IBM Support

Fix list for IBM WebSphere Application Server Liberty

Product Readmes


Abstract

Fixes for WebSphere Application Server Liberty are delivered in fix packs periodically.  This is a complete listing of all the fixes for Liberty with the latest fixes at the top.

New fix pack numbering was introduced starting 16.0.0.2. Fix pack 16.0.0.2 for WebSphere Application Server Liberty is the first of a series of common Liberty levels that apply to both Version 8.5 and Version 9.0 of WebSphere Application Server on all supported platforms.

Content

3
  
Release Date
Total number of APARs
Total number of Security APARs
Total number of Open Liberty Release Fixes
2 December 2025
1
1
8
4 November 2025
3
0
6
7 October 2025
6
1
8
9 September 2025
4
4
6
12 August 2025
3
2
12
15 July 2025
2
0
17
17 June 2025
0
0
9
20 May 2025
1
0
9
22 April 2025
2
2
4
25 March 2025
1
0
8
25 February 2025
1
1
9
28 January 2025
2
0
11
3 December 2024
5
1
10
5 November 2024
2
1
6
8 October 2024
3
0
7
10 September 2024
4
1
12
13 August 2024
3
0
9
16 July 2024
1
0
9
18 June 2024
3
1
14
21 May 2024
3
3
7
23 April 2024
6
3
10
26 March 2024
4
1
12
27 February 2024
1
0
8
30 January 2024
1
0
14
12 December 2023
3
2
10
14 November 2023
3
0
10
17 October 2023
5
0
16
19 September 2023
1
0
13
22 August 2023
4
1
8
25 July 2023
3
0
9
27 June 2023
4
1
11
30 May 2023
4
0
16
2 May 2023
3
0
15
4 April 2023
2
0
11
7 March 2023
6
2
15
7 February 2023
1
0
15
20 December 2022
4
1
9
22 November 2022
4
1
15
25 October 2022
5
1
8
27 September 2022
3
1
8
30 August 2022
3
0
12
2 August 2022
4
2
14
5 July 2022
1
0
4
7 June 2022
3
2
12
10 May 2022
4
0
14
12 April 2022
5
0
13
15 March 2022
4
2
20
15 February 2022
7
2
16
18 January 2022
6
2
18
3 December 2021
1
0
13
5 November 2021
2
0
17
8 October 2021
5
2
14
10 September 2021
3
0
11
13 August 2021
1
0
7
15 July 2021
4
1
14
18 June 2021
2
0
11
21 May 2021
4
0
19
23 April 2021
3
2
12
26 March 2021
2
0
18
26 February 2021
3
0
12
29 January 2021
2
0
24
27 November 2020
6
0
16
30 October 2020
2
1
12
2 October 2020
6
1
11
4 September 2020
4
0
10
7 August 2020
2
0
10
9 July 2020
2
0
14
12 June 2020
4
0
15
15 May 2020
3
2
14
17 April 2020
6
1
19
20 March 2020
6
1
18
21 February 2020
11
2
29
24 January 2020
2
1
23
13 December 20191113
15 November 20198219
18 October 20198218
20 September 2019619
23 August 20196019
25 July 20194114
28 June 2019508
31 May 2019308
3 May 2019
4
1
15
5 April 2019
10
1
25
8 March 2019
9
0
18
8 February 201911124
14 December 2018
29
3
51
21 September 2018
31
5
38
29 June 2018
45
1
29
16 March 2018
32
3
84
21 December 2017
54
2
 
17 October 2017
109
3
 
13 June 2017
115
1
 
14 March 2017
90
0
 
13 December 2016
103
1
 
16 September 2016
107
7
 
24 June 2016
121
5
 
18 March 2016
141
2
 
11 December 2015
78
2
 
11 September 2015
   
26 June 2015
   
13 March 2015
   
8 December 2014
   
18 August 2014
   
28 April 2014
   
11 November 2013
   
14 June 2013
   

Fix pack 25.0.0.12
Fix release date: 2 December 2025     
Last modified: 2 December 2025     
Status: Recommended     

Download Fix pack 25.0.0.12
 
Enhancements:
Title
Support FIPS 140-3 in Liberty with IBM Semeruapplication
 
Fixes:
APARSecurity APARDescription
PH68424IBM WebSphere Application Server Liberty is affected by SMTP injection due to Jakarta Mail (CVE-2025-7962 CVSS 7.5)
 
Open Liberty fixes:
Issue/PRDescription
32803400 Request Header Or Cookie Too Large error in OIDC with WASOidcNonce cookies
33029Hibernate CDI compatibility flag broken for hibernate 6.6.23
33162Provide a mechanism to change the default format of error pages like CWWWC0005I
33170Intermittent exception on Http 2.0 connection close
33219TCP WorkQueueManager race condition
33235AccessControlException in Mutiny / MicroProfile Reactive
33403OIDC login may fail if WASOidcCode cookie is too large
33427NPE in com.ibm.ejs.util.Util.toHexString
 

  Back to top 

Fix pack 25.0.0.11
Fix release date: 4 November 2025     
Last modified: 4 November 2025     
Status: Superseded     

Download Fix pack 25.0.0.11
 
Fixes:
APARSecurity APARDescription
PH68255 Fix issue preventing Swagger UI to render in some cases
PH68322 Sending multipart/form-data with mpRestClient asynchronous @restclient
PH68425 0c4 abend in bboatrue when using WebSphere Optimized Local Adapters with CICS 6.3
 
Open Liberty fixes:
Issue/PRDescription
1357Error message for CWWKS9660E can be incorrect when apps do not use User Registries
31628Support continued authentication when custom Subject is not in cache
32908Design Issue Inconsistent behaviour for `server create` with server names containing non-alphanumeric characters
32954AutoDecompress is not working correctly
32999[PH68322] Fix the exception in multipart data asynchronous call
33098`appsWriteJSON` not working correctly when JSON record ends with new line
 

  Back to top 

Fix pack 25.0.0.10
Fix release date: 7 October 2025     
Last modified: 7 October 2025     
Status: Superseded     

Download Fix pack 25.0.0.10
 
Enhancements:
Title
Add option to configure a private library to override classes and resources in an application
Support Java 25 in Open Liberty
 
Fixes:
APARSecurity APARDescription
PH67612 Add support for CICS 6.2 in WebSphere Optimized Local Adapters on WebSphere Liberty
PH67833IBM WebSphere Application Server Liberty could provide weaker than expected security due to crypto.js (CVE-2020-36732 CVSS 5.3)
PH67970 WASSAML request cookies building up in HTTP request and leading to 400 bad request error
PH68069 Missing feature description for zosIdentityPropagation-1.0 feature
PH68082 Connection handle to database remains active indefinitely
PH68239 Using OpenJ9 JDK 8, featureUtility fails with "SHA512 MessageDigest not available"
 
Open Liberty fixes:
Issue/PRDescription
21498openidConnectProvider jwkRotationTime does not allow documented setting of 30m
27025UOWScopeCallback registered with UserTransaction is called for BEGIN events but NOT for END events when UOWManager is used
32673JSP jdkSourceLevel=15 is set in OAuth Features
32713400 Request Header Or Cookie Too Large error in SAML
32741Getting NoClassDefFoundError for slf4j for Spring Boot applications using jetty starter
32787Apache Aries Activator needs updates to accommodate changes in OpenJ9 OpenJDK 17
32789Connection handle to database remains active indefinitely
32934Using OpenJ9 JDK 8, featureUtility fails with "SHA512 MessageDigest not available"
 

Fix pack 25.0.0.9
Fix release date: 9 September 2025     
Last modified: 9 September 2025     
Status: Superseded     

Download Fix pack 25.0.0.9
 
Enhancements:
TitleIdea
Automatically propagate SAF identity when client and server are in the same sysplex17
 
Fixes:
APARSecurity APARDescription
PH66669IBM WebSphere Application Server Liberty is affected by a stored cross-site scripting vulnerability (CVE-2025-36000 CVSS 4.4)
PH66953IBM WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36047 CVSS 5.3)
PH67132IBM WebSphere Application Server Liberty is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976 CVSS 7.5)
PH67546IBM WebSphere Application Server Liberty is affected by a security bypass vulnerability (CVE-2025-36124 CVSS 5.9)
 
Open Liberty fixes:
Issue/PRDescription
31374For HTTP stats, the http route attribute is not merging/abstracting requests that contain Path params for springboot application
31962openidConnectClient cannot handle low case "bearer" as token_type
32118DuplicateHomeNameException occurs during EJB application restart after an error occurs during the application start
32151Using parentLast delegation causes inconsistent parent delegation when using common library references
32197MP OpenAPI does not preserve the order of maps when merging documents
32497`CORBA MARSHAL` when sending a `Comparable` field containing a `String`
 

  Back to top 

 

Fix pack 25.0.0.8
Fix release date: 12 August 2025     
Last modified: 12 August 2025     
Status: Superseded     

Download Fix pack 25.0.0.8
 
Fixes:
APARSecurity APARDescription
PH64682IBM WebSphere Application Server Liberty is affected by a security bypass vulnerability (CVE-2024-56339 CVSS 3.7)
PH67183IBM WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36097 CVSS 7.5)
PH67283 APAR PH67283 Dynamic routing routing rules object initialize as null - prevents routing rule JSON update
 
Open Liberty fixes:
Issue/PRDescription
27885WS-AT participant could not be registered as TM is null in HA environment with a load balancer
28189MP Rest Client Warning output because clients are not automatically closed
30420JAVA_HOME set incorrectly in some situations
31077JSON mapping setting not honored for log header in messages.log
31108Update to MyFaces 3.0.3
31954java.lang.ClassCastException on server start
31967Server fails to start when recovery log tables are empty
31994CORBA MARSHAL sending java.util.Date to IBM WebSphere Application Server (traditional)
32040AutoExpand follows symlinks in the expanded directory and deletes contents
32046OpenAPI servers have the wrong protocol when proxy does https termination and uses same port as liberty server
32079Remove misleading warning CWWKL0084W emitted by delegate class loaders
32092MicroProfile RestClient applications leak when stopped
 

   Back to top 

 
 

Fix pack 25.0.0.7
Fix release date: 15 July 2025     
Last modified: 15 July 2025     
Status: Superseded     

Download Fix pack 25.0.0.7
 
 
Enhancements:
TitleIdea
Extend the scope of the maxFiles parameter in logging configuration108
 
Fixes:
APARSecurity APARDescription
PH66642 NPE in TagFiles when JspOption "usePageTagPool" is used
PH66915 Upgrade RXA to 2.3.0.18
 
Open Liberty fixes:
Issue/PRDescription
11570favicon.ico and .json content type is text/plain
30621OSGi sun.misc.UnsafestaticFieldOffset warnings in console log in Java 24
30654Server dump command does not include log files on OpenShift
31172SSE Responses with Compression Enabled Are Not Written Out in Open Liberty
31619MP OpenAPI UI shows extended header for OpenAPI 3.1 documents
31646@Transactional(NOT_SUPPORTED) doesn't re-enable UserTransaction
31679IllegalAccessError occurs when GLIBC defines a proxy class for a package private bean class in Spring
31684[PH66642] NPE in TagFiles when JspOption "usePageTagPool" is used
31687Server starts even though onError=FAIL and CWWKO0221E - port conflict - occurs
31689When using webModuleClassPathLoader=ear the JARs included in EAR lib/ can get added to the EAR loader twice
31734An Ambigious Bean Name Exception is thrown if two different wars have the same bean name and a Liberty runtime extension can see all app classes
31737Write timeout value mismatch with HTTP2
31741MicroProfile REST Client Classloading Issue In User Feature Bundles
31774OpenAPI does not check for version specific annotations on app restart
31795Add retries when attempting to install native liberty package on linux for packaging FAT
31833Potential thread-safety issue when removal of ConnectionEventListener overlaps a connection error notification
31947addHttpSessionAttributeListener ArrayIndexOutOfBoundsException occurred and the application did not start
 

  Back to top 

 
 

Fix pack 25.0.0.6
Fix release date: 17 June 2025     
Last modified: 17 June 2025     
Status: Superseded     

Download Fix pack 25.0.0.6
 
Open Liberty fixes:
Issue/PRDescription
30725Improve webContainer metatype descriptions to include equivalent WebSphere traditional custom property names
30916CWWKO0801E not tracked when SSL handshake failure is caught from Read Callback
31015Update faces-4.0 to MyFaces 4.0.3
31263Plugin Config generation caching issues
31492Fix AUTOCOMPLETE_OFF_VIEW_STATE Logging in jsf-2.3 and faces-4.0
31501RestfulWS ClientBuilder.keyStore() and ClientBuilder.trustStore() methods are prioritized behind Liberty's SSL config
31549NullPointerException in MCWrapper.getConnection when aborted connection is reused
31561Fault Tolerence causes a crash when used on an EJB
31605NullPointerExeption Cannot invoke "org.osgi.resource.Capability.getResource()" because "currentCandidate" is null
 
 

Fix pack 25.0.0.5
Fix release date: 20 May 2025     
Last modified: 20 May 2025     
Status: Superseded     

Download Fix pack 25.0.0.5
 
 
Fixes:
APARSecurity APARDescription
PH66379 Not able to config Liberty 25.0.0.3 + Java 21 with FIPS 140-2
 
Open Liberty fixes:
Issue/PRDescription
30545Update the jsf-2.3 feature to MyFaces 2.3.11
30871Enhance the behaviour of ignoreWriteAfterCommit property to more closely mimic tWAS behaviour
31057"CWMOT5100I" emitted for MicroProfile Telemetry for /health and /metrics even with "OTEL_SDK_DISABLED=true" set
31167Lookup of a subcontext fails for ejblocal namespace
31205Unclear how to correctly configure library element's folder and path
31228Update SmallRye OpenAPI to 4.0.9
31231Listing the transaction objects in jndi results in NameClassPair with empty names and implementation class names
31247WLP version 25.0.0.3 start up intermittently fails with AuthCacheImpl NPE
31347[PH66379] Not able to config Liberty 25.0.0.3 + Java 21 with FIPS 140-2
 

  Back to top 

 

Fix pack 25.0.0.4
Fix release date: 22 April 2025     
Last modified: 22 April 2025     
Status: Superseded     

Download Fix pack 25.0.0.4
 
 
Fixes:
APARSecurity APARDescription
PH65394IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Apache CXF (CVE-2025-23184 CVSS 7.5)
PH65529IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Netty (CVE-2025-25193 CVSS 5.5)
 
Open Liberty fixes:
Issue/PRDescription
30320Design Issue Including Directories Outside of WLP Root
31007Server-started message displayed when server failed to start
31089Update to MyFaces 4.0.3
31105AES password encryption generated on and after 25.0.0.2 does not work on previous Liberty versions
 
 

Fix pack 25.0.0.3
Fix release date: 25 March 2025     
Last modified: 25 March 2025     
Status: Superseded     

Download Fix pack 25.0.0.3
 
 
Enhancements:
TitleIdea
Support FIPS 140-3 in Liberty with IBM JDK 8139
 
Fixes:
APARSecurity APARDescription
PH65108 UnknownHostException causes loop in RESTMBeanServerConnection.java
 
Open Liberty fixes:
Issue/PRDescription
30598`enable-directory-browsing="true"` does not work with EE10 and later
30711[PH65108] UnknownHostException causes loop in RESTMBeanServerConnection.java
30757Liberty Closes the Persistent Connection in error state
30758JMX client doesn't fully consume heartbeat input stream, leaving sockets in CLOSE_WAIT state
30858otel.java.disabled.resource.providers is ignored by Liberty when creating OpenTelemetrySdk objects
30861JSPErrorReport unexpected tag 15 in SDEInstaller
30890Enterprise bean arguments not provided to JACC / Jakarta Authorization PolicyContext handler
30959NullPointerException can happen when starting mpOpenAPI features
 

