresolved compilation problem" is thrown during runtime
Liberty Application Services PI62861 Server stop runs before the ServletContextListener implementation completes
PI63542 ArrayIndexOutOfBoundsException may occur when doing a JNDI-lookup to a remote EJB that is located in another cell
PI64494 Timing window in generation of Type Code objects from class TypeDescriptors, causes performance problems during JNDI lookup
PI64806 java.lang.StackOverflowError on WAR
PI65244 EJB connection helpers are both null
PI65637 Starting an OSGi Application intermittently causes an endless loop.
PI66570 IllegalStateException thrown on server shutdown
PI67028 AccessControlExceptionthrown from AppClassLoader.getResources() call
PI67672 Extended use of remote EJB may cause error mentioning Phaser parties.
PI67674 Restarting ORB may cause socket bind exception
PI67719 AccessControlException from JTMThreadFactory, JNDI lookup, and JmsManagedConnectionFactoryImpl
PI67739 Configuring a non-default ORB may interfere with application client.
Liberty Archive Install PI66992 z/OS IM offering failed to modify asset due to error 'Failed to load bundle com.ibm.was.determine.job.type'
Liberty Kernel PI62609 When coreThreads and maxThreads are the same value, CWWKE1200W messages, which indicate a hung thread, may appear erroneously
PI63436 Embeddable Liberty command wlp/bin/server fails to run on old bourn shell used by Solaris 5.10
PI64318 Product validation error when running installUtility install
PI67017 Apache Commons Compress was incorrectly added to Liberty's JVM classpath
PI67231 Inconsistent installUtility/feature error messages when installing features or depending features not found on repository
PI67665 Path normalization of configuration variables can cause unwanted modifications
Liberty z/OS PI61412 HTTP access logs are not tagged on z/OS.
PI61645 CWWKF0015I and CWWKF0014W messages are misleading
PI63930 WEBSOCKET-1.1 feature does not work in Liberty Imbedded in CICS TS 5.3
PI64823 zosRequestLogging-1.0 feature does record the SAF mapped user ID in SMF 120 subtype 11 records.
PI65658 Liberty z/OS unauthenticated ID experiences ICH408I calling HttpServletRequest.login with syncToOSThread enabled
PI65709 Storage leak in subpool 249 key 2 when using the zosLocalAdapters-1.0 feature.
PI66150 Liberty server processes the start of WOLA workload to slowly
Security PI60769 IIOP sslRef mismatch not clear in error message
PI61592 Security context not propagated into JCA resource adapter
PI62626 jacc-1.5 feature does not package a separate API jar file even though it exposes the API.
PI62722 Attempting to start or stop a member from the Liberty Admin Center running in a collector on z/OS results in CWWKS2910E
PI63929 Potential open redirect security vulnerability in WebSphere Application Server Liberty CVE-2016-3040
PI63949 When auth-method tag is not used in Liberty a NullPointerException is thrown
PI64065 CWWKS9112W: Invalid run-as configuration for security-role name ApplicationRoleName in the application ApplicationName
PI64790 Cross-site scripting vulnerability in OpenID Connect client CVE-2016-3042
PI65716 configUtility and collective command line utilities do not support the custom password encryption
PI66628 The message when the custom password encryption is not available is not acculate.
PI67237 AccessControlException issued when an API tries to obtain an internal OSGi service via the kernel service SPIs.
PI67467 An intermittent MalformedURLException is issued during the server shutdown when Java 6 is used and there are permissions defined
Sessions and Session Management
PI60026 Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)
Systems Management Functions PI62640 Collective utility help text for --keystorePassword is incorrect.
PI66520 A collective controller shared configuration file is removed after it is renamed.
PI66522 A deploy rule without a defined restart command produces an exception during a deploy operation.
PI66523 The --createConfigFile option of the collective utility allows the config file to be in the configDropins/defaults directory
PI66524 The collective utility writes an unnecessary request to edit server.xml.
PI67220 Liberty member in a Docker container ignores metadata defined in the admin-metadata.xml file included in the container.
PI67221 Docker registry commands in the Docker deploy rule mistakenly prepend the repository with the user name.