  Back to top

 

Fix pack 25.0.0.2
Fix release date: 25 February 2025     
Last modified: 25 February 2025     
Status: Superseded     

Download Fix pack 25.0.0.2
 
 
Enhancements:
Fixes:
APARSecurity APARDescription
PH64741IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Netty (CVE-2024-47535 CVSS 5.5)
 
Open Liberty fixes:
Issue/PRDescription
30303MP OpenAPI 4.0 NPE during validation
30371HTTP AccessLogging prevents CICS JVM from terminating
30514OpenAPI 3.1 properties included when OpenAPI 3.0 output is configured
30529Possible bug in Open Liberty java.io.FileNotFoundException JAR entry com/jcraft/jsch/jce/SignatureEdDSA.class not found after upgrading to Java 17 and Open Liberty 24.0.0.12
30533Incorrect recursive substitution checking of 'ExtendedDocumentRoot.jspAttributes'
30567HTTP Stat should not resolve HTTP route for requests that end with 4xx respone code
30605Typo in metatype description of soLinger attribute
30674IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Netty (CVE-2024-47535 CVSS 5.5)
30683Remove javaee-6.0 platform from j2eeManagement versionless feature
 
 

Fix pack 25.0.0.1
Fix release date: 28 January 2025     
Last modified: 28 January 2025     
Status: Superseded     

Download Fix pack 25.0.0.1
 
 
Enhancements:
TitleIdea

Reduce size of SMF 120-11 user data when only one instance is present

20

Add option to process war manifest class path like WebSphere

112
 
Fixes:
APARSecurity APARDescription
PH63238 MYFACES-4679 - Ajax events can trigger actions unintentionally
PH64427 Rolling back a Liberty fix pack using the IBM Installation Manager GUI results in all Liberty features being removed
 
Open Liberty fixes:
Issue/PRDescription
28266Investigate possible memory leak in sipcontainer
28889Invalid multipart content with empty stream regression
29648Fix MYFACES-4679
29946Update Expression Language 5.0 API and IMPL version 10.1.31
30245Lease log creation may fail when configured for peer recovery
30258MP Telemetry does not provide the `io.opentelemetry.api.baggage.propagation` package
30341UpgradeHandler fails to notify the application of the initial data
30363Failed to install versionless features with JEE10 and MP7 plafforms
30383Connectionpool Metrics do not repopulate when restarting an application for all MP Metric features (that support monitor metrics)
30399CNTR0020E caused by java.lang.NoClassDefFoundError com/ibm/ejs/container/util/ExceptionUtil
30414Port MYFACES-4117 (No default name for @FacesComponent with createTag=true and no tagName)
 
 

Fix pack 24.0.0.12
Fix release date: 3 December 2024     
Last modified: 3 December 2024     
Status: Superseded     

Download Fix pack 24.0.0.12
 
 
Enhancements:
TitleIdea
Open Liberty will retain configurations when server.xml is unintentionally deleted, as deleting this file currently triggers the removal of all configurations113
 
Fixes:
APARSecurity APARDescription
PH62444 Delay Aiocb address release
PH63673IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094 CVSS 5.3)
PH63904 OLGH29988 Classloader issue when @Context injecting implementation provided by the application
PH64154 OLGH30194 RestfulWS ClientBuilder.keyStore() and ClientBuilder.trustStore() methods are ignored in EE9+
PH63185 Webcontainer exceptions are emitted with FFDCS as of 24.0.0.9 with monitor-1.0
 
Open Liberty fixes:
Issue/PRDescription
28987Introduces a configuration attribute to allow checked exceptions from @Transactional interceptors
29693Liberty server hang during shutdown with struck thread in transaction recovery
29802Fixes broken Gitter and outdated Twitter links in the Open Liberty default page
29868FeatureManager fail when installing versionless features from server.xml, leading to a NullPointerException
29903Misleading metatype descriptions where child elements of headers were incorrectly labeled as attributes
29915Changes to partitionedCookie in webAppSecurity were not being audited in logs
29988Classloader issue when @Context injecting implementation provided by the application
30018featureUtility does not connect to proxy when set with environment variable
30027Adjusts AuthUtil to handle cases where trailing whitespace is missing in the Authorization header
30194RestfulWS ClientBuilder.keyStore() and ClientBuilder.trustStore() methods are ignored in EE9+
 
 

Fix pack 24.0.0.11
Fix release date: 5 November 2024     
Last modified: 5 November 2024     
Status: Superseded     

Download Fix pack 24.0.0.11
 
Fixes:
APARSecurity APARDescription
PH63505 OLGH29711 setServerStarted method throws exception in ThreadPoolController.startupCompleted()
PH63533IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google Protocol Buffers (CVE-2024-7254 CVSS 7.5)
 
Open Liberty fixes:
Issue/PRDescription
27487com.ibm.ws.microprofile.metrics.tck.launcher.MetricsClassLoaderTest_10.testClassLoaderUnloads
29711setServerStarted method throws exception in ThreadPoolController.startupCompleted()
29730Provide option to dynamically enable/disable CXF GZIP interceptors for JAX-WS clients
29788TCCL is different in CDI extension constructor and Observer methods
29800restConnector.py README incorrectly instructions on configuration of JYTHONPATH
29822HTTP Metrics are creating new metrics (i.e., routes HTTP routes) for each explicit http request made by JSF / Jakarta Faces
 
 

Fix pack 24.0.0.10
Fix release date: 8 October 2024     
Last modified: 8 October 2024     
Status: Superseded     

Download Fix pack 24.0.0.10
 
Fixes:
APARSecurity APARDescription
PH62271 OLGH29055 Fix Part#Write Location for Abolsute FileName Paths
PH63066 OLGH29556 Resource Leakage File Handlers to tranlog directory
PH63185 FFDCS are now occurring with Webcontainer exceptions as of 24.0.0.9
 
Open Liberty fixes:
Issue/PRDescription
28609Deadlock occurs when system runs out of memory and both System Err and System Out streams are in use at the same time
29055Fix Part#Write Location for Abolsute FileName Paths
29477Trailer fields are missing in HttpServletResponse after some time
29555weld 5.1.1.SP1 has a memory leak and should be updated to (at least) 5.1.1.SP2
29556Resource Leakage File Handlers to tranlog directory
29584Webcontainer exceptions are emitted with FFDCS as of 24.0.0.9 with monitor-1.0
29591Using the mpTelemetry-1.1 feature in a z/OS Connect server on Zos leads to FFDCs
 

 Back to top

 

Fix pack 24.0.0.9
Fix release date: 10 September 2024     
Last modified: 10 September 2024     
Status: Superseded     

Download Fix pack 24.0.0.9
 
Fixes:
APARSecurity APARDescription
PH58796IBM WebSphere Application Server Liberty is vulnerable to information disclosure (CVE-2023-50314 CVSS 5.3)
PH62686 OLGH29127 WS-AT fails when downstream runtime is non-Liberty
PH62693 Provide better error when user try to deploy server package using invalid extension
PH62695 OLGH29124 JAX-RS Dynamic Outbound SSL Regression
 
Open Liberty fixes:
Issue/PRDescription
29447Cannot reflect on an injected ServletContext
26171@Transactional may throw a checked exception which is not allowed according to the interceptor specification #26171
26886java.lang.IllegalStateException Subject is read-only from WebAppFilterManager.invokeFilters
29037StackOverflowError when tracing restfulWs-3.1
29124[PH62695] jaxrs Regression by #27782
29127[PH62686] WS-AT fails when downstream server is non-Liberty
29221openid connect client feature fails SRVE0216E post body contains less bytes than specified by content-length
29277CDI does not set the TCCL during shutdown
29288Update WadlGenerator to explicitly only return the stylesheet
29306App fails to start with NPE when restore/deploy to OCP a checkpoint app image with authCache
29381org.omg.CORBA.BAD_PARAM when Yoko trace is enabled
29432OpenLiberty Database Session Replication - org.jboss.weld.module.web.HttpSessionBean$SerializableProxy - ClassNotFoundException
 

Fix pack 24.0.0.8
Fix release date: 14 August 2024     
Last modified: 14 August 2024     
Status: Superseded     

Download Fix pack 24.0.0.8
 
Enhancements:
TitleIdea
Error code and error message serviceability improvement for DeploymentAPI 
Use the Audit 2.0 feature to avoid generating unnecessary REST Handler records106
 
Fixes:
APARSecurity APARDescription
PH62107 Return HTTP 405 for non-post to collective maintenance mode APIs
PH62445 Error code and error message serviceability improvement for DeploymentAPI
PH60644 Add support for CICS 6.1 in WebSphere Optimized local Adapters for Websphere Liberty
 
Open Liberty fixes:
Issue/PRDescription
25704Support versionless Jakarta EE/MicroProfile features
27598Faces 4.0 Fix WebSocketTests so that "onerror listener" occurs
28658Enhance saml websso cookie handling
28698MYFACES-4672 Ajax MultiPart File Upload Encounters 'Uncaught TypeError G.hasKey is not a function'
28961JAX-WS Client does not Auto redirect when connecting to a WSDL URL
29083Port MYFACES-4423 to Liberty (oam.Flash.REDIRECT should not be set when Flash is disabled)
29086JWK parsing does not tolerate leading whitespace
29144Cannot make JAX-WS request for gzip Content-Encoding
29165Platform OpenAPI endpoints don't set security headers
 
 

Fix pack 24.0.0.7
Fix release date: 16 July 2024     
Last modified: 16 July 2024     
Status: Superseded     

Download Fix pack 24.0.0.7
 
Fixes:
APARSecurity APARDescription
PH61509 OLGH28877 Memory leak in JAXRSClientConfigHolder
 
Open Liberty fixes:
Issue/PRDescription
28155Deliver Oracle 23 support
28855OpenTelemetry does not filter out arquillian-liberty-support
28521XML Binding 4.0 Remove RI from TCCL and add new feature tests
28515Warning "Validation not enabled for module" when persistenceContainer-3.1beanValidation-3.0
28615Regression with jaxb / WADL2java
28652FFDC for index out of bounds in web container, WebApp.handleRequest()
28716Admin Center Server Config tool does not work to save changes using source view
28814In an edge case OpenTelemetry does not honour the priority of mpConfig ConfigSources
28877Memory leak in JAXRSClientConfigHolder

  Back to top

 

Fix pack 24.0.0.6
Fix release date: 18 June 2024     
Last modified: 18 June 2024     
Status: Superseded     

Download Fix pack 24.0.0.6
 
Serviceability Enhancements:
Title
Updates have been made to better handle the scenario where an exception occurs when the server is stopped while asynchronous tasks are running and also to avoid the NullPointerException. A more meaningful message will now be logged in this scenario
 
Fixes:
APARSecurity APARDescription
PH59682IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354 CVSS 7.0)
PH61042 PH59682 regressed the tag in pages-3.0 and productInfo -validate fails
PH61110 APIDiscovery delay processing if aggregator not yet active
 
Open Liberty fixes:
Issue/PRDescription
28414Classloading issue involving JAXBContext and JAXBContextFactory with webProfile-10.0
27858JspOption jdkSourceLevel Disabled Unintentionally
28118Port MYFACES-4658
28235Enabling openidConnectClient feature causes the body request not to be forwarded to the application's servlet (starting from WLP 24.0.0.3)
28280If an application fails to start when doing a checkpoint the checkpoint still succeeds
28350J2CA0081E Method destroy failed occurs during server shutdown
28421Bump netty dependencies to 4.1.109.Final
28431Generate Set-Cookie from the SessionCookieConfig may not include additional attributes
28459GRPC connections hang with security enabled
28475Environment variables not available during service startup within Kubernetes/OpenShift
28479Invalid JASPIC warning CWWKS1652A in log when AuthResult.SEND_SUCCESS is received from the JASPIC provider
28493restfulWS-3.1 Headers with multiple values in a multipart (EntityPart) object held are held in a List of size 1
28552NoClassDefFoundError org/apache/commons/io/input/NullInputStream when using collectives file transfer
28521XML Binding 4.0: Remove RI from TCCL
 

Fix pack 24.0.0.5
Fix release date: 21 May 2024     
Last modified: 21 May 2024     
Status: Superseded     

Download Fix pack 24.0.0.5
 
Serviceability Enhancements:
Title
The JPA Container has been updated to improve handling of syntax errors parsing JPQL during server start by implementing a retry mechanism and logging additional diagnostics
 
Fixes:
APARSecurity APARDescription
PH59146IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-22353 CVSS 5.9)
PH59781IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service (CVE-2024-25026 CVSS 5.9)
PH60146IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-27268 CVSS 5.9)
 
Open Liberty fixes:
Issue/PRDescription
28101FeatureUtility prints warning when user repositories doesn't have authentication
28125Incompatibility reported between sipServlet-1.1 and WebSockets
28152FeatureUtility custom repository connection issue
28160CWWKE0701E bundle com.ibm.ws.ssl ... The activate method has thrown an exception java.lang.ExceptionInInitializerError
28248Overflowing the usecount of the OSGi service
28285JPQLException Syntax error parsing
28344SSO should not use application/json on request to JWK
 

Fix pack 24.0.0.4
Fix release date: 23 April 2024     
Last modified: 23 April 2024     
Status: Superseded     

Download Fix pack 24.0.0.4
 
Fixes:
APARSecurity APARDescription
PH59117IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to server-side request forgery (CVE-2024-22329 CVSS 4.3)
PH60149IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting (CVE-2024-27270 CVSS 4.7)
PH60199IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to jose4j (CVE-2023-51775 CVSS 7.5)
PH60642 Updates to API Discovery Swagger UI
PH60644 Add Support for CICS 6.1 in WebSphere Optimized local adapters for WebSphere Liberty
PH60659 OLGH27886: NullPointerException can occur in Kernel ClassLoader
 
Open Liberty fixes:
Issue/PRDescription
28083Server does not start with space in file path
24925UUID not working as GeneratedValue Id in some cases
26771Websocket Out of Memory Leak caused by Expired Sessions
27620Invalid encoded request URI should return 400 instead of 500
27778The server start command resolves symbolic links incorrectly on z/OS 3.1
27779StackOverFlow in JSP Caused by Recurisve JspContextWrapper#include call
27833JAX-RS and RestfulWS monitor bundles' filters are still creating objects when REST is filtered out of monitor-1.0
27886NullPointerException can occur in Kernel ClassLoader
27900NullPointerException may occur for HTTPs requests to WebContainer
27971WLP_INSTALL_DIR set incorrectly when wlp/bin is a symbolic link
 

Fix pack 24.0.0.3
Fix release date: 26 March 2024     
Last modified: 26 March 2024     
Status: Superseded     

Download Fix pack 24.0.0.3
 
Enhancements:
 
Fixes:
APARSecurity APARDescription
PH59660 BBOA1CNG RC:12, RSN:256 when starting more than 58 Liberty servers using WOLA
PH59903 Modify command to list ANGEL processes get ABEND0C4
PH60113IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-50312 CVSS 5.3)
PH60182 Liberty 23.0.0.6 connect via WOLA failing if IMS DBCTL enabled
 
Open Liberty fixes:
Issue/PRDescription
18105Implement OpenID Connect Back-Channel Logout 1.0
23607Enable verbose garbage collection by default on IBM Java/Semeru
26195mpHealth-2.2 responds with a status UP briefly during startup
26590Latest gRPC code levels and the IBM gRPC Servlet code are no longer an exact fit for flushes
27077FeatureUtility returns 403 if repo pwd is encoded
27218cfw performance update
27652Windows server command doesn't handle space in path unless JAVA_HOME set
27659CWWKS9590W warning message shows up with some newer ciphers are configured
27667Fix for CWWKS9590W Warning
27135SessionCache does not work after upgrading to 23.0.0.10
27715Job can not be purged when using the Java batch In-Memory Persistence
27716runAsServer before signing/verifying jws and encrypting/decrypting jwe
27777Parameters are not replaced in error message CWMMH0050E in french language

  Back to top

 

Fix pack 24.0.0.2
Fix release date: 27 February 2024     
Last modified: 27 February 2024     
Status: Superseded     

Download Fix pack 24.0.0.2
 
Fixes:
APARSecurity APARDescription
PH59680 Liberty server using ZOSLOCALADAPTERS-1.0 does not shut down after outofmemory error with ZOSAIO disabled
 
Open Liberty fixes:
Issue/PRDescription
26680io.openliberty.cdi.4.0.internal.services.fragment bundle cannot resolve dynamically against the host bundle
26939Delete lease when peer recovery is unnecessary
27290[JPA 2.2] EclipseLink Deliver Issue #1981
27294Memory leak in CXF caused by large number of PidInfo objects
27396Handling of locked Transaction Log Lease Table needs improvment
27398Server start fails on OS/400
27421Resource adapter install fails due to ArrayIndexOutOfBoundsException
27588EclipseLink for JPA 3.1 may encounter IllegalArgumentException Unsupported api 0

 Back to top

 

Fix pack 24.0.0.1
Fix release date: 30 January 2024     
Last modified: 30 January 2024     
Status: Superseded     

Download Fix pack 24.0.0.1
 
Fixes:
APARSecurity APARDescription
PH55398 OLGH26221 Port MYFACES-4606 (Issuing Element Not Found in Request Parameter Map for Ajax Requests) to Liberty
 
Open Liberty fixes:
Issue/PRDescription
25135jakarta.el.ELException The class [...] must be public, in an exported package, non-abstract and not an interface
26342ReactiveMessaging "CDI container is not available"
26831Bad value in ApplicationManager config cause ApplicationManager service to fail
26832Server should be able to reclaim its recovery logs on startup
26844Deadlock reported in sipcontainer when proxybranch times out
27008[PH55398] [OLGH26221] Port MYFACES-4606 (updated fix)
27062CWWKC1101E IllegalStateException CWWKC1013E Unable to start task null because the component in application WEB that submitted it is unavailable
27080Liberty SAML SP fails to generate response to the IdP initiated logout request
27093mpMetrics-5.0 Feature Returns Response in ISO-8859-1 Instead of UTF-8 when Accessing /metrics Endpoint
27159Upgrade Jackson 1.6.2 Dependency
27191On z/OS server start from the bin directory fails
27204Slow performance in DirectoryRepositoryClient
27208Date format in log files includes an extra trailing space character with Java versions 20 or later
27249PasswordUtil throws NullPointerException on certain input

 Back to top

 

Fix pack 23.0.0.12
Fix release date: 12 December 2023     
Last modified: 12 December 2023     
Status: Superseded     

Download Fix pack 23.0.0.12
 
Fixes:
APARSecurity APARDescription
PH57336 zosConnect failure in its XML or JSON parser
PH57878IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-44487 CVSS 7.5)
PH57933IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache Santuario (CVE-2023-44483 CVSS 6.5)
 
Open Liberty fixes:
Issue/PRDescription
25467A better error for the NullPointer we get if WithSpan is on the class level
26655OpenAPI UI required fields have an extra character
26722Microprofile Rest Client (CDI) mpConfig property "proxyAddress" not respected
26809Lease timestamp not updated for home server when recoveryGroups and tran logs in a database is configured and database outage > couple of seconds occurs
26818Processing dir files alphabetically does not match configDropins behavior
26846JAX-WS After upgrade to WLP 23.0.0.9 SOAP client generates a SOAP header part in the SOAP body
26893Space in value of -D option in jvm.options breaks server package command
26911Registered RestClientBuilderListeners are not called for injected rest client instances for MP Rest Client 1.x and 2.x
26942Liberty startup script does not resolve symbolic link to bin directory
26943NO_USER_REGISTRY message is not output properly
 

Fix pack 23.0.0.11
Fix release date: 14 November 2023     
Last modified: 14 November 2023     
Status: Superseded     

Download Fix pack 23.0.0.11
 
Fixes:
APARSecurity APARDescription
PH57110 Remove products with pid value of UNKNOWN
PH57261 [OLGH26375] Update the shared class cache URL used for non jar / zip files
PH57579IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-46158 CVSS 4.9)
 
Open Liberty fixes:
Issue/PRDescription
25786Update to latest Expression Language 5.0 - 10.1.11
25962Deadlock reported in sipcontainer when cancelling session in proxy mode
26332Websocket Null Argument to OnMessage After DecodeException
26375Stale class content used after updating application archives
26390Port MYFACES-4628
26419StackOverflowError when tracing jaxrs-2.0
26596Memory Leak in com.ibm.ws.request.interrupt.internal.InterruptibleThreadInfrastructureImpl
26609CDI will not create an EJBDescriptor for archive containing bean-discovery-mode=none
26636JAX-WS: @WebFault annotated Exceptions are not properly serialized as SOAPFaults on 22.0.0.8 and above
26683Component metadata is not present during CDI Startup events
 

Fix pack 23.0.0.10
Fix release date: 17 October 2023     
Last modified: 17 October 2023     
Status: Superseded     

Download Fix pack 23.0.0.10
 
Fixes:
APARSecurity APARDescription
PH55995 [OLGH26267] Login or Authentication may fail on Z/os when using the IBMJCEHYBRID provider
PH56266 [OLGH25997] Correction fix to PH42468 to remove delay in closing connection in Websocket application
PH56959 Null Pointer Exception when defining empty routing rule
PH57076 [OLGH26341] Failure at server startup of bundle COM.IBM.WS.SECURITY.TOKEN.LTPA
PH57263 [OLGH26357] Springboot 3 thin utility may cause NOCLASSDEFFOUND error
 
Open Liberty fixes:
Issue/PRDescription
11453Potential leak caused by JSTL tags
25759Enable user to set CXF's useHttpsURLConnectionDefaultSslSocketFactory property for outbound JAX-RS Client Requests
25640WithSpanInterceptor doesn't call instrumentation.end()
25781Liberty cannot be immediately restarted after stopping with localConnector-1.0 feature on Windows with hotspot
25855When two apps are configured with the same context root, neither is reachable
25997Websocket close delay
26023Liberty 23.0.0.9 - 6% Performance Throughput Regression on MicroProfile 6 OpenAPI scenario
26054CDI can throw NullPointerException if application startup fails
26076Thread safety issues in com.ibm.ws.jaxrs20.cdi.component.ThreadBasedHashMap may cause problems under load
26158Telemetry-1.0 Disabled warning message
26171@Transactional may throw a checked exception which is not allowed according to the interceptor specification
26216Port MYFACES-4606
26221Port MYFACES-4606 (Issuing Element Not Found in Request Parameter Map for Ajax Requests) to Liberty
26306Fix Documentation for Supported Java versions
2634123.0.0.9 CWWKE0701E bundle com.ibm.ws.security.token.ltpa failure at server startup
26437Packaging Springboot 3 application embedded with Open Liberty does not work

Back to top

 

Fix pack 23.0.0.9
Fix release date: 19 September 2023     
Last modified: 19 September 2023     
Status: Superseded     

Download Fix pack 23.0.0.9
 
Fixes:
APARSecurity APARDescription
PH56334 Collective replica communication issue when using OpenJDK
 
Open Liberty fixes:
Issue/PRDescription
22358Update Social Login redirection processing
23732startWinService & stopWinService default timeouts in server.bat script too short
25291Return 400 status for invalid URI
25743The shutdown order between CDI and EJB is not enforced
25759Enable user to set CXF's useHttpsURLConnectionDefaultSslSocketFactory property for outbound JAX-RS Client Requests
25782Calling stop on an already stopped server hangs for 30 seconds and then reports an error on WSL
25834OpenLiberty 23.0.0.7 with webProfile-8.0 logs messages saying it requires annotations in the jakarta.annotation namespace
25866Unexpected end of file from server
25927CWWKS1706E + CWWKS1739E errors occurs when minimal jwks data is provided by Identity Provider
25932Absolute file paths fail with the file transfer API when running under servlet 6
25958sed command in server script returning incorrect value on Solaris
25978The SPI for registering CDI extensions and Beans will scan the entire archive without an extension

  Back to top

 

Fix pack 23.0.0.8
Fix release date: 22 August 2023     
Last modified: 22 August 2023     
Status: Superseded     

Download Fix pack 23.0.0.8
 
Enhancements:
Title
Use OIDC Connect with the strongest flow for web applications using the Authcode with PKCE
 
Fixes:
APARSecurity APARDescription
PH55940 Correction fix to PH53171
PH56004IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737 CVSS 5.9)
PH56052 A bundle in an OSGi application with the following manifest header will fail to start
PH56063 OSGi applications compiled to Java 17 may fail to start
 
Open Liberty fixes:
Issue/PRDescription
25193Two inaccurate descriptions and one formatting problem in openidConnectProvider
25580Non-daemon Liberty Timer threads preventing JVM shutdown in CICS (Java 17)
25632MYFACES-4512
25646Semicolon inside text parameter in Reason header will result in the sipcontainer dropping the request
25693MYFACES-4611
25700Potential memory leak in Liberty version of org.jboss.resteasy.plugins.server.servlet.ServletUtil
25712NullPointerException when using app-defined javamodule data source for JPA
25804Unable to make field private final int sun.nio.ch.SocketChannelImpl.fdVal accessible when using Java 17
 

Fix pack 23.0.0.7
Fix release date: 25 July 2023     
Last modified: 25 July 2023     
Status: Recommended     

Download Fix pack 23.0.0.7
 
 
Fixes:
APARSecurity APARDescription
PH55130 Collective replica set is not able to communicate each other on AIX and IBM JDK8
PH55181 z/OS data is incorrectly collected for products with an UNKNOWN product ID
PH55442 Update REST API Discovery UI dependencies
 
Open Liberty fixes:
Issue/PRDescription
19861Concurrency errors when using same JWT access token for inbound propagation
21501Update the jsf-2.3 feature to MyFaces 2.3.10
21502Update the faces-3.0 feature to MyFaces 3.0.2
25111MYFACES-4469 IllegalArgumentException occurs in occurs in FacesConfigurator.purgeConfiguration
25354Update faces-4.0 to MyFaces 4.0.1
25368GlobalOpenTelemetry is missing public methods
25429WithSpan anotation does not work when name or kind is set
25457Local host/port and remote host/port are reversed in message CWWKO0801
25479Unable to make field long java.nio.Buffer.address accessible when using Java 17

   Back to top

 

Fix pack 23.0.0.6
Fix release date: 27 June 2023     
Last modified: 27 June 2023     
Status: Superseded     

Download Fix pack 23.0.0.6
 
Fixes:
APARSecurity APARDescription
PH53192 The /api/explorer URL from openapi-3.0 does not return the Content-Security-Policy header
PH54214 WOLA does not recognize IMS regions they are invoked with LOCKMAX=## specified
PH54373IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867 CVSS 7.5)
PH54810 Liberty on z/OS ECSA storage used by server resmgr are not being released when server stops
PH55317 

wmqMessagingClient-3.0 feature throws java.lang.ClassNotFoundException

 
Open Liberty fixes:
Issue/PRDescription
23838Invalidating a transaction user can lead to deadlocks in sipcontainer
23938ExpirationTimer can cause deadlocks in proxy mode
23950[JPA 2.2] EclipseLink Deliver Issue #1779
24752Update Expression Language 5.0 to latest 10.1.8 version
24981server version command ignores JAVA_HOME set in server's server.env
25017Posting Form-Data with the new Jakarta EE 10 Multipart Support fails
25046Liberty accesses readonly subject
25168transport close timing issue when streams are closing and a close/goaway frame comes in
25210DnsContextFactory not accessible in java 17
25212Transaction Manager configuration options shutdownOnLogFailure, logRetryInterval and logRetryLimit should be published
25283JSF Container's Application.getWrapped returns null
25316Exception when doing trace statement bubbles up to the application
25351OIDC check_session_iframe does not parse origin correctly when path is included in referer
25352org.omg.CORBA.DATA_CONVERSION illegal char value for string
25402Messaging secure CommsOutboundChain may be started with wrong sslOptions
 

Fix pack 23.0.0.5
Fix release date: 30 May 2023     
Last modified: 30 May 2023     
Status: Superseded     

Download Fix pack 23.0.0.5
 
Fixes:
APARSecurity APARDescription
PH53475 [OLGH24864] FRAME_SIZE_ERROR is generated when both http/2 and compression are used
PH54050 [OLGH25097] UI ADMINCENTER correction
PH54100 Use unauth service if auth service product registration fails
PH54173 Add Java 11 check to cacheDirPerm supported check
 
Open Liberty fixes:
Issue/PRDescription
24577Static fields leaked on application restarts
24599[JPA 3.0] EclipseLink Deliver Issue #1823
24751Update Expression Language 4.0 to the latest 10.0.27 version
24864HTTP/2 max frame size exceeded when compression is used
24939`requestTiming-1.0` causes elevated (or spiking) CPU performance due to the `SlowRequestManager`
24948OIDC RP-initiated logout end_session should verify the id_token_hint issuer
24986SSLHandshakeException occurs while closing HTTPConduit
25008NullPointerExcetion or ArrayIndexOutOfBoundsException in SearchBridge when using custom input/output configuration
25010EntryNotFoundException thrown in federated registries when using custom input/output configuration
25097Update adminCenter
25152Request Timing metrics not showing up with `mpMetrics-5.0` (when used with `requestTiming-1.0` feature
25169295651: Concurrent persistent failover timers - server not releasing claim on scheduled task when unable to run it
 

Fix pack 23.0.0.4
Fix release date: 2 May 2023     
Last modified: 2 May 2023     
Status: Superseded     

Download Fix pack 23.0.0.4
 
Fixes:
APARSecurity APARDescription
PH50863IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998 CVSS 7.5)
PH52912 CWWKO1100E: The ScheduledExecutorService OSGi service is not available
PH53883IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482 CVSS 5.3)
 
Open Liberty fixes:
Issue/PRDescription
24585Insufficient Infinispan cache creation for Liberty httpSessionCache
24004Allow more output to response following exception in forward based on wc parm
24323SIPcontainer should stop parsing non-utf8 characters when acceptNonUtf8Bytes is set to false
24469Java 11 NoSuchAlgorithmException SHA1PRNG when FIPS enabled TS012071744
24565RegistryHelper.getUserRegistry throws an IllegalStateException if no user registries are present
24578Application can't recover from exceptions thrown during startup
24598[JPA 2.1] EclipseLink Deliver Issue #1823
24683Port MYFACES-4594
24730Cleanup non-daemon threads at the server shutdown
24793JSP Options to pick up web-ext jsp-attribute values on start up (honor disableTldSearch to improve app start up time)
24804Encrypted value for internalClientSecret within oauthProvider does not work
24915Server hangs at startup when enabling trace specification com.ibm.ws.*=all
24938SOAP 1.1 Web service request to SOAP 1. Provider acting as gateway fails when wsAtomicTransaction feature is enabled
24955PH53918 UnsupportedOperationException is thrown after upgrading to 22.0.0.10 or later
24958Configurable option for FileUpload
 

Fix pack 23.0.0.3
Fix release date: 4 April 2023     
Last modified: 4 April 2023     
Status: Superseded     

Download Fix pack 23.0.0.3
 
Fixes:
APARSecurity APARDescription
PH52888 NullPointerException in Singleton EJBs as JAX-RS sub resources
PH53171 Fix Collection replica communication problem on AIX and IBM Semeru
 