Virtual Member Manager (VMM) PI62392 Login failure if userFilter contains userAccountControl attribute
PI63471 getUserDisplayName returning null when basicRegistry is configured
Web Container
PI54459 Information Disclosure in WebSphere Application Server Liberty CVE-2016-0378
PI58875 Application is started even though there has been a listener exception during application start up
PI61651 An uncaught exception in javax.servlet.AsyncListener.onComplete() might cause threads to hang
PI63193 SRVE8094W might happen even if invokeFlushAfterServiceForStaticFile=false
PI65853 WebSphere Application Server Web Container affected by Apache Struts vulnerability (CVE-2016-3092)
PI67093 Information disclosure in IBM WebSphere Application Server CVE-2016-5986
PI67470 ConcurrentModificationException thrown on getServletWrapper when serveServletsByClassname is enabled
PI67832 FFDC created when a feature is removed from server.xml.
Web Services (JAX-WS, JAX-RS) PI64462 NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocal Providers.getContextResolver()
PI67586 ConcurrentModificationException in org.apache.cxf.jaxrs.JAXRSServiceFactoryBean
Web Services Security PI66148 OIDC Client Service is not thread safe
PI66354 OAuth provider does not encode non-ASCII characters properly
WMQ messaging providers PI45254 Collect more serviceability data for transaction log service
PI65127 Deadlock issue in tranlog database
PI65412 Transaction service may fail to log data correctly when its logs are stored in a database and connection failure occurs
Fix release date: 24 June 2016
Last modified: 24 June 2016
Status: Superseded

Download Fix pack 16.0.0.2

Component
 Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI58316 Changes to JSP in EAR or WAR not picked up if CDI-1.2 feature enabled
PI61971 CDI forces a creation of an extra session, which causes memory usage issues.
DynaCache PI59818 Servlet and Object Cache services are initialized multiple times during Liberty startup causing delays and exceptions
EJB Container PI58029 Classloader leak associated with PCRegistry
PI59443 A method named ejbCreate on a managed bean may be treated as a post construct interceptor method
General PI52696 WebSphere Application Server proxy - Too many open files
PI53321 Using WOLA with CICS version 5.3 causes BBOX abend
PI54666 NullPointerException when using IPv4/IPv6 loopback addresses
PI55413 CICS BBO (WebSphere) link server abends with WRITEQ TSQ BBO* error eibresp: 16 eibresp2: 0
PI57228 The HTTP Channel will consume additional memory, in specific circumstances, when processing inbound data.
PI58457 Quotes are automatically added to the cookie Path attribute on version 1 cookies
PI58692 NullPointerException when using batchManager to purge and no arguments specified
PI58800 High CPU utilization can occur for WebSocket sessions that expire using a non-default MaxIdleTimeout value
PI58918 Response Splitting Vulnerability using a specific API CVE-2016-0359
PI59273 A job instance with zero executions cannot be stopped or restarted.
PI61321 Serviceability changes for batch feature
PI61621 The persistent user data and metric values are invalid when a job fails in the middle of a chunk step
PI62053 HTTP Channel Access Log does not properly record how much is written to the file
PI64247 For Double Byte languages an FFDC IllegalArgumentException can occur for a WebSocket connection that closes due to an error
Intelligent Management Component PI61807 Web Server SSL certificate created by the Liberty dynamicRouting feature needs updating
Java Persistence API (JPA) PI47094 ClassCastException using a shared JPA module on JPA 2.1
PI55889 JPA Merge fails intermittently with FOREIGN KEY constraint error
PI58092 Delay in application startup on Liberty
PI58523 When using jpa-2.1 with Bean Validation, XML constraints are not recognized
PI59004 Criteria Modelgen API is not included for the EclipseLink provider
PI59757 JPA PersistenceUnitUtil.getIdentifier() fails for nested EmbeddedId
PI59782 Eclipselink on Liberty is missing javax.json imports
PI59999 OpenJPA custom plugins can cause Classloader leaks
PI62022 Bean validation interceptor is invoked twice
JavaServer MyFaces (JSF) Apache MyFaces implementation PI57255 MyFaces CDI support is disabled if non-CDI application is loaded first
PI59422 Flow beans are destroyed before the flow is finalized
JavaServer Pages (JSP)
PI56811 XXE and RCE via XSL extension in JSTL XML parse and transform tags
PI59436 NullPointerException when using EL expressions returning null
PI60837 A StackOverflowError can occur when com.ibm.ws.el.reuseEvaluationContext is set to true
PI61400 There are unused message properties files packaged in the Expression Language (EL) 3.0 bundle.
Liberty Administrative Center PI58080 Admin Center toolbox cannot save bookmarks with Explore search results which search on tags
PI62052 Potential security vulnerability in Admin Center for Liberty CVE-2016-0389
Liberty Application Services PI53419 Liberty server z/OS: Deadlock adding WABs to web container
PI58841 An OSGi web app using JSP and JSTL by default currently needs to explicitly import the JSTL spec packages.