Open Liberty fixes:
Issue/PRDescription
24092Aborted managed connections invoking endRequest and end are causing problems in JDBC driver code
24223Monitor-1.0 returns strange values for standard deviation
24444JAX-RS NPE in Singleton EJB Sub Resource
24462Cleanup any asyncServlet non-daemon threads at the server shutdown
24465JDBC DB2 values for queryDataSize need to be updated
24543OIDC client issue in cluster environment, starting 22.0.0.10 version
24566AcmeCA feature with revocation enabled can fail to initialize on certain OS and JDK combinations
24584pluginUtility merge action generates incorrect output for some inputs
24585Insufficient Infinispan cache creation for Liberty httpSessionCache
24631Fix ClassCastException during the de-serialization of CDI Injected Event
24651Liberty Server hangs randomly

Back to top

 

Fix pack 23.0.0.2
Fix release date: 7 March 2023     
Last modified: 7 March 2023     
Status: Superseded     

Download Fix pack 23.0.0.2
 
 Enhancements:
IdeaDescription
LIBERTY-I-40Add timeout option to server stop command
TWAS-I-43Admin Center support for datasource configuration validation
 
Fixes:
APARSecurity APARDescription
PH52074 [OLGH24157] Validate header names
PH52079IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787 CVSS 5.5)
PH52095IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364 CVSS 9.8)
PH52167 [OLGH24077] DoNotAllowDuplicateSetCookie property not working
PH52364 Check file existence before delete
PH52713 Feature resolver may pick multiple versions of the same singleton feature
 
Open Liberty fixes:
Issue/PRDescription
16007Runtime injection of detailed method trace fails for a CDI bean
23410UnrecoverableKeyException occurs when using WS-Security Callback handler on Liberty 22.0.0.9
23676Transaction manager unavailable when stopping resource adapters during server shutdown
23954The authCache->cacheRef and webAppSecurity->loggedOutCookieCacheRef server configuration elements are not included in the documentation
23976Add option to support old format of start-info in multipart/related SOAP messages
24001Fix configuration attribute name used in CWWKS1738E message
24007server dump command fails in WL on IBM i
24047Memory in com.ibm.ws.wsat.service.WebClient when creating thread context class loaders
24048Possible performance issue in com.ibm.ws.wsat.service.impl.WebClientImpl
24056Batch-2.1 feature content is active even when configuring batch-1.0 or 2.0
24077DoNotAllowDuplicateSetCookies http channel config option is not working
24155Memory leak in JaxRsFactoryImplicitBeanCDICustomizer
24157Validate HTTP header names
24293Scheduled Futures leak resources from Managed Executor Services on application stop
24371Server fails to start due to conflict on servlet feature

Back to top

 

Fix pack 23.0.0.1
Fix release date: 7 February 2023     
Last modified: 7 February 2023     
Status: Superseded     

Download Fix pack 23.0.0.1
 
Fixes:
APARSecurity APARDescription
PH49341 A race condition of transaction timeout could leave an indoubt transaction at RM side
 
Open Liberty fixes:
Issue/PRDescription
22434Race condition of transaction timeout could leave an indout transaction at RM side
23273Scripts do not respect the enable_variable_expansion indicator in server.env
22786PKCE parameters not copied by oauthForm.js
23392Stopping liberty Windows service immediately after starting results in hang condition
23425A syntax error in JSP compile should consistantly output error JSPG0077E
23567decode url query string before final redirection of the originial request
23582Messaging client hangs during shutdown
23583[22.0.0.9] Unmarshaller error when Unmarshaller obtained [from pool]
23613Intermittent NPE at com.ibm.ws.security.javaeesec.cdi.extensions.HttpAuthenticationMechanismsTracker.getAuthMechs(HttpAuthenticationMechanismsTracker.java202)
23690JTOpen Toolbox driver 11.1 JDBC connections fail from Open Liberty to IBM i
23748CDI Shared Library bean visibility problems
23771IndexOutOfBoundsException can occur during a resource outage.
23782JDBCDriverService; issue with Boolean parameters
23883Default keystore file not getting detected on file monitoring
23885Use mininum jdkSourceLevel of 1.8 for JDK 20+
 

Fix pack 22.0.0.13
Fix release date: 20 December 2022     
Last modified: 20 December 2022     
Status: Superseded     

Download Fix pack 22.0.0.13
 
 
APARSecurity APARDescription
PH49482 HttpSession options issue
PH50057 Connecting a member to a Controller Replica fails
PH50342IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)
PH50815 Check for webenab products before removing product marker
 
Open Liberty Release fixes:
Issue/PRDescription
22405OidcClientImpl does not properly declare a dependency on SecurityService
22738SSLContext defined in ClientBuilder.newBuilder().sslContext(sslcontext) not preserved with restfulWS-3.0
23146JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() return incorrect version
23273Scripts do not respect the enable_variable_expansion indicator in server.env
23310Additional fixes for JSR375 (javasec) Decorator and Alternative
23326Liberty default HttpAuthenticationMechanisms do not call HttpMessageContext.responseUnauthorized
23403HTTP/2 Intermittent server quiesce failure when stream is closed with an exception
23462NullPointerException in com.ibm.ws.rsadapter.impl.DB2Helper.isAuthException
23478NullPointerException in InstallFeatureAction for .esa files
 

Fix pack 22.0.0.12
Fix release date: 22 November 2022     
Last modified: 22 November 2022     
Status: Superseded     

Download Fix pack 22.0.0.12
 
APARSecurity APARDescription
PH49719IBM WebSphere Application Server Liberty is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734 CVSS 7.5)
PH49876 zosConnect failure in XML or JSON parsing
PH50062 MDB class leak on application stop
PH50353 Updates to usage metering to set protocols and ciphers for the connection
 
Open Liberty Release fixes:
Issue/PRDescription
21808Provide a way for Custom User Registries to use the uniqueId instead of the securityName
22771In SIP headers, need to handle encoded values (%xx) while not causing error on valid Tag formats ending with %
22865Datasource changes are not propagating to JPA during dynamic config update
22909MDB class Java heap leak on application stop
22918Intermittent NPE at com.ibm.ws.security.javaeesec.cdi.extensions.HttpAuthenticationMechanismsTracker.getAuthMechs(HttpAuthenticationMechanismsTracker.java:186)
22933MP JWT 1.2 and 2.0 TCKs won't run at 22.0.0.11
22963com.ibm.ws.jpa.container.v21.cdi lacks a package-info.java file
22965Generating ssl key for FilterServer, when running FilterConfigTest takes too long
23017MP Reactive Messaging: NullPointerException during Kafka partition rebalance
23031Failed to parse Created TimeStamp in UsernameTokenValidator
23059Uses constraint violation for org.joda.time packages
23183EJB Handle deserialization fails with org.omg.CORBA.TRANSIENT: attempt to establish connection failed
23186IdentityStore validate method not getting called for BasicAuthentication request
23225IllegalStateException in dynacache when app server is stopping
23252AmbiguousResolutionException when same class is present twice and certain features are used
 

  Back to top

 

Fix pack 22.0.0.11
Fix release date: 25 October 2022     
Last modified: 25 October 2022     
Status: Superseded     

Download Fix pack 22.0.0.11
 
APARSecurity APARDescription
PH48467 java.lang.ArrayIndexOutOfBoundsException is thrown when purging data while shutting down a connection
PH48810IBM WebSphere Application Server Liberty is vulnerable to a Denial of Service due to Neko HTML (CVE-2022-24839 CVSS 7.5)
PH49305 Multiple values in request header "X-Forwarded-For" not logged
PH49341 A race condition of transaction timeout could leave an indout transaction at RM side
PH49933 Servers using Intelligent Management intermittently fail to pulbish application endpoints
 
Open Liberty Release fixes:
Issue/PRDescription
22303On z/OS running Java 11 a FFDC with caused by AttachNotSupportedException occurs when feature localConnector-1.0 is specified.
22361Cannot start Jenkins 2.346.3 with Java 17 when using AD authentication
22397MYFACES-4450: tabindex not rendered for outputLabel
22434A race condition of transaction timeout could leave an indout transaction at RM side
22584com.ibm.websphere.appserver.api.kernel.service_1.1-javadoc.zip is missing in the Liberty images
22660java.lang.ArrayIndexOutOfBoundsException when PurgeDataDuringClose=true
22688HTTP Access logging need to log multiple X-Forwarded-For headers
22721Update nekohtml version used in openid-2.0
 

Fix pack 22.0.0.10
Fix release date: 27 September 2022     
Last modified: 27 September 2022     
Status: Superseded     

Download Fix pack 22.0.0.10
 
ComponentSecurity APARAPARDescription
Channel FrameworkPH46816IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to HTTP header injection (CVE-2022-34165 CVSS 5.4)
Intelligent Management Component PH47454Error 503 returned from ODR after an application update with the war name changed while the ear file name stays the sam
Liberty z/OS PH49234Attach fails on z/OS running with Java 11 when a started task is used to start a server specifying the localConnector-1.0 feature
 
Open Liberty Release fixes :
Issue/PRDescription
20599JDBC connection not validated when numConnectionsPerThreadLocal is used
21340[JPA 2.2] EclipseLink: Deliver Issue #1245
21805Removed hideMessage logging attribute not dynamically picked
21914JobOperator.getRunningExecutions output includes job executions that aren't running
22189Missing NLS strings for allowAuthenticationFailOverToAuthMethod options
22221Session timing issue during server shutdown
22227Yoko marshals null fields incorrectly when the field is declared as a non-serializable class
22347FFDCIgnore not honored on or after 22.0.0.4
 

Fix pack 22.0.0.9
Fix release date: 30 August 2022     
Last modified: 30 August 2022     
Status: Superseded     

Download Fix pack 22.0.0.9
 
ComponentSecurity APARAPARDescription
General PH48187LTPAToken validation failure for users with space characters in the user name caused by PH47867
Intelligent Management Component PH48622DynamicRouting utility fails parsing commandline
Liberty z/OS PH48202Unpredictable results when cancelling the angel process without registered Liberty Servers first
 
Open Liberty Release fixes:
Issue/PRDescription
21126Update GSON library dependency to 2.9.0
21666java.lang.IllegalStateException: Subject is read-only from WebAppFilterManager.invokeFilters
21737Combine with MicroProfile OpenAPI: Example of date-time in Schema cannot display this format "YYYY-MM-DDTHH:mm:SSZ", will report "OrderedMap" or this "YYYY-MM-DDTHH:mm:SS.MSZ" format
21837LTPA SSO failure for certain usernames
21845featureUtility - Not decoding repository passwords when executing
21858Multiple protocols not always getting honored with the IBMJDK
21880OpenAPI 2.0+ throws error at startup
21937MP Fault Tolerance 1.x can log an FFDC when a method times out at the same time as it completes
21955Liberty does not provide exported packages for java.* packages at runtime in the OSGi framework insteance
21973Expiration fields are not compared in an LTPA Token
22012CXF property cxf.ignore.unsupported.policy is not processed correctly in Liberty 22.0.0.8
22040Invalid character warning for colon in WorkQueueManagerImplMBeanWrapper objectName
 

Fix pack 22.0.0.8
Fix release date: 2 August 2022     
Last modified: 2 August 2022     
Status: Superseded     

Download Fix pack 22.0.0.8
 
ComponentSecurity APARAPARDescription
General PH45225CICS link servers do not reconnect to a Liberty profile server after the Liberty profile server is recycled
PH45750IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777 CVSS 7.5)
 PH46073Duplicate of PH47867
PH47867IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476 CVSS 5.0)
 
Open Liberty Release fixes:
Issue/PRDescription
11959Weld does not mark org.jboss.weld.context.ConversationContext.conversations as dirty when retrieving it from session storage
20939Classpath visibility unclear -> NoClassDefFoundError: javax.cache.CacheException since 22.0.0.4 (maybe since 22.0.0.3)
20950Memory Leak with JSF's ViewScopeContextualStorage (MYFACES-4433)
21204[JPA 2.1] EclipseLink: Deliver Bug #579409
21214Server start fails when directory has spaces
21398Add additional details to `exposeWebInfOnDispatch` Server configuration description
21473ClassCastException FFDC occurs when using audit-1.0 with other features like requestTiming-1.0 or eventLogging-1.0
21526UI generated by `openapi-3.1` feature doesn't show the link specific endpoints
21601Port MYFACES-4432 to JSF 2.3 and Faces 3.0 (Resolve request object in facelets)
21615EJB persistent timers that were deferred during app start do not run when app finishes starting
21651290399-Fix umask command for IBM i in server script
21664featureUpdate downloads fail in Windows, due to #20945
21735PausableComponentException when closing message endpoints on server shutdown
21740Inactivity timeout value larger than 2147483 seconds causes immediate cache invalidation
 

Fix pack 22.0.0.7
Fix release date: 5 July 2022     
Last modified: 5 July 2022     
Status: Superseded     

Download Fix pack 22.0.0.7
 
ComponentSecurity APARAPARDescription
Virtual Member Manager (VMM) PH46082Add warning message when failed login delay is disabled
 
Open Liberty Release fixes:
Issue/PRDescription
19832OpenIdConnectClient not working with proxy settings given in jvm.options
20933FeatureUtility only checks one Maven repository
21148Transactions summary trace is missing
21441The openapi-3.1 liberty feature generates wrong property name for annotation @Schema
 

Fix pack 22.0.0.6
Fix release date: 7 June 2022     
Last modified: 7 June 2022     
Status: Superseded     

Download Fix pack 22.0.0.6
 
ComponentSecurity APARAPARDescription
Intelligent Management Component PH43910Liberty routing rules do not always respect a webserver assignment using the '*' wildcard
Liberty Administrative CenterPH45086IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393 CVSS 3.1)
SecurityPH46072IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475 CVSS 7.1)
 
Open Liberty Release fixes:
Issue/PRDescription
14425EclipseLink: Deliver Bug #567087
18844The com.ibm.websphere.logging.WsLevel class is not visible as an API
20082CWWKE0702E: Could not resolve module: com.ibm.ws.ejbcontainer.remote [852] Bundle was not resolved because of a uses constraint violation.
20908Default session meta cache name failed with RH DataGrid
20981ArrayOutOfBounds exception on z/OS with either full or JMX audit events enabled on shutdown
21004featureUtility viewSettings doesn't show repository settings
21043Bump netty dependencies to 4.1.77.Final
21050Liberty OIDC error is being returned with incorrect characters
21060Correct Service Release and Fixpack processing in JavaInfo
21079Refresh token is not cleaned up when a JWT access_token had been issued
21097Custom claims not passed to the back end
21108Admin center enhancement
 

Fix pack 22.0.0.5
Fix release date: 10 May 2022     
Last modified: 10 May 2022     
Status: Recommended     

Download Fix pack 22.0.0.5
 
ComponentSecurity APARAPARDescription
General PH42822WebSphere Liberty z/OS 20.0.0.9 java.lang.NullPointerException at com.ibm.ws.jaxrs.JAXRSRuntimeDelegate$ClassloaderReference
Liberty z/OS PH45221NPE in com.ibm.ws.zos.wlm.internal.UnauthorizedWLMNativeServices.CreateJoinWorkUnit()
 PH45329Liberty server fails to start with JVM gpf after a racroute request=auth call
 PH45749z/OS Product registration message CWWKB0108I does not contain full version
 
Open Liberty Release fixes:
Issue/PRDescription
20283Fix duplicate error messages in RESTful WS (JAXRS)
20306Bump netty dependencies to 4.1.75.Final
20476NPE when outputting SimpleTimer close to the end of a full minute.
20509JSP included jar dependency check incorrect
20522Update ExpressionLanguage 4.0 API/Impl to 10.0.18
20627schemaGen improve command line options parsing
20669Extra text found in description of connectionManager purgePolicy
20676WEBCONTAINER THREADS HUNG WHILE CLOSING WEBSOCKETS
20693Springboot application packaged with OL 22.0.0.3 failed to run
20730Deadlock in memory session and logging handler
20762Port MYFACES-4431 to JSF (Custom Navigation Handler Thows NPE during Flow Handling)
20782FeatureUtility isf does not resolve already installed user feature
20818JaxRS-Client fails performing PATCH-requests with Java17
20858localConnector problems with some combinations of jdk.attach.allowAttachSelf and com.ibm.tools.attach.enable
 

Fix pack 22.0.0.4
Fix release date: 12 April 2022     
Last modified: 12 April 2022     
Status: Superseded     

Download Fix pack 22.0.0.4
 
ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI) PH44666OpenAPI UI is missing CSS
General PH45006During server shutdown OSGi applications may log null pointer exceptions (FFDCs)
JavaServer Pages (JSP) PH44627Null Pointer Exception in JSP after 21.0.0.7 when skipMetaInfResourcesProcessing=true
Liberty Archive Install PH44289Install of z/OS Liberty interim fix fails with CRIMA1076E
Liberty Kernel PH45316Liberty packaging fixes - Ensure the proper set of features are packaged when several valid versions exist
 

Open Liberty Release fixes:         

Issue/PRDescription
18177Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP
19627MP JWT 1.2 fails to load all relevant MP Config properties
19767Bump gRPC dependencies to 1.43.2
19937context-root for web-ext is no longer honored with WLP 22.0.0.1
20082CWWKE0702E: Could not resolve module: com.ibm.ws.ejbcontainer.remote [852] Bundle was not resolved because of a uses constraint violation
20247webContainer property skipMetaInfResourcesProcessing=true can cause NullPointerException in JSP taglib
20293Add security headers to OpenAPI UI
20298Avoid ConcurrentModificationException during dynamic configuration updates for federatedRepository and user repositories
20303NPE during handshake when CLIENT_AUTH or SERVER_AUTH is missing in the certificate extension
20310OpenAPI UI is broken (missing CSS)
20353NullPointerException in EJBWARRuntimeImpl when dynamically updating server configuration
20403LibertyRestClientBuilderImpl nonProxyHosts PatternSyntaxException
20441Timing window where cancellation of scheduled task is ignored
 

Fix pack 22.0.0.3
Fix release date: 15 March 2022     
Last modified: 15 March 2022     
Status: Superseded     

Download Fix pack 22.0.0.3
 
ComponentSecurity APARAPARDescription
JavaServer MyFaces (JSF) Apache MyFaces implementation PH43113ClassNotFoundException for SecureSerializedViewCollection during Session Persistence
Liberty Administrative CenterPH43817IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
Liberty Kernel PH44064Liberty server command not working on IBM i platform after installing fix pack 22.0.0.2
Liberty System ManagementPH43223 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038 CVSS 4.4)
 

Open Liberty Release fixes:

Issue/PRDescription
12050@RolesAllowed rejects unauthenticated users when they mapped to an allowed (EVERYONE) role
19316Duplicate message key in com.ibm.ws.ui.tool.explore
19519LibertySSLSocketFactory cannot be loaded inside a custom feature
19613Bump netty dependencies to 4.1.72.Final
19659Update ExpressionLanguage 4.0 API/Impl to 10.0.14
19673JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer"
19780Adding Monitor Filter increases Startup Time.
19937Context-root for web-ext is no longer honored with WLP 22.0.0.1
19960OpenID Connect: Double URL Encoded State Parameter in Redirect location
19981ConcurrentModificationException in com.ibm.ws.security.openidconnect.clients.common.JtiNonceCache
19991featureUtility does not pass all features from server.xml to repository resolver
19999[JPA 2.2] EclipseLink: Deliver Bug #578262
20003Update Webcontainer ServletVersion Handling to Avoid SRVE8501E errors
20020AccessControlException thrown from Yoko calls to Class::getClassLoader
20063Server commands not working on IBM i after checkpoint changes
20064Fix server command on IBM i
20070503 response returned when request contained a 100-continue header
20165jsonpContainer-2.0 and jsonbContainer-2.0 features incorrectly use default providers.
20206Servers stop can fail in products that embed Liberty
20277False artifact io.openliberty.jaxrs30 in mvn repository
 

Fix pack 22.0.0.2
Fix release date: 15 February 2022     
Last modified: 15 February 2022     
Status: Superseded     

Download Fix pack 22.0.0.2
 
ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI)PH44762IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031 CVSS 5.4, CVE-2021-46708 CVSS 4.3)
General PH41660After 21.0.0.9 upgrade "DefaultHostname" definition in bootstrap.properties does not overwrite Liberty default
 PH43194Add support for CICS 5.6 to WOLA
 PH43281API Discovery UI will not load
 PH43530NullPointerException in JSP after 21.0.0.7
Intelligent Management Component PH41615Intelligent management WebServer plug-in is sometimes unable to route one HTTP session requests to the same member server
Virtual Member Manager (VMM)PH42489
IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031 CVSS 7.5)
 
 
 Open Liberty Release fixes:
Issue/PRDescription
18299NullPointerException if used with mpMetrics 3.0
18941NullpointerException in JSP after upgrade
19177[JPA 2.2] EclipseLink: Deliver Bug #412391
19545OpenIdConnectClient cookies not getting deleted after logout
19608Oracle database helper logging `DSRA8207I` too frequently
19688Empty com.ibm.ws.logging.hideMessage hides all messages and does not create messages.log
19702Support for outbound channel selectors to start immediately
19707Runnable jar hangs after Ctrl + C
19780Adding Monitor Filter increases Startup Time
19781Calling `UserRegistry.isValidGroup` or `UserRegistry.isValidUser` when using `federatedRegistry-1.0` can return `true` when `false` should be returned
19785Federated SAF registries can incorrectly claim a SAF user or group is not in the realm when calling `UserRegistry.isValidGroup`
19826MP Fault Tolerance annotations at the class level of a Rest Client interface are ignored
19831The output of ./wlp/bin/productInfo featureInfo missing new lines
19841defautHostName does not get picked up from bootstrap.properties for cfw
19860Updating MicroProfile versions on server.xml causes issues with install manager
19897"ERROR: Input redirection is not supported, exiting the process immediately" reported with Open Liberty as a service on Windows
 

Fix pack 22.0.0.1
Fix release date: 18 January 2022     
Last modified: 18 January 2022     
Status: Superseded     

Download Fix pack 22.0.0.1
 
ComponentSecurity APARAPARDescription
General PH42908HTTP/2 streams still accepted after server shutdown despite OLGH19193
Liberty Archive Install PH41986Product validation fails by feature manager when PH39418 is installed
Runtime and Classloader PH42759Block class loads for vulnerable classes
Web Container PH42435SRVE0250I and SRVE0164E no longer emitted due to OLGH18992
Web Services (JAX-WS)PH42074 IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310 CVSS 4.8)
WebSphere MQ messaging providersPH42762Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server Liberty (CVE-2021-4104 CVSS 8.1)
 
Open Liberty Release fixes:
Issue/PRDescription
16320OAuth provider Multiple Connections are disallowed in current pre-existing attachment environment error TS003794701
17562Multiple duplicate element IDs cause excess memory allocations and looping.
18695Avoid inferring caller in LogRecord.getSourceClassName and LogRecord.getSourceMethodName in Liberty HPEL
19334Policy attachments file: policy-attachments-server.xml is not processed
19342[JPA 2.1] EclipseLink: Deliver Bug #463042
19348gRPC server property "httpEndpoints" is invalid
19366JMX file transfer errors should not expose resolved file paths
19413JAX-RS fails with 400 Bad Request when query string contains _type param
19433JNDI lookup to CORBA URL can hang
19505SRVE0250I and SRVE0164E messages not emitted unless trace is enabled
19514Test Failure: AutonomicalPolling1ServerTest.testAddPersistentExecs gets intermittent NullPointerException when transaction timeout aborts the connection
19522Unresolved gRPC bundles in feature
19547New HTTP/2 streams still accepted while server is closing
19567Memory Leak with mpJWT
19585Classes are still indexed by mpOpenAPI when mp.openapi.scan.disable=true
19589ArrayIndexOutOfBoundsException during startup with mpOpenApi
19630Application class loader to ignore designated classes
19631featureUtility installServerFeature fails when user feature is listed
 

Fix pack 21.0.0.12
Fix release date: 3 December 2021     
Last modified: 3 December 2021     
Status: Superseded     

Download Fix pack 21.0.0.12
 
ComponentSecurity APARAPARDescription
Liberty z/OS PH41840Cannot get a WOLA connection for a client after configuration update
 
Open Liberty Release fixes:
Issue/PRDescription
7735Backport close stream weld properties overlay
17428OpenAPI 2.0 includes non-public fields in the generated documentation
17599wsoc connection causes quiesce error
18896OSGiBeanValidationImpl DS component needs to wait for all config to load.
18992Application fails to restart in server.xml update scenario
19051Server script depends on the `which` command
19057Port bind skipped at server startup
19087Throughput performance degradation in eclipselink due to Thread.getStackTrace calls
19127AccessControlException in WebAppSecurityCollaboratorImpl performDelegation(...)
19193Stop allowing creation of H2 streams if server is closing
19197ClassCastException in JSP relating to JDT internal classes
19227Bug Fix: Ensure ServletRequestListener#requestDestroyed is always called
19233Incorrect PostgreSQL session table query
 

Fix pack 21.0.0.11
Fix release date: 5 November 2021     
Last modified: 5 November 2021     
Status: Superseded     

Download Fix pack 21.0.0.11
 
ComponentSecurity APARAPARDescription
IBM i PH39665WebSphere Liberty server fails to start on IBM i running with Java 11
System Management Functions PH40204Deadlock found in SingletonServiceManagerImpl registerService
 
Open Liberty Release fixes:
Issue/PRDescription
13990SAML JSP gets unexpected 500 error due to ClassCastException
16598ServletContainerInitializer is passed invalid @HandlesTypes classes
16811Response output may not close at end of dispatch forward
17155Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17972`@Schema(multipleOf = )` can throw `NumberFormatException` in `mpOpenAPI-2.0` feature
18262server startWinService & stopWinService commands give incorrect/misleading return codes
18411Liberty message.log has repeating servlet lifecycle messages
18419ExpressionFactory#getClassNameServices fails if META-INF/services/javax.el.ExpressionFactory contains comments
18492gRPC service registration broken for EAR deployments
18663NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
18674HTTP/2 streams closed due to client window update delay
18751Bump netty dependencies to 4.1.68.Final
18813Test Failure: testJTATransactionUsedSeriallyWithOverlapAndCommitWithinLastStage NullPointerException
18836NPE when creating an HttpAuthenticationMechanism with the default package
18866Fix PasswordUtil.passwordEncode() with "hash" option
18925Cloudant NLS messages are not used
18973Investigate weld-osgi-bundle versions in feature files
 
 

Fix pack 21.0.0.10
Fix release date: 8 October 2021     
Last modified: 8 October 2021     
Status: Superseded     

Download Fix pack 21.0.0.10
 
ComponentSecurity APARAPARDescription
Liberty KernelPH39418Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517 CVSS 5.5, CVE-2021-36090 CVSS 7.5)
 PH40489SPNEGO fails with 403 error on Java 11 at 21.0.0.9
Liberty System Management PH39935CWWKE0701E at Liberty startup reports a ConcurrentModificationException in the APIProviderAggregator class
Web Container PH40879Server start hangs caused by plugin-cfg.xml generation
Virtual Member Manager (VMM)PH38929WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842 CVSS 3.7)
 
Open Liberty Release fixes:
Issue/PRDescription
17155Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17489IllegalStateException is thrown when Liberty tries to update a readOnly subject
17950Fix SRVE8501E Warning
18281Possible Bug with deferServletRequestListenerDestroyOnError
18282Bug: AdminCenter SRVE0190E: File not found: /images/tools/wasdev_142x142.png
18299NullPointerException if used with mpMetrics 3.0
18348ContainerRequestContext.getAcceptableLanguages() - fails with IllegalArgumentException when invalid locales are specified in the Accept-Language header.
18404Create PluginGenerator Lock to Address FileNotFoundExceptions
18430Saml web sso sp initiated login flow resulting in buildup of WASSamlReq_xx cookies
18437JSF throws ClassNotFoundException for o.a.m.el.convert.ValueExpressionToValueBinding
18475Servlet ReadListener does not receive all HTTP request data
18503RuntimeCodebase cannot be located on collocated call
18530Startup hang caused by plugin-cfg generator changes
18552JAX-RS 2.0 and 2.1 implementation is executing resource method when Content-Type or Accept header contains invalid values
18663NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
 

Fix pack 21.0.0.9
Fix release date: 10 September 2021     
Last modified: 10 September 2021     
Status: Superseded     

Download Fix pack 21.0.0.9
 
ComponentSecurity APARAPARDescription
JavaServer Faces (JSF) Apache MyFaces implementation PH40182JSF faces-config parser throws NPE when XML namespace missing
JavaServer Pages (JSP) PH38133Incorrect Expression Language (EL) Method Matching with Varargs
Liberty z/OS PH39946Liberty logging hideMessage= parameter should also stop messages being written to messageLogDD=MSGLOG
 
Open Liberty Release fixes:
Issue/PRDescription
16700Improve featureUtility performance with remote repository
17444Pull in BZ 65358 -- Varargs Method Matching (EL Patch)
17591IdentifyException accidentally externalized as unusable top level config element
17682Exception stack trace is exposed in error returns from JMX REST apis
17912Bump netty dependencies to 4.1.66.Final
18002`@Schema(multipleOf = )` validation check is wrong in `mpOpenAPI-2.0` feature
18009Wrong char count in ServletOutputStream with non-ASCII characters skips content
18091Remove system from code
18155JSF faces-config parser throws NPE when namespace missing
18213IOException FFDC logged after HTTP/2 stream is closed by client
18237Unexpectd FFDC from Jackson
 

Fix pack 21.0.0.8
Fix release date: 13 August 2021     
Last modified: 13 August 2021     
Status: Superseded     

Download Fix pack 21.0.0.8
 
ComponentSecurity APARAPARDescription
JavaServer Faces (JSF) Apache MyFaces implementation PH38339StringIndexOutOfBoundsException Occurs When Creating a Resource
 
Open Liberty Release fixes:
Issue/PRDescription
16700Improve featureUtility performance with remote repository
16994Dynamic reconfig of discovery endpoint not updating endpoints in all cases
17313Ubuntu upgrade re-enabled openliberty@defaultServer
17678Port MYFACES-4065/MYFACES-4187 to JSF 2.2
17757Passivating remote EJB Stub fails when rmicCompatible=true
17799gRPC monitoring requires the enablement of both grpc-1.0 and grpcClient-1.0
17828Update JSP Logic to Avoid Race Condition Regarding trackDependencies
17904grpcClient-1.0 dynamic enablement unexpected behavior
 

Fix pack 21.0.0.7
Fix release date: 15 July 2021     
Last modified: 15 July 2021     
Status: Superseded     

Download Fix pack 21.0.0.7
 
ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI) PH37788Use first found ejbDescriptor for MD
General PH35877Session ActiveCount shows a negative value
PH34906XML External Entity Injection (XXE) in WebSphere Application Server Java Batch (CVE-2021-20492 CVSS 6.5)
 PH38224Invalid command line optional parameters with "featureUtility help installFeature"
 