PI59010 CWWKC2259E: "Unexpected child element defaultDatasource" in WebSphere Liberty for EJB 2.1
PI60496 EBA will fail to resolve when blueprint-1.0 is active
PI60749 Common shared library classes return null when calling getProtectionDomain().getCodeSource().getLocation()
PI61468 Application classloaders are leaked by transaction monitoring threads.
PI61906 Classloading trace doesn't contain details of classpath being traversed.
PI62078 ClassLoader leak in CDI's RuntimeFactory
PI62240 ClastCastException doing a JNDI lookup
PI62385 Classloading perfomance of the Liberty ORB has been slightly improved.
Liberty Archive Install PI60256 Failed to testConnection against wlp-feature-8559.zip
PI62355 License jar upgrade returns a confusing message when it fails due to invalid edition.
Liberty Debug and Tracing PI57488 Null characters added to logs when truncated by user
PI58309 NullPointerException seen with logstashCollector-1.0 feature when access log source is enabled
PI58310 logstashCollector-1.0 feature reports a NullPointerException during server shutdown operation
PI58311 TRAS0120W message reports incorrect lost events
PI58386 Duplicate FFDC records are sent for the same failure by logstashCollector-1.0 feature.
PI60821 NullPointerException when eventLogging feature is removed
PI61051 Removal of ISADC script
PI61371 High Performance Extensible Logging (HPEL) binarylog view does not sort by time stamp
PI62013 Warning message should be issued when wrong source is specified.
PI62015 Unexpected null pointer exception appearing in FFDC logs with logstash collector whenever updating the source
Liberty Kernel PI48971 ActiveMQ properties not being honored in JMSActivationSpec in Liberty
PI59235 Problems with serialization code
PI59906 Server command help is missing the --os option description
PI60941 When installUtility install serverName is run, the server logs and workarea were not created under WLP_OUTPUT_DIR
PI61175 During startup the application manager can cause an FFDC with a ConcurentModificationException causing no applications to start.
PI61177 Spurious error may be logged when bundle starts and immediately stops.
PI61178 Dynamically configuring one or more features from zero features will delay starting applications by 30 seconds
PI61319 The help for the productInfo command line tool reports an error rather than provide the help text.
PI61320 Missing attribute message is confusing
PI61324 Server package zips when unpacked lack file permissions for scripts in bin folder.
PI61451 installUtility command may fail with a SocketException: "Too many open files"
Liberty System Management PI57567 Merged plugin-cfg.xml generated by ClusterManager mbean generateClusterPluginConfig operation contains dup elements
PI58426 Collective create always treats --keystorePassword as a required argument
PI61176 Using the IBM JMX REST client from Liberty requires setting too many properties
PI61895 Swagger document and UI in apiDiscovery-1.0 did not show non-ASCII characters properly.
Liberty z/OS PI50018 linkTaskChanID property does not work when used with z/OS Connect service provider
PI52665 z/OS WOLA CICS BBOC control transaction cannot support long command strings from the console
PI54756 z/OS Connect JSON Parse Error message missing JSON payload.
PI56919 IllegalArgumentException: com.ibm.ws.security.saf.SAFException: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed
PI57546 UserRegistry.getUsersForGroup() is not implemented in Liberty server
PI58016 Asian characters in UTF-8 encoded payloads are converted to escaped unicode characters
PI58155 Liberty server takes ABENDEC6 RC0000FD1D due to CPU time limit exceeded
PI58468 WOLA fails to reconnet to CICS TS after previous executions have succeeded
PI59320 ABEND 0C4 RSN=00000004 or a CICS ASRA ABEND when you have more than 128 WOLA connections in an address space
PI61322 CICS programs called over WOLA are being passed an incorrect channel or container name.
PI61323 An ABENDDC2/ABENDSDC2 occurs in program BBOATRUE when CICS is configured to use an embedded Liberty server.
Performance Monitoring Tools PI60781 NullPointerException being thrown from requestTiming feature if any exception occured
Security PI55373 Collective framework needs to support certificates signed by third party signers
PI59813 Improve the exception generated when client does not trust the server.
PI61090 NullPointerException from FeatureWebSecurityCollaboratorImpl
PI61204 NullpointerException when using ibm_securitylogout in Liberty
PI61253 OAuth or OpenID Connect response does not contain state parameter
PI61622 The French help text of the PasswordUtility command line utility contains typographical errors.