Open Liberty Release fixes:
Issue/PRDescription
14575OAuth client registration: Client IDs with GB18030 characters do not work
15726Re-introduce change reverted from 14248
16282Nullpointer exception during authorization using OidcLogic
17235FeatureUtility should return RC=20 when invalid action name is specified
17299Allow multiple version of singleton feature with featureUtility installFeature command
17344OIDC RP may fail to login if clientSecret is not configured TS005720300
17437NPE in com.ibm.tx.jta.util.logging.TxTr.initTrace
17478Invalid command line optional parameters are shown with "featureUtility help installFeature" and "featureUtility help installServerFeatures"
17482Unexpected results with JSP trackDependencies in the extended document root
17489IllegalStateException is thrown when Liberty tries to update a readOnly subject
17576OIDC Update the description for disableIssChecking
17593EJB Singleton Lifecycle Deadlock
17635Bump gRPC dependencies to 1.38.1
17658ConcurrencyPolicy loses queue slots when managed executor deactivates and erroneously cancels tasks of other executors
17666JavaMail tries to use a resource file that only exists in the implementation
 

Fix pack 21.0.0.6
Fix release date: 18 June 2021     
Last modified: 18 June 2021     
Status: Superseded     

Download Fix pack 21.0.0.6
 
ComponentSecurity APARAPARDescription
JavaServer Pages (JSP) PH36923java.lang.NullPointerException caused by PH34711
Liberty Kernel PH37460Setting 'AutoExpand' to true causes the 'UseJandex' setting to be ignored
 
Open Liberty Release fixes:
Issue/PRDescription
12778mpJWT-1.1 configured by using jwksUri results in CWWKS5523E at the first jwt token presented to the server
15023WASReqURLOidc cookie encodes the request url but does not decoded it upon successful redirection
16598ServletContainerInitializer is passed invalid @HandlesTypes classes
16743Pull in MyFaces 2.3.9
17040Revision to httpOption maxKeepAliveRequest default value
17047PluginGenerator FFDC: BundleContext is no longer valid
17117Test Failure: Failover1ServerCoordinatedPollingTest.testMultipleInstancesCompeteToRunManyLateTasksPC
17177Failed to locate data source, null Resourcefactory
17203ORB.init() called simultaneously on two threads during server start
17268APAR PH37460 useJandex is ignored when autoExpand is set
17294java.io.IOException might be thrown during AsyncContext.complete()
 

Fix pack 21.0.0.5

Fix release date: 21 May 2021     
Last modified: 21 May 2021     
Status: Superseded     

Download Fix pack 21.0.0.5

 
ComponentSecurity APARAPARDescription
Liberty OSGi Applications PH28781CWWKZ0404E: An exception was generated when trying to resolve the contents of the application
Liberty z/OS PH35442Smf120 subtype 11 records sometimes missing values when a servlet request takes an error path
 PH35542Abend 0C4 in ntv_registerserver reported on WebSphere Liberty z/OS 20.0.0.12 (wlp-1.0.47.cl201220201111-0736)
 PH36576CWWKB0086E seen in angel in fix pack 21.0.0.3
 

Open Liberty Release fixes:

Issue/PRDescription
13522Publish the WebContainer property enableMultiReadOfPostData
14174The WebContainer properties may not be updated accordingly.
14345ServletContext getContextPath() does not end with forward slash.
15216JDBC Kerberos problems on IBM JDK 8
16203IllegalStateException when calling CDI bean with @Transactional(Transactional.TxType.NEVER) from websocketEndpoint
16307Update Liberty to not block use of Oracle 21c JDBC driver with IBM Java 8 and Kerberos authentication.
16428Remove Internal From setHtmlContentTypeOnError
16495Rename plugin-cfg File Using Files#Move
16524Fix issue with spanning an audit record across audit logs when signing and encrypting of audit logs is enabled
16539SESSION ACTIVECOUNT SHOWS A NEGATIVE VALUE
16637Authorization failure occurs when LDAP or basic user attempts login in SAF federated registry
16661microprofile-config.properties is not loaded in OASFilter
16694Avoid virtual host missing warning if server is in the process of shutting down
16764Deploying two applications with mpOpenApi-2.0 enabled can cause IllegalStateException: SROAP00001: Model already initialized.
16772[JPA 2.1] EclipseLink: Deliver Bug #573094
16774PostgreSQL session table check missing qualifier name
16793Include RelayState in the logout response to IdP initiated slo requests
16808Issue16807 support new Java policy location per open JDK 9
16843Cleanup request thread data
 

Fix pack 21.0.0.4

Fix release date: 23 April 2021     
Last modified: 23 April 2021     
Status: Superseded     

Download Fix pack 21.0.0.4

 
ComponentSecurity APARAPARDescription
Administrative ConsolePH34122
Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258 CVSS Score 7.5)
Java 2 Connectivity (J2C) PH33683EJB timer service does not adjust for daylight savings time
JavaServer Faces (JSF) Apache MyFaces implementationPH34711Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8
 
Open Liberty Release fixes:
Issue/PRDescription
15336Replace DNS lookup with regular expression to get the domain name in SSO Cookie Domain function
15989MyFaces Update State Saving
16054HSTS Header not added on responses with 404 status
16113Shared Class Cache not generated on Windows
16118Create setHtmlContentTypeOnError Webcontainer Property
16160HTTP/2 ClassCastException during error handling
16184EJB timer service does not adjust for daylight savings time during fall adjustment
16301LDAP and Database Identity Stores fail to reprocess deferred EL expressions
16353Bump netty dependencies to 4.1.62.Final
16364Premature response completion in Async servlets
16410Improve messaging in ldapRegistry-3.0 when userFilter and groupFilter do not contain an AVA with %v
16416Java 2 Security exception when adding custom principal to the subject for Jaspic
 

Fix pack 21.0.0.3

Fix release date: 26 March 2021     
Last modified: 26 March 2021     
Status: Superseded     

Download Fix pack 21.0.0.3

 
ComponentSecurity APARAPARDescription
Liberty z/OS PH33563
SAFPasswordUtilityFactory.getInstance().passwordChange results ioException: exception in opening zip file after multiple calls
 
 PH34338ABEND0C4 during Liberty server shutdown
 
Open Liberty Release fixes:
Issue/PRDescription
5470NLS message CWWKE0031E is inaccurate when emitted from server script
11249JAXRS leaks memory when applications do not close their Client references
12606server.bat script does not read path of jvm.options correctly as documented
14926Bean Validation 1.1 NullPointerException from ValidationReleasableFactoryImpl
15646Issue15644ProperMergingOfJava2Permissions
15744Pull in MyFaces 2.3.8
15799Plugin Generator can cause server shutdown delay
15822LDAP group members may be ignored when the member's RDN starts with cn (and possibly other attribute names).
15853Bump netty dependencies from 4.1.52.Final to 4.1.59.Final
15857EJB client intermittently throws BAD_PARAM after server restart
15869MP Config AppPropertiesTrackingComponent synchronization
15878JAX-RS requests that do not specify the port fail with SSL
15927Cannot inject optional list with mpConfig-1.x
15943Merge multi-homed environment related changes into Liberty
15975Create a UDP connection using the selected outbound interface
15985Threads backing up during transaction processing due to use of Dictionary
16037Separating ciphers with two spaces results in unspecified behaviour
16060Eclipselink bundles lack javax.mail.internet
 

Fix pack 21.0.0.2

Fix release date: 26 February 2021     
Last modified: 26 February 2021     
Status: Superseded     

Download Fix pack 21.0.0.2

 
ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI) PH33219
AdminCenter web app is not updating status after an operation concludes
 
Install PH33517Issue with <INCLUDE LOCATION> tag on Liberty 20.0.0.9 failed to support the WLP_USER_DIR in already built fixes
Java 2 Connectivity (J2C) PH31875J2CA0079E: getManagedConnection internal illegal state state = state_inactive mcw
 
Open Liberty Release fixes:
Issue/PRDescription
11777prepareJSPThreadCount is not documented in Open Liberty - Investigate if any issues using it and document
12490IOExceptions thrown after HTTP/2 stream is closed by client
12694EclipseLink: Deliver Bug #538296
14109Update gRPC dependencies to 1.35
14175Expression Language 3.0 value lookup performance improvement
14248Update WC property suppressHtmlRecursiveErrorOutput
14934JAX-RS client creates a new SSLSocketFactory for every request
15040ClassCastException might happen when serving a static resource
15433System WABs may come online with the web container after server reports started
15550NullPointerException in HttpServletRequest or HttpServletResponse context proxies
15698
FeatureUtility not parsing Liberty custom environment variables
 

Fix pack 21.0.0.1

Fix release date: 29 January 2021     
Last modified: 29 January 2021     
Status: Superseded     

Download Fix pack 21.0.0.1

 
ComponentSecurity APARAPARDescription
Install PH32961InstallUtility and FeatureUtility are working when the variable is a directory, but not part of a file name
Intelligent Management Component PH31732Restricting IP access in ssh keys in authorized_keys, results in ssh key being appended when collective member is restarted
 
Open Liberty Release fixes:
Issue/PRDescription
10000HttpServletResponse.sendRedirect(String location) builds absolute URL including protocoll and server-name
12095PluginGenerator: BundleContext is no longer valid
12417Fix java.lang.IllegalStateException: jstl facade bundle can not be located
13515Add addstricttransportsecurityheader WebContainer prop to metatype
14532Plugin Generator can cause server shutdown delay
14815Recovery race
14925OAuth user registry lookups may use incorrect custom cache key
14928EclipseLink: Deliver Bug #514486
14936Issue when deploying Open Liberty application to Openshift
14950Pull MyFaces 2.3.7 into Open Liberty
14975OIDC RP: creating a subject with allowCustomCachKey=false results in a subject that includes a cache key
15174Include tag on windows not parsing correctly
15216JDBC Kerberos problems on IBM JDK 8
15220Add HTTP/2 IOException for misbehaving client error case
15237Clear federated repository specific information from AuditManager thread
15242Stop the ACME Certificate Checker Task when the server is stopping
15263HTTP TRACE method requests are rejected with a 403, and `enableTraceRequests="true"` does not help
15305Pull in CXF-8278
15315Enable server shutdown on recovery log failure
15337Dynacache initialization issue when ID is missing
15342CONTAINER_NAME env variable is not reflected in logstashCollector-1.0
15388Include tag file name unable to be parsed for featureUtility
15390Various thread safety issues in the Liberty scheduled executor
15550NullPointerException in HttpServletRequest or HttpServletResponse context proxies
 

Fix pack 20.0.0.12

Fix release date: 27 November 2020     
Last modified: 27 November 2020     
Status: Superseded     

Download Fix pack 20.0.0.12

 
ComponentSecurity APARAPARDescription
General PH30714PortOpenRetries needs to do retries for hostname lookup failures
 PH30744Increased CPU can occur after moving to Liberty version 19.0.0.7 or higher
Install PH32363InstallUtility and featureUtility ignores included config files on Windows
Intelligent Management Component PH31277Health policies do not trigger
Java Persistence API (JPA) PH29720EclipseLink generates SQL for the coalesce function with incorrect whitespace.
Systems Management Functions PH30558Do not store Leader ID when server is stopping
 
Open Liberty Release fixes:
Issue/PRDescription
14425EclipseLink: Deliver Bug #567087
14426EclipseLink: Deliver Bug #463350
14457EclipseLink: ClassCastException for Boolean-Typed JPS-Query
14540com.ibm.wsspi.cache.getProperties() returns empty map.
14542Java 15: IllegalAccessError when using MP Rest Client
14555TCP: add retry logic to hostname loookup when opening ports
14582Prevent jsonp-1.0 and jsonpContainer-1.1 from both starting.
14597Increased CPU when moving from Liberty 19.0.0.6 to newer releases.
14650MP GraphQL does not scan JARs in WEB-INF/lib for GraphQL components
14655Move participatingBaseEntry check to avoid inaccurate logging of CWIMK0004E message
14657Fix connection manager deadlock for purgePolicy=FailingConnectionOnly
14735Fix the Logging metatype description message for hideMessage
14743Variables in include files not recognized after config update
14781Wrong FailureScopeController used in peer recovery
14826Allow Spring Boot app with embedded launcher script to deploy
14828Server stop hang
 

Fix pack 20.0.0.11

Fix release date: 30 October 2020     
Last modified: 30 October 2020     
Status: Superseded     

Download Fix pack 20.0.0.11

 
ComponentSecurity APARAPARDescription
General PH30494NullPointerException is received when using the PasswordChange API with more than one UserRegistry
Java 2 Connectivity (J2C)PH29942Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693 CVSS 5.3)
 
Open Liberty Release fixes:
Issue/PRDescription
7056HTTP/1.1 and HTTP/2 behave differently when a non-standard HTTP method is used
12312Update to commons daemon breaks windows servicel
12724Unable to Override JAX-RS SecurityContext in ContainerRequestFilter
13073FFDC raised when fallback method or handler throws exception
13830Federated repositories returns the string "null" instead of the value null for several methods
13861Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13908Liberty Java security function does not honor JDK's java.policy file.
14003Test Failure: com.ibm.ws.microprofile.health20.fat.ApplicationStateHealthCheckTest.testPreLoadedApplicationsHealthCheckTest_mpHealth-3.0
14183Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy
14192Eclipselink: Wrong month is returned if OffsetDateTime is used in JPA 2.2 code
14377Server.xml config sources do not respect config_ordinal
14421EJB persistent timer may attempt to run after server stop issued
 

Fix pack 20.0.0.10

Fix release date: 2 October 2020     
Last modified: 2 October 2020     
Status: Superseded     

Download Fix pack 20.0.0.10

 
ComponentSecurity APARAPARDescription
Asynchronous beans PH29578CWWKE0701E: Frameworkevent error org.osgi.framework.serviceExcception
Liberty Kernel PH27428NullPointerException because wsJarUrlStreamHandler creates unusable input stream
 PH27908Unconverted adapt to web annotations from com.ibm.ws.openApi.internal.annotationScanner
 PH28816During server startup, the warning "Unconverted adapt to web annotations" appears in server logs
Liberty z/OS PH28141Out of memory in cell pool using 500 connections
Web Services SecurityPH29368WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590 CVSS 5.3)
 

Open Liberty Release fixes:

Issue/PRDescription
11646Concurent Login Issue
11722mpHealth - readiness check reports UP when application fails to start
11847Add support for traditional websphere property: com.ibm.ws.webcontainer.suppresslastzerobytepackage
12613Enabling openTracing with no tracer class configured impacts performance
12790Need to limit how many times an OIDC refresh token can be used to get new tokens
13404Kafka connector can report failure for acknowledgements which eventually succeed
13551NullPointerException when starting an EJB module during server stop
13569Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0
13613Support IIOP transmission of Supplemental Multilingual Plane characters (such as emoji) in (wide) Strings
13681Getting ManagedThreadFactory from JNDI is failing in 20.0.0.9
13817PostgreSQL tables are not automatically generated for transaction recovery
 

Fix pack 20.0.0.9

Fix release date: 4 September 2020     
Last modified: 4 September 2020     
Status: Superseded     

Download Fix pack 20.0.0.9

 
ComponentSecurity APARAPARDescription
EJB Container PH27497CNTR5010E,CNTR0075E Errors after migrating from WebSphere V8.5.5.X TO V9.0.5.X
 PH27912CNTR5104E OR CNTR5102E occurs at EJB start after upgrading WebSphere to V8.5.5.16, V9.0.5.0, V9.0.5.1, OR V9.0.5.2
Install PH30219<INCLUDE> Tag not being considered when installing server.xml
Java Persistence API (JPA) PH26967OpenJPA's class transformer needs to respect app classloader concurrency
 PH28547JPA persistence activator retains classloader references, potentially leading to OutOfMemory condition
 