Systems Management Functions PI58664 Liberty collective member status is incorrect
PI62453 When making a JMX Connection to a collective member, the JVM default for HTTPs connections is updated
Virtual Member Manager (VMM) PI54746 Federated repository does not allow a user login with Turkish characters
PI56819 User login failure when uniqueUserIdMapping inputProperty set to non default values
Web Container PI51122 Webcontainer intermittently generates a 500 error with StringIndexOutOfBoundsException
PI56833 WebContainer is setting the Content-Language
PI57951 Line feed code disappears when data is uploaded with enctype="multipart/form-data" in an HTML form
PI58920 Dispatcher type obtained from HttpServletRequest is not updated on post processes
PI59415 Development version of servlet SPI bundle does not match with runtime webcontainer bundle.
PI60797 Enable POST only for a form login
PI61594 AsyncContext.dispatch() might dispatch to an incorrect URI if using different versions of ServletRequest.startAsync()
PI61628 A 404 error might be generated when using redirectToWelcomeFile
Web Services (JAX-WS, JAX-RS) PI53319 ClassNotFoundException on WebSecurityHelper
PI56315 JAX-RS MessageBodyWriter is not run
PI56374 ClassCastException: java.util.TreeMap incompatible with javax.ws.rs.core.MultivaluedMap
PI58097 HTTP Response header with invalid Date string is added to the response on a WebServices request
PI58779 JAX-RS 2.0 @Context injection from client side provider reports NullPointerException
PI58799 IllegalArgumentException inJAX-RS InjectionUtils.java code
PI59519 Update product.json model to match recent changes in API Connect
PI59633 When using JPA to persist an object, the JAX-RS engine does not correctly catch any exceptions that are thrown
PI59640 Security definition is missing from the filtered Swagger document returned by API Discovery Framework
PI59643 Using @Context to get the HttpServletRequest and changeSessionId() always returns null
PI61936 Information disclosure in JAX-RS API
PI62155 Suppress SOAP FAULT error message
PI62450 Swagger processor may allow weaker than expected security
Web Services Security PI59665 OIDC Relying party auth flow fails with 401 error when security trace is enabled
PI59677 OIDC relying party authentication failure due to CWWKS1704E error
PI62735 The groupId(s) get lost in id_token and introspection
WMQ messaging providers PI59123 WS-AtomicTransaction participant recovery after a server crash may never complete
PI60966 Problem distributing transaction between WSAS traditional and Liberty using WS-AtomicTransaction.

Fix release date: 18 March 2016
Last modified: 18 March 2016
Status: Superseded

Download Fix pack 8.5.5.9
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI50291 Beans searched for through instance interface are not found
PI51134 NullPointerException if all interceptors are on methods overriden, defined at class level or defined in a different method
PI51508 Reduce contention in AbstractOwbBean.equals use
PI52391 BeanManger.equals cannot distingiush between two BeanManagers for the same module after a restart
PI52756 CDI is activated and generates error with no existence of beans.xml
PI52765 Provide a fix for Weld bug in CDI 1.2
PI57976 Objects of class NullInjectionPointImpl are visible in applicaiton code
PI58021 ClassNotFoundException if application contains a jar which contains other archives
Database Access, Connection Management, Merant/DataDirect drivers PI57239 Error when multiple threads attempt to authenticate to Mongo at the same time
EJB Container PI49639 CWWKC2259E: "Unexpected child element" in Liberty profile for EJB 2.1
PI50806 NullPointerException in AbstractEJBRuntime.bindAllRemoteInterfacesToContextRoot when using ejbRemote-3.2 feature
PI53807 Improve message text when EJB SessionContext fails to serialize
PI55049 Non-persistent EJB Timer created while application is stopping may not be removed
General PI48725 Initial TLSv1.0 application data packet read into the wrong buffer by the SSL channel
PI49508 At startup end users requests routed with HTTP 404 response
PI49566 WebSockets might not close the connection if sessionIdleTimeout is set
PI51523 HTTP Channel getCookieValue throws ArrayIndexOutOfBoundsException when cookie is only one-digit double quote "
PI51552 Unwanted CWWKC1556W warning when application starting or server shutting down
PI51740 The HTTP Channel could cause the Operating System to send an RST packet when the connection is closed
PI52417 Host name resolution with collectives on z/OS may not resolve properly
PI52845 SSL handshake fails due to a java.lang.IllegalArgumentException.