Open Liberty Release fixes:
Issue/PR
Description
11504Occasional ArrayIndexOutOfBoundsException in JaspiServiceImpl.getDescription during Arquillian Tests
11556Connection leak when XAResource.recover fails
12832Bean Validation should consider @ValidateOnExecution when CDI is not enabled.
13027Jaxrs security not getting SSL Socket Factory updates
13036mpGraphql Exception allowlist not working. NullPointerException is thrown by mpConfig
13138

 

tag not being considered when installing server.xml
13170MDB method restricted from being private final for no methods listener
13309Application with EJB 2.x local interface that extends java.rmi.Remote fails to start
13331ignore extra ffdc when application fail to start due to vhost already removed by stop app
13447Http/2 -clean up connection on error
14183Need an option to load a custom JaasLoginModule without going through com.ibm.ws.kernel.boot.security.LoginModuleProxy

Fix pack 20.0.0.8

Fix release date: 7 August 2020     
Last modified: 7 August 2020     
Status: Superseded     

Download Fix pack 20.0.0.8

 
ComponentSecurity APARAPARDescription
Systems Management Functions PH27639Stopped application may show as started in collective controller.
Security PH34376RACF RACMAP filter fails to properly match on realm
 
Open Liberty Release fixes:
Issue/PRDescription
12074Webcontainer property decodeUrlPlusSign issue
12312Update to commons daemon breaeks windows service
12450Batch: Fixes for remote partition job logs
12523Failed to parse Created TimeStamp in UsernameTokenValidator
12613Enabling openTracing with no tracer class configured impacts performance
12695JAX-RS Application Proxy should override getProperties()
12780CWMRX1001W seen in messages.log
12865spring-cloud-starter causes ApplicationStarted event to be fired before the ModuleStarted events for Spring Boot web apps
12967"peer not authenticated" failures in RP to OP communication on some versions of Java 11
13094MDB message listener method name restricted from starting with "ejb"
Fix pack 20.0.0.7

Fix release date: 9 July 2020     
Last modified: 9 July 2020     
Status: Superseded     

Download Fix pack 20.0.0.7

 
ComponentSecurity APARAPARDescription
Liberty System Management PH26177API Discovery UI fails
z/OS PH23733Unexpected Transaction CPLT ABEND ASIB when transaction is rolled back
 
Open Liberty Release fixes:
Issue/PRDescription
8048Unable to write multipart data in Jax-Rs
12032Configuration for sslSessionTimeout is ignored at runtime
12067PluginUtility currently looks in the workarea for com.ibm.ws.jmx.local.address but should look in the logs/state directory
12352Correct spelling mistake in com.ibm.ws.jsp.jstl.facade/bnd.bnd
12375IllegalArgumentException occurs when processing SOAP response containing SOAP Fault
12399HTTP/2 read window not updated
12516Changes to SSL Session Timeout
12537H2 NPE HttpOutputStreamImpl.flushHeaders
12545syncQueryTimeoutWithTransactionTimeout="true" with totalTranLifetimeTimeout="0" results in SQLTimeoutException
12567Fault Tolerance 2.1: org.eclipse.microprofile.faulttolerance cannot be resolved
12599HTTP/2 connection termination performance
12708Entry and exit trace is missing when using OpenJDK with OpenJ9 version 8.
12715JAX-RS @Context injection into ContextResolver failing with NPE
 

Fix pack 20.0.0.6

Fix release date: 12 June 2020     
Last modified: 12 June 2020     
Status: Superseded     

Download Fix pack 20.0.0.6

 
ComponentSecurity APARAPARDescription
Administrative Console PH25475After logging in to admin center console, in the web browser console role is getting exposed
General PH25479JAXRS resource not injecting objects via CDI constructor injection
Liberty z/OS PH25650Message CWWKO0230I is issued even if the Asynchronous I/O support was not activated
Virtual Member Manager (VMM) PH24423With SCIM-1.0 feature and LDAP registry, SCIM queries for group members do not deliver the display name for group members
 
Open Liberty Release fixes:
Issue/PRDescription
9157Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
10067Update JPA to fix EclipseLink bug 618
10236Update JPA to fix EclipseLink bug 558283
10240Update JPA to fix EclipseLink bug 558414
10812Update printSessionManagerConfigForDebug method to include cookieHttpOnly
11773[openidConnectServer-1.0] incorrect http status code for error response invalid_grant
11795EclipseLink: Deliver Bug #561664
11882Missing FunctionMapper
11927Include user name in CWWKS1773E error message TS003412433
11977May get an NPE in URLEncoder.encode when OAuth provder gets bad clientId TS003459997
11984JNDI lookup fails with org.osgi.framework.ServiceException
12019Application MBean status is not updated when application fails to start
12024The JCA SharedPool can leak MCWrapper objects
12212Cached configuration not used in some circumstances
12297Correct JSP 2.3. Feature File
 

Fix pack 20.0.0.5

Fix release date: 15 May 2020     
Last modified: 15 May 2020     
Status: Superseded     

Download Fix pack 20.0.0.5

 
ComponentSecurity APARAPARDescription
Liberty z/OS PH24366Liberty fails to remove the client address space level RESMGRs when cleaning up Liberty's client structures
Web ContainerPH20847Information disclosure in WebSphere Application Server (CVE-2020-4329 4.3)
Web Services SecurityPH24154Identify spoofing in WebSphere Application Server (CVE-2020-4421 5.0)
 
Open Liberty Release fixes:
Issue/PRDescription
11475CWWKG0090E seen when using include that worked in previous version
11550SSL Channel: double release of WsByteBuffer race condition
11582NPE in OpentracingUtils.lookupAppName()
11590MetricProducer provides a simple timer and concurrent gauge with the wrong MetricType
11595SAML SP should use 401 instead of 403 when redirects user to IdP
11682Social login feature cookies may not use dynamically updated web app security config
11696Exception during UserTransaction thwarts @Fallback on @Asynchronous method
11716Changes for issue 11646
11746Unable to create logger error in server startWinService when WLP_OUTPUT_DIR set in server.env
11750Correct redirect location.
11755Update Weld3 to 3.1.4
11767Lock contention acquiring applicationTracersLock in OpentracingTracerManager.ensureTracer()
11785intermittent h2 timing test failure
11870H2 NPE check modification

Fix pack 20.0.0.4

Fix release date: 17 April 2020     
Last modified: 17 April 2020     
Status: Superseded     

Download Fix pack 20.0.0.4

 
ComponentSecurity APARAPARDescription
General PH23757EJB persistent timer/deserialized context fails with CWWKC1004E (unavailable context) after mpContextpropagation-1.0 disabled
Install V8 and above PH23517zosConsoleCommandDisplayWork-1.0 as an auto-feature is not installed
Liberty Archive Install PH23233NullPointerException when installing the required WLP server's features from local repository
Liberty z/OS PH22112Display work with zosRequestLogging feature does not count servlet requests
 PH23817gpf in liberty server during shutdown
Web Services SecurityPH22080Cross-site scripting vulnerability in samlWeb-2.0 (CVE-2020-4303, CVE-2020-4304)
 
 Open Liberty Release fixes:
Issue/PRDescription
4040Make RC consistent for starting liberty as a Windows Service
4873Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
8933Authentication cache fails to find existing Subjects, slowing performance.
9692Non-English characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9986Application fails to start because of java.lang.IllegalStateException: Configuration pid com.ibm.ws.app.manager_23 was deleted
10707Thread safety problem in JSON logging field name mapping code
10986Invalid JSON data passed to @Path resource method(@Valid MyPojo) yields H500 instead of H400
11043java.security.AccessControlException: Access denied ('java.util.PropertyPermission' 'org.osgi.framework.bootdelegation' 'read')
11044custom-login-configuration not honored in java:comp/env bindings without binding-name
11108mpRestClient-1.3 ignoring hostnameVerifier configuration
11199EJB Persistent Timer/deserialized context fails with unavailable mp.cleared.context.provider after mpContextPropagation-1.0 disabled
11289ConcurrentModificationException during JSF application startup
11445The JarFileClassLoader throws an IllegalArgumentException when defining package com.ibm.websphere.ras.annotation
11454Remove lock contention and other perf improvements for starting multiple applications
11478Minor code issue in LdapHelper.getRDN in com.ibm.ws.security.wim.adapter.ldap
11510Timing window where server loses the ability to run a persistent timer if config update to disable execution overlaps a poll
11534Async implementation of MP rest client returns CompletionStage of Collection of HashMap but expected CompletionStage of Collection of a user defined type
11535AdapterUtil.createXAException utility method garbles message parameters
11543PH22080
 

Fix pack 20.0.0.3

Fix release date: 20 March 2020     
Last modified: 20 March 2020     
Status: Superseded     

Download Fix pack 20.0.0.3

 
ComponentSecurity APARAPARDescription
Liberty log analytics and monitoring PH22677Logstash error when parsing json
Liberty z/OS PH21809Liberty on z/OS message routing to msglog dd stops unexpectedly
 PH21956JVM crash in zosLoggingBundleActivator.ntv_writeFile()
 PH22759Abend on the z/OS Hard failure Cleanup Thread during server stop processing
Virtual Member Manager (VMM) PH21704SCIM fails to search when quotation marks are included in search filter
Web Services (JAX-WS, JAX-RS)PH22079Vulnerability in Apache CXF affects WebSphere Application Server Liberty (CVE-2019-17573)
 
Open Liberty Release fixes:
Issue/PRDescription
8547Oracle connectionProperties being traced
9588Fix JWKS behavior that returns cached JWK despite the JWK not having right KID
10310EclipseLink: Deliver Bug #347987
10510Thread fails to complete during the quiesce period
10552Webcontainer Bundle Deactivation causes IO Exceptions for the Cached Plugin-cfg File
10697LDAP registry and URBridge are not un-escaping double quotation and apostrophes from the XPATH search expression
10712AsyncResponseImpl.initContinuation() throws NPE when Continuation is null
10730Javadoc of ConnectionManagerMBean.getJndiName is not accurate
10732Context-root attribute for server.xml web-ext element ignored
10762Missing warning when a server element is not present
10867German translation for 'Logout' incorrect for OIDC applications
10961Request URL mismatch between scheme and port
10981Yoko ORB shutdown thread hangs
10996Error parsing JSON when using ELK with logstashCollector-1.0
11052Basic registry throws PatternSyntaxException when search for users or groups includes braces
11105HTTP/2 stream initialization race conditions
11123Enhance NCSA access log 'enabled' attribute documentation
 

Fix pack 20.0.0.2

Fix release date: 21 February 2020     
Last modified: 21 February 2020     
Status: Superseded     

Download Fix pack 20.0.0.2

ComponentSecurity APARAPARDescription
General PH10461When using BYO SSH keys, starting a collective controller keeps appending the ssh key to the authorized_keys file
 PH11895PI81056 did not fully resolve the issue resulting in msg CWWKO0224E (hostname resolution error) during server startup
 PH19384Liberty for z/OS server using optimized local adapters abends in method WOLANativeUtils.ntv_getClientService on shutdown
PH19528Denial of Service in WebSphere Application Server (CVE-2019-4720)
PH19989Denial of Service in WebSphere Application Server (CVE-2019-12406)
 PH20816Install of common Java SDK for Liberty on z/OS fails with CRIMA1161E
 PH20912Unable to set samesite cookie option with response.addHeader
 PH21213Unable to install WebSphere Application Server Liberty V8.5 version 20.0.0.1 using IBM Installation Manager
 PH21281Warnings showing the text "Unconverted adapt" appears in server logs
 PH21564java.lang.SecurityException possible from messaging component calls to System.getProperty("line.separator")
 PI93822EJB auto-link fails for java:global with beanName provided
 

Open Liberty Release fixes:

Issue/PRDescription
8015 Delay TCP Port starts until server is initiailized
9085ServletCacheEngine ignore cache for App using default context root
9157Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
9512OIDC RP does not reject requests that match more than one filter
10067EclipseLink: Deliver Bug #618
10142 Installing mpHealth 1.0 and 2.0 features together causes NullPointerException
10189Fault Tolerance reports an internal error when an asynchronous method returns null
10196H2 close with error produces invalid state
10236EclipseLink: Deliver Bug #558283
10238Default logging format not being set when using an invalid console/message logging format
10240EclipseLink: Deliver Bug #558414
10243Pull in MYFACES-4311 and add a FAT
10248JsonB provider not found when loaded from library
10293Test Failure: com.ibm.ws.testing.opentracing.test.FATOpentracing.testImmediate
10310 EclipseLink: Deliver Bug #347987
10337Java Batch: Error reported when JMS job dispatch message is redelivered
10384Support for SameSite attribute in Set-Cookie header is needed
10393PersistentTimerCoreTest.testDisabledLateTimerMessage FFDC indciates missing doPriv on abort
10397Retry port opening according to configurable number of retries
10426requestTiming-1.0: servletTiming server configuration does not work with servlet-4.0
10461Basic registry throws PatternSyntaxException when search filter contains paren
10462LDAP registry throws InvalidSearchFilterException when principalName search filter contains paren
10508Avoid using System.getProperty("line.separator") in messaging code
10559Need to quit warning about strange cookies sent from IBM ID
10578oidcclient does not expand ID attribute after 19.011
10582JAX-RS 2.0 ExceptionMapper is ignored when using mpOpenTracing
10587Yoko ORB shutdown thread hangs
10604Wrong encoding for special characters (Swedish language)
10702Decompression Ratio Support
 

Fix pack 20.0.0.1

Fix release date: 24 January 2020     
Last modified: 24 January 2020     
Status: Superseded     

Download Fix pack 20.0.0.1

 
ComponentSecurity APARAPARDescription
Liberty System ManagementPH20161OpenAPI Swagger UI vulnerability (CVE-2019-17495)
Web Services (JAX-WS, JAX-RS) PH18762Add support for gzip encoding
 
 Open Liberty Release fixes:
Issue/PRDescription
6956Liberty depends on the ps command during shutdown
8563Pull in MyFaces 2.3.6
8773OIDC Client Requests Tokens with the same auth code
9281auditUtility command/script file not found in /bin directory.
9307Error message when MP Open Tracing feature is enabled but not in use
9441Auto-features which depend on kernel features do not get installed
9943 Map the Spring Boot application's context root to the application's welcome page (index)
9516Unfriendly user error message displayed and user is blocked from signing in to their application when their liberty session expires
9602H2 Synchronization problem with tests that are sending duplicate frames
9679H2 intermittent error when upgrade fails
9708For a batch job with partitioned step, the PartitionReducer's afterPartitionedStepCompletion gets ROLLBACK on normal completion.
9798Handling logging out of mp jwt flow introduces an error
9824 Cannot distinguish opaque token that contains two dots from JWT
9848Resource adapters might fail to start with Bean Validation 1.1 and CDI 1.2 enabled.
9886Unresolved module com.ibm.ws.rest.handler.validator.jca
9904javax.servlet.ServletRequest.getParameterValues returns null in Jaxrs applications
10006service.ranking can be removed from com.ibm.ws.persistence defaultInstances.xml
10030H2 connection error causes server timeout
10144Add additional support for range attributes on Active Directory Ldap searches
10165Fault Tolerance messages not output
10178Resource leak when installing features through Gradle on Windows
10215CXF cannot process a gzip encoded SOAP response
10228 Rest Client for MicroProfile loses entity on POST requests with status code 202 response
 

Fix pack 19.0.0.12

Fix release date: 13 December 2019     
Last modified: 13 December 2019     
Status: Superseded     

Download Fix pack 19.0.0.12

 
ComponentSecurity APARAPARDescription
Liberty Administrative CenterPH18799WebSphere Liberty is vulnerable to a Cross-site scripting vulnerability in the Admin Center  (CVE-2019-4663)
 