PI54212 Update one class in Apache Commons
PI55344 The job logs are producing a date such as 2016-12-28 as opposed to 2015-12-28 during the last week of the year
PI55874 Jobs containing split-flow may continue executing the (split-flow) even after the job is stopped.
PI56019 The com.ibm.websphere.appserver.api.mediaServerControl.1.0_1.0.11.jar file in the dev/api/ibm directory is empty.
PI56057 The MediaServerControl Javadoc provided contains accessibility issues.
PI56076 Batch job logs do not contain the exception stack trace on step or job failures.
PI57100 Remote partition wrongly ends in COMPLETED state when job is stopped, wrongly bypassing partition execution on restart.
PI57542 IOExceptions is not thrown on inbound connections
PI58014 Message's address is null in SipUdpConnLink
PI58049 The exitStatus after the restart of an executor is not properly being rolled back to the correct value.
Install V8 and above PI51130 Updating Liberty using group-mode Installation Manager does not set group-write bits
PI55969 An update to the licenses in IBM WebSphere Application Server Liberty V8.5.5.9 is required.
Intelligent Management Component PI53304 Auto scaling does not fully scale in to the minimum number of servers or scale out to the maximum number of servers
PI57006 A scaling controller might not register a scaling member correctly when the member starts.
PI57007 ConcurrentModificationException in com.ibm.ws.scaling.controller.topology.RepositoryMonitor$UpdateHandler
PI57982 In a Liberty collective, not all instances of an application are used when routing with Intelligent Management for Web Servers.
Java 2 Connectivity (J2C) PI53120 Datasource connection pool minimumPoolSize to be 0 by default for newly created datasources
PI54230 ClassNotFoundException when using generic RA in Liberty
Java Persistence API (JPA) PI46699 A null value is returned when trying to use OpenJPA's DelegatingConnection's unwrap()
PI47094 ClassCastException using a shared JPA module on JPA 2.1
PI47144 Merging an unmanaged entity multiple (3) times leads to an exception.
PI50341 Using java.sql.Timestamp data type for entity version value requests current timestamp from wrong SYSIBM table on DB2
PI50694 ClassCastException is thrown in JPA when QueryCache is enabled
PI51878 ddlGen script is shipped in ASCII instead of EBCDIC in Liberty 8.5.5.7
PI52209 EntityNotFoundException in OpenJPA
PI53589 OpenJPA fastpath broken on Java 8
PI56340 OutOfMemoryError from org.apache.bval.cdi.BValExtension$Releasable objects not being released.
PI56499 AbstractMethodError occurs when using JPA with beanvalidation-1.1 feature
PI58001 NullPointerException from org.eclipse.persistence.queries.ReadObjectQuery under heavy loads
PI58005 With a Liberty image consisting of only EE7 features, importing javax.persistence 2.1 with WDT requires an internal attribute.
JavaServer Faces (JSF) SunRI implementation PI46218 DeploymentException occurs if different web modules in an enterprise application have CDI beans with the same name
JavaServer MyFaces (JSF) Apache MyFaces implementation PI45044 JSF problem in a Portlet environment: Form inputs inside a data table lose their values if validation fails
PI47885 h:selectManyCheckbox and h:selectOneRadio components do not support f:ajax tags.
PI49486 MyFaces leaking file descriptors when reading stylesheet files
PI50108 JSF component binding with ViewScope beans does not work and causes an exception
PI51038 Fix EL 3.0 ImportHandler support in JSF 2.2
PI53555 JSF ViewScope implicit objects are not resolved in JSP pages
PI54702 Null renderer-type tag causes custom TagLib xml parse error
JavaServer Pages (JSP) PI52851 Changing JavaServer Pages (JSP) features between requests can result in a java.lang.NullPointerException.
Liberty Application Services PI51184 CWWKG0031E is received after commenting out a JNDI element and then adding it back at runtime
PI51375 Application Manager change to make time waiting for apps at startup configurable
PI52936 Application classes will provide incorrect values when calling getProtectionDomain().getCodeSource().getLocation()
PI54707 Intermittent ConcurrentModificationException thrown on startup when two Liberty apps use a privateLibraryRef.
PI55383 Client container application fails to run
PI55891 SPI classes under com.ibm.ws.container.service reference some non-SPI classes
PI56452 NullPointerException in WABInstaller.java results in "Unable to install bundle" message
PI56644 SPI classes under com.ibm.ws.javaee.dd reference some non-SPI types
PI56831 Classloader.getResource("") does not return url to WEB-INF/classes
Liberty Debug and Tracing PI51841 Request timing can accidently remove an executing request from the active request list
PI52003 New "JSON" format added to binarylog command
PI54917 ConcurrentModificationException in collector manager
PI55910 Logging in InvocationContextImpl outputs array IDs instead of array contents
Liberty Kernel PI51988 Invoking productInfo with valid command but bad option does not give errors
PI52309 WebSphere Liberty default executor auto-tuning is disabled when an embedder overrides the default ThreadFactory.
PI53867 ScheduledExecutorService can temporarily leak classloaders for canceled tasks.
PI54458 Wrong charset returned in page-not-found error when incorrect context root is requested.
PI55031 Fix defect in Equinox framework to incorporate in Liberty
PI55670 Liberty File URLs contain incorrect number of '/' characters
PI56645 Configuration conflict warning message needs improvement
PI56678 FileNotFoundException when application start-up fails.
PI57314 JSP classloading ignores the application parent-last classloader setting
PI57974 OSGi applications may be able to get access to OSGi services provided by Liberty feature bundles which are not considered API.
PI57975 Deadlock may occur when creating a Java util logging Logger
PI57980 Improper error when running Liberty scripts with unsupported Java version.
PI57981 Changing SSLDefault may still require unnecessary configuration of defaultKeystore
PI58006 Feature updates are less likely to result in unnecessary component activation and deactivation
PI58035 When installing features using the installUtility jaccWeb-1.5 and ejbComponentMetadataDecorator-1.0 are not installed
Liberty System Management PI53219 Wrong locale in the content when calling REST API to generate schema
Liberty z/OS PI50915 More details will be provided for some failures in WOLA connections via Liberty
PI51171 Allow WOLA client to re-connect after a Liberty server failure or recycle
PI51329 Default JAVA not read from java.env when server is started with a PROC.
PI53339 Liberty on z/OS fails to route messages to MSGLOG DD card
PI53469 z/OS Connect does not preserve JSON payload element ordering as shown in copybook files.
PI53842 Basic authentication not working z/OS Connect dynamic services
PI54855 Liberty on z/OS does not pick up the IFAUSAGE properties file in the product extension directory
PI54886 When starting a Liberty server that has zoslocaladapters configured the sever abends with a System 106.
PI55029 Liberty started task does not expand @WLP_INSTALL_DIR@ when used in the path specified by WLP_DEFAULT_JAVA_HOME in java.env.
PI56289 Calls to WOLA services BBOA1* may hang when Liberty server is cancelled or ABENDs
PI56385 Message CWWKB0101I does not provide enough information to diagnose problems connecting to an Angel process.
PI56987 WLP_SKIP_UMASK=true is not working when Liberty server is started from a started task on z/OS
Messaging Providers PI47483 [WARNING ] CWWKG0032W: Unexpected value specified for property
Performance Monitoring Tools PI55077 Monitor group filter does not work with the component which are not using the code intstrumentation.
Security PI50399 NullPointerException thrown at com.ibm.ws.transport.iiop.security in Liberty profile
PI51188 Login fails with mixed-case password phrase on z/OS.
PI52181 Liberty incorrectly displays warning message aboutWSGUEST user missing the RESTRICTED attribute
PI52566 Incorrectly returning CWWKS4306E when application URI is unprotected and Liberty receives an expired LtpaToken
PI57413 CWWKE0702E: Could not resolve module: com.ibm.ws.management.security is logged when zosSecurity-1.0 is enabled.
PI57668 Collective member certificate login fails with LDAP or Federated user registry
Sessions and Session Management PI53220 Session attribute not stored with Oracle as database session persistence and MultiRowSchema=true
Systems Management Functions PI58002 Collective replica restart may fail
Virtual Member Manager (VMM) PI48674 LDAP binary attribut handling in VMM
Web Container PI42598 Filter with only WebFilter annotation does not get invoked
PI43752 AsyncContext.dispatch() dispatches to an incorrect URI
PI52414 While using an upgrade request the quiesce operation did not complete
PI52415 isFinished on a stream can return true before the stream is fully read
PI53854 Unable to retrieve the REMOTE_USER from the WSRU header without using any security in Liberty
PI54235 A redirect using an URI relative to the current request URL redirects to the wrong URL
PI54414 Managed thread factory not available in ServletContextListener.contextInitialized
PI54701 The Servlet SPI was refactored to provide a complete set of SPI classes.
PI57884 Blocking write is not allowed once WriteListener is enabled.