 Open Liberty Release fixes:
Issue/PRDescription
8395Remove obsolete com.ibm.ws.webcontainer.channelwritetype from Liberty's metadata and web container properties
9228LDAP registry returns error code 21 when updating boolean values
9293Opentracing can cause jaxrs exceptions to not be logged
9386NullPointerException when using dynamic filter to add mapping for servlet name
9455HTTP/2 malformed requests should cause stream reset
9499FFDC when Exception thrown by user code proxied using ContextService
9545Test Failure: junit.framework.TestSuite.com.ibm.ws.cdi12.fat.tests.SessionDestroyTests
9596Relax criteria for calling out an FFDC when dealing with the Selector logic
9607NPE in the SIP Container when a Digest challenge does not contain the `algorithm` field
9625Unable to load LibertySSLSocketFactory during transaction recovery
9676Class transformers can fail if a class is loaded from the shared classes cache
9692Non english characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9825JNDI literals parsing too verbose
 

Fix pack 19.0.0.11
Fix release date: 15 November 2019     
Last modified: 15 November 2019     
Status: Superseded     

Download Fix pack 19.0.0.11
 
ComponentSecurity APARAPARDescription
General PH11427Service call by service.Create() does not time out in 30 seconds
PH17678Man in the middle vulnerability in OpenSAML (CVE-2014-3603)
 PH18113Add Apache HttpClient library
 PH18282SCIM API fails to retrieve a group or user with a forward slash in the DN
JavaServer Pages (JSP)PH13983Information disclosure in WebSphere Application Server (CVE-2019-4441)
Liberty z/OS PH18715java.lang.StringIndexOutOfBoundsException exception in com.ibm.ws.zos.registration.internal.ProductManager.start
Security PH18751Exceptions when using keystore ID="defaultkeystore" after upgrading to fix pack 19.0.0.9 on z/OS
 PH29291NullPointerException might be thrown during EJB invocation on 19.0.0.9
 
Open Liberty Release fixes:
Issue/PRDescription
4387Runnable JAR execution fails when WLP_USER_DIR env var is set to "other" location with CWWKE0005E
7701Pull in MyFaces 2.3.4
8152TAI negotiateValidateandEstablishTrust called twice during authentication.
81967234-TRACENPE COMMIT1
8404Confidential for Security Integrity fix CVE-2014-3603
8860jwkRetriever should not require an sslSocketFactory if using http
8899federatedRegistry-1.0 group membership may use a repository that does not participate in the realm
9085ServletCacheEngine ignore cache for App using default context root
9122Remove additional ; in WebApp.java
9129Update Commons BeanUtils to 1.9.4
9130Header Key retrieval fix for case sensitivity
9132correct certain JSP messages
9143NullPointerException might be thrown when the security audit is enabled for ejb.
9380IllegalStateException in JMX Connector RESTHandler from call to getWriter
9416Add Apache HttpClient v3.1 library
9436RACF SDBM LDAP registries may encounter OperationNotSupportedException
9437Test Failure (20180702-1422): com.ibm.ws.jdbc.fat.v41.JDBC41Test.testTransactionTimeoutAbort
9441Auto-features which depend on kernel features do not get installed
9451Fix Intermittent NullPointerException on TCP trace during shutdown
9472H2 Intermittent NPE in HttpOutputStreamImpl.flushHeaders()
 

Fix pack 19.0.0.10

Fix release date: 18 October 2019     
Last modified: 18 October 2019     
Status: Superseded     

Download Fix pack 19.0.0.10

 
ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI) PH05014Null CDI Bean results in a NullPointerException thrown in Apache WebBeans code
GeneralPH16611Multiple vulnerabilities in HTTP/2 implementation used by WebSphere Application Server Liberty
Intelligent Management Component PH16337Liberty OIDC is not working with dynamic routing plug-in
Liberty z/OS PH14100Out of storage condition caused by a leak in LSCL causing rc12 Reason Code 24 from BBOA1CNG
 PH16940Liberty servers abend with an ABENDSEC3 RSN=20000800 when a Liberty server is shutdown using force or similar
SecurityPH15518Multiple vulnerabilities in WebSphere Application Server Liberty (CVE-2019-4304, CVE-2019-4305)
WebSphere Compute Grid PH13367Job Partitions reported failing due to a deadlock on Java Batch Job Repository tables
WMQ messaging providers PH13286Provide mechanism to disable 1PC optimization
 
Open Liberty Release fixes:
Issue/PRDescription
7767Expose JSF MyFaces Implementation classes as third-party
7849The JWK retriever does not remove stale JWK from cache
8532Deadlock issue when using persistence batch framework
8597Federation of a custom UserRegistry (CUR) results in different behavior than when stand-alone
8612export jsf-2.3 impl classes as third-party
8614export jsf-2.2 impl classes as third-party
8736Case TS001514963: requestTiming does not show all SQL queries
8808OIDC RP does notHTTP Auth header as containing a valid OIDC id_token
8840CWIML0514W occurs using uppercase group DN on getGroups
8863Failure to parse multiple comma separated links in an HTTP Link header on a Jaxrs Response object
8886GA Fault Tolerance - Metrics 2.0 integration
8903When JACC is enabled, annotated role mapping is not enforced properly.
8951OperationNotSupportedException: [LDAP: error code 53 - R000128 Filter is not supported (sdbm_search:1413)]
8979requestTiming-1.0 feature does not work in OpenLiberty
9021JSF File Descriptor leak in DefaultFaceletFactory
9033Erroneous CWWKL0058W warning when multiple JARs in library have META-INF/services
9069Web Admin Security Updates
9079Terminate misbehaving HTTP/2 connections
 

Fix pack 19.0.0.9

Fix release date: 20 September 2019     
Last modified: 20 September 2019     
Status: Superseded     

Download Fix pack 19.0.0.9

 
ComponentSecurity APARAPARDescription
Liberty Debug and Tracing PH15280Leak of RACF ACEE control blocks in Liberty server
Liberty KernelPH17088 Apache Commons Compress denial of service vulnerability (CVE-2019-12402)
  PH17796ConfigHash value in plugin-config.xml causing parsing issues
Liberty z/OS PH15877Angel stops without detecting active Liberty servers
Security PH15505Collectives keystore mismatch
WebSphere Compute Grid PH10566Issues with remote partition restart if server crashes
 
 Open Liberty Release fixes:
Issue/PRDescription
7600social login linkedin flow is broken and needs updating
8169ProfileManager.getImpl call ignores realm allowOpIfRepoDown setting
8219Support direct HTTP/2
8473webAppSecurity overrideHttpAuthMethod set to BASIC or FORM does not function
8546HTTP/2 trailer improvements
8561CWIML4564I informational message lists wrong LDAP server.
8647java.lang.IllegalStateException when running Liberty wlp-webProfile7 19.0.0.8
8761Java Batch: Remote JVM partitions not restartable after executor shutdown
8793Custom fields not logging when using LogRecordContext and field names contain underscores
 

Fix pack 19.0.0.8

Fix release date: 23 August 2019     
Last modified: 23 August 2019     
Status: Superseded     

Download Fix pack 19.0.0.8

 
ComponentSecurity APARAPARDescription
Database Access, Connection Management, Merant/DataDirect drivers PH15281Postgres SQL Large Object API blocked
Liberty z/OS PH13341The --clean action is ignored when WLP_ZOS_JOBNAME is set
Security PH15089A login might be required for unprotected resources when none of TAIs processed a request
Sessions and Session Management PH13932"Using collection QEJBASSN for session persistence." is always output with startup of Liberty servers
Virtual Member Manager (VMM) PH14786Using non ASCII characters (ex. Chinese) in an SCIM filter fails
Web Container PH14619ServletContext.getRealPath() should not return null for nonexistent files
 
Open Liberty Release fixes:
Issue/PRDescription
5035Update ServletContext.getRealPath() behavior
7521Call Class.forName() within doPrivileged block from WASURLObjectFactoryFinder
8085HttpServletMapping.getPattern is not correct for /* mapping
8128Clean up URIMatcher40 and ServletWrapper
8141Adding mpConfig-1.3 feature while the server is running does not install the configuration feature properly
8250OIDC discovery endpoint does not emit the revocation endpoint
8252Eclipselink: Fix bug 547173
8274WSOC: fix a read during close timing window.
8277login process is carried out for unprotected resources even TAI does not intercepts a request
8304Loose application with MP Health not picking up changes after recompile - GM 19.0.0.7
8307Error on edit for OAuth client with no secret
8339openidconnect emits httpclient spurious log warnings for certain cookies
8346Liberty 19.0.0.7 Blocks *all* Large Object API functions for Postgres
8401Add doPrivileged block in WASInitialContextFactoryBuilder for class look up
8449content-length header should not be required for HTTP/2 requests
8458Channel framework chains not closing down before timeout
84608458 - Loop until cfw chain is closed
8474PushBuilder should ignore headers with null values
8482URBridgeEntity uses NLS message key, REQUIRED_IDENTIFIERS_MISSING, which is not defined
 

Fix pack 19.0.0.7

Fix release date: 25 July 2019     
Last modified: 25 July 2019     
Status: Superseded     

Download Fix pack 19.0.0.7

 
ComponentSecurity APARAPARDescription
Liberty Administrative CenterPH13994Clickjacking vulnerability in Liberty Admin Center (CVE-2019-4285)
Security PH13970After updating to 19.0.0.4, SESN0008E errors started occurring
Systems Management Functions PH13649Invalid command line optional parameter (--hostName) with "collective help addReplica"
Virtual Member Manager (VMM) PH13757SCIM 1.0 returns HTTP 404 return code for user search
 
Open Liberty Release fixes:
Issue/PRDescription
5337NullPointerException in BridgeUtils seperateIDAndRealm(...)
6158Pull in MyFaces 2.3.3 once it is released
7539Federated Repositories LoginBridge does not handle output property mappings that are multi-valued
7552JPAContainer incorrectly sets App Classloader as the CCL
7612Scrub error response for unwanted characters
7670IllegalArgumentException in MP Metrics from timing issue
7854WSLogManager static fields not properly initialized in jdk7
7871Fix NPE in WebAppSecurityCollaboratorImpl when invoking web resource using custom HTTP method
7888socialLogin needs to produce choice menu with one provider and localAuth enabled
7920WASReqURL cookie path is not set when the context root of an application is set to root
7984When Auditing function is enabled, it is potential that SRVE0777E error is logged
7986Memory leak when stopping applications
8034NullPointerException in UniqueNameHelper.getValidDN
8096After updating to 19.0.0.4, SESN0008E errors started occurring
 

Fix pack 19.0.0.6

Fix release date: 28 June 2019     
Last modified: 28 June 2019     
Status: Superseded     

Download Fix pack 19.0.0.6

 
ComponentSecurity APARAPARDescription
Channel Framework PH13269Delay ALPN init until required and free ALPN resources on connection errors to prevent OutOfMemory
Liberty Debug and Tracing PH11759Performance drops when writing a large amount of log entries to Liberty console log
Liberty z/OS PH12644Keys are not stored in ICSF with triple-length PCICC format
Security PH07530A NullPointerException is thrown during SAFKeyRingNotificationMbeanImpl initialization
Web Services Security PH11031OAuth runtime emits error when adding EXTENDEDFIELDS column many times
 
Open Liberty Release fixes:
Issue/PRDescription
6317JAX-RS request context modified after client request
7207EclipseLink: Deliver Bug #421056
7433Avoid inferring caller in LogRecord.getSourceClassName and getSourceMethodName when processing System.out calls
7440Investigate possible difference in values between Prometheus and JSON format metrics
7632EclipseLink: Deliver Bug #421056 pt2
7634Session time based write option not honor small time interval
7695java.sql.Connection's network timeout not getting set to the correct value
7831Timing issue between deleted configuration and configuration store

Fix pack 19.0.0.5

Fix release date: 31 May 2019     
Last modified: 31 May 2019     
Status: Superseded     

Download Fix pack 19.0.0.5

 
ComponentSecurity APARAPARDescription
General PH11801Liberty 19.0.0.3 cannot start Java health center starting with IBM JDK 8.0.5.31
Security PH08972Liberty on z/OS message CWWKS2934E issued during initialization is confusing when it does not reflect final status
Systems Management Functions PH11844Joining a member to a back level controller fails when the collective uses a collective-wide ssh key
 
Open Liberty Release fixes:
Issue/PRDescription
6095Ability to extend the size of the log buffer beyond 8k on WebSphere Application Server Liberty Profile
6391Building .tar.gz server package fails on Windows
7307redirectcontextroot=true and redirected secure page causes null
7332remoteIp "proxies" Default Regex Adjustment
7407Better handle private headers during message deserialization
7434NullPointerException in MethodAttribUtils.getXMLCMCLockAccessTimeout
7441NullPointerException in AppDefinedResourceFactory
7448NPE in LTPAConfigurationImpl.loadConfig
 

Fix pack 19.0.0.4

Fix release date: 3 May 2019     
Last modified: 3 May 2019     
Status: superseded     

Download Fix pack 19.0.0.4

 
ComponentSecurity APARAPARDescription
Liberty z/OS PH10537SMF 120 subtype 11 and 12 records should report the value of cvtzcbp
 PH10538The RCVTID is not available to Java applications deployed in Liberty
Messaging ProvidersPH06340Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046)
Security PI91146Liberty runs unnecessary authentication logic when TAI is configured
 
 Open Liberty Release fixes:
Issue/PRDescription
1338invokeForUnprotectedURI triggers unnecessary authentication
5376LdapConnection getAttributesByUniqueName() throws EntityNotFoundException for existing user
6756Initial requests with custom method (including PATCH) fail with HTTP/2
6982JAX-RS 2.1 Performance
6987Redirect Scheme and Port Mismatch
7044Externalize ThrowIOEForInboundConnections httpOptions
7052mpFT 2.0: Circuit Breaker metrics updated incorrectly when non-failure exception thrown
7071Outbound SSL Connection IOException
7080FT 2.0: Circuit breaker does not correctly restrict executions when in half-open state
7083Using Automatic WorkQueue for Async JAX-RS responses
7102Improve BNF Header Storage
7171inherited templated transient views raising "unable to create views" exceptions
7184Test Failure: EEConcurrencySpecTest.testListenerInvokeAnyWithTimeout Future.get interrupted during taskDone with CWWKC1120E
7211getManagedConnection: illegal state exception. State = STATE_INACTIVE after abort due to transaction timeout
7260Problems with resolution of environment variables
 

Fix pack 19.0.0.3

Fix release date: 5 April 2019     
Last modified: 5 April 2019     
Status: Superseded     

Download Fix pack 19.0.0.3

 
ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI) PH09834java.lang.VerifyError on OpenWebBeans with Java 8 update 11 and 7 update 65
EJB Container PH08828OutOfMemory in InjectionEngine cache
General PH09657Usage Metering discards metrics on HTTP 500 response from metering service
  PH12825TransactionScoped observers do not fire
Java Message Service (JMS)PH07036Potential Spoofing vulnerability in WebSphere Application Server (CVE-2018-1902)
Liberty Administrative Center PH06250Accessability section 508 compliance for admin center
Liberty z/OS PH09140Liberty server request failures after the angel process is canceled
Web Container PH08872The servletRequeset.getContextPath() might return a different context path when using with OIDC client application.
Web Services (JAX-WS, JAX-RS) PH09634The policy-attachments-server.xml file under WEB-INF is not processed
Web Services Security PH09651OpenID Connect client authzParameter and tokenParameter values not updated when dynamically removed from server configuration
 
Open Liberty Release fixes:
Issue/PRDescription
4300DefaultExtensionProcessor file.not.found message does not contain default message that takes a parameter
6019ApplicationManager startTimeout blocks startup when app is missing
6129Fix Java 2 Security issues