PI58013 If an error occurs during a request with a ReadListener and is upgraded, a quiesce operation may not complete properly
Web Services (JAX-WS, JAX-RS) PI48389 @PreDestory method invoked twice when @RequestScoped annotated on resource class and no @Context field in the class
PI50692 Data conversion issue for Multi-part MIME on mainframe (z/OS)
PI51798 Liberty JAX-RS implementation may throw NullPointerException
PI52014 User customized provider life cycle annotation @PostConstruct @PreDestroy not work or throw NullPoint Exception when stop server
PI54152 Liberty profile JAX-RS 2.0 Client Side Built-in Providers Installation Performance Issue
PI55038 Injection on implementation of ParamConverterProvider in JAX-RS 2.0 fails with NullPointerException
PI55547 Customized EJB ExceptionMapper cannot be mapped to user defined Exception in more than two JAX-RS 2.0 Applications
PI56455 ClassNotFoundException loading the jaxws-2.2 and appSecurity-2.0 features
Web Services Security
PI49272 Cross site scripting vulnerability in Oauth Service Provider CVE-2015-7417
PI57265 Add OpenID Connect relying party (RP) config option to specify whether to do client side redirect
PI58003 Cross-site scripting vulnerablility in OIDC client web application
WMQ messaging providers PI43413 Deadlock in controller due to timing window in the recovery log service; servant times out
PI53471 Extended Unit of Work API may not throw errors back to the application when they occur during transaction end processing.
PI53472 Thread safety defect in Unit of Work manager initialisation
PI53661 When inside an @Transactional declarative transaction, an error is thrown upon entering an @TransactionScoped context.
PI54151 Unable to find the @Transactional annotation
PI56465 @TransactionScoped bean instances do not have their @PreDestroy-annotated destructors called.
PI56466 Access to UserTransaction methods is not correctly disabled within nested @Transactional annotations
PI56467 @Transactional rollBackOn/don'tRollbackOn scans the exception class hierarchy in the wrong direction
PI56529 @Transactional annotation processing code emits FFDC when encountering RuntimeExceptions in the dontRollBackOn list

Fix release date: 11 December 2015
Last modified: 11 December 2015
Status: Superseded

Download Fix pack 8.5.5.8

Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI47250 Liberty Profile with CDI 1.2 and CDI enabled application has slow startup
PI49410 Publish the Weld 3rd party version on the repackaged Bundle-Description
PI49978 If CDI 1.2 is enabled then a BeanManager could be returned when resolving any JNDI value.
PI50790 Turn off beans.xml validation by default.
PI50802 ProcessInjectionTarget and ProcessInjectionPoint events are not fired when processing non-CDI Interceptors.
PI52419 Export weld packages so that DeltaSpike Scheduler can be supported
EJB Container PI47475 A NameNotFoundException occurs for injection of resource into ManagedBean in EJB module
PI48390 IllegalStateException thrown during server stop when j2eeManagement feature is installed
General PI42523 Root not injected on URL containing query but omitted path
PI45266 HTTP response splitting vulnerability CVE-2015-2017
PI47651 An OutOfMemory error can occur from a leak in WebSockets when websocket session timeout is set
PI47954 Future.get can hang during ManagedTaskListener.taskStarting for repeating task
PI48097 Cleanup of resources can be missed after Thread.run for threads created by a ManagedThreadFactory.
PI48327 WLP does not handle requests successfully during shutdown
PI48759 The TCP Channel's Host Name Include and Exclude lists are case sensitive
PI50766 ExecutionException raised instead of AbortedException for aborted task
PI51046 BATCHMANAGER SCRIPT WebSphere Application Server SHIPPED IN ASCII ENCODING ON z/OS INSTEAD OF EBCDIC ON LIBERTY 8.5.5.7
PI51656 COMM_FAILURE exception raised during IIOP invocation due to IIOP connection being closed while in use
PI52303 Duplicate IIOP request IDs lead to incorrectly parsed response (from incorrectly handled reply message).
Install V8 and above PI51982 LIBERTY 8557 CANNOT ROLLBACK TO LIBERTY 8553 AND BELOW
Intelligent Management Component PI49835 java.lang.IllegalStateException: The ScalingMemberReplacementService service is not available
JavaServer MyFaces (JSF) Apache MyFaces implementation PI47095 A java.lang.ClassNotFoundException can occur during deserialization of the HTTP session
PI47578 An UnsupportedOperationException is thrown with an eager ManagedBean containing a ManagedProperty in JSF 2.2
PI47600 The "class" attribute cannot be set in a custom tag in JSF 2.2
JavaServer Pages (JSP) PI43036 JspTranslationException when using a JSP tag containing another tag with deferred-attributes
PI44611 JSP engine throwing an IllegalStateException when PageContext.findAttribute(string attributename) is called
PI46827 Memory leak in javax.el.BeanELResolver caused by application restarts
Intelligent Management Component PI52161 Liberty collective server status is not in sync with DataPower status query
Liberty Application Services PI50370 Unnecessary IllegalStateException FFDC created during some server stops
Liberty Archive Install PI50812 Some download error messages are shared with install error messages, but the content of the message only mentions install.
Liberty Debug and Tracing PI49056 NullPointerException when updating traceSpecification programmatically.
PI50369 NullPointer in MethodInfoImpl tracing
PI51010 Liberty core dumps when -Xhealthcenter:level=inprocess jvm option is used with health center agent version 3.0.5 or above
Liberty Kernel PI46358 Problem with notify call for updateTrigger="mbean"
PI46856 Unused server.env file generated when creating client processes using Java 8
PI47941 Liberty featureManager command may hang until killed
PI48377 Unable to use wlp-featureRepo-8.5.5.7.zip as a directory based repository in WDT
PI49759 When setting the trace file name to 'stdout', the distinction between error and general output messages is lost.
PI49927 UPDATE TO COMMAND PRODUCTINFO VIEWLICENSEINFO
PI50096 When Java security is enabled application class loaders may get access to internal packages contained in liberty profile
PI50775 There needs to be a space character preceding the ellipses mark used in some install command line messages.
PI51403 SSL support does not start properly
PI52579 Errors after adding or configuring additional content to server when the server installation path contains unsafe characters
Liberty z/OS PI46937 Security identity not propagated from batchManagerZos to batch exectuor in multi-server environment causes JobSecurityException
PI47050 Unintall zosBundle addon fails if use Java7 to run Liberty installUtility
PI47248 PERMISSION ERRORS ACCESSING RESOURCES IN THE SERVER'S WORKAREA DIRECTORY USING APPLICATION SYNCTOOSTHREAD WITH JSP INCLUDE TAG
PI47476 CWWKT0022E IN LIBERTY SERVER WHEN USING DVIPA HOSTNAME DEFINED BY VIPARANGE
PI47730 SERVICEABILITY ENHANCEMENTS TO ENABLE TRACING IN THE TOOLING THAT z/OS CONNECT USES
PI48362 The performance of inbound requests using the zosLocalAdapters feature is poor.
PI48528 z/OS CONNECT USE OF HTTP GET WITH INVOKEURI FAILS WITH WOLA SERVICE PROVIDER
PI48823 HIGH I/O AND CPU USAGE WITH ZOSCONNECTDATAXFORM DATA TRANSFORMER
PI48987 AFTER RESTARTING LIBERTY WITH z/OS CONNECT, NO z/OS CONNECT SERVICES ARE AVAILABLE
PI50040 CWWKE0701E MESSAGES SEEN AT LIBERTY SERVER STARTUP
PI50389 CONVERTTOJSONPRIMITIVE DATA TRANSFORMATION PART OF z/OS CONNECT USES HIGH CPU
PI50787 A z/OS modify command fails when running OSGi console commands.
Performance Monitoring Tools PI42967 Excessive appendCustomSetString calls cause high CPU when using VE and PMI.
PI49140 Health manager dumps many files into member server's /tmp directory
Security PI44880 Improve serviceability for form-logout processing.
PI47544 Fix keystore file monitoring so it is not polling by default.
PI47823 In Liberty profile ignoreCase=true is not honored for administrator-role entries
PI48220 The hashtable login module does not honor the uniqueId and security name when passing then userId
PI49157 App Server Classic to Liberty profile remote EJB lookup is not working when CSIv2 uses LTPA
PI50589 Liberty profile needs a meaningful message in the NO_PERMISSION exception when failing to decode a GSSUP token.
PI50717 Populating the users to the BasicRegistry might fail due to CWWKS3104E: Multiple users are defined error
PI50825 Access is denied with a WebSphereRuntimePermission for getSSLConfig in CSIv2 during a naming lookup.
Sessions and Session Management PI51030 There is a duplicate creating table problem when using Informix as session database on Liberty profile
Systems Management Functions PI50111 Automatically deployed member fails to start on Microsoft Windows
PI50484 Multiple clusters concurrently deploying to new host have JRE collision
PI50768 wlpInstallDir and/or jreInstallDir and/or otherInstallDir install to default location instead of to user specified one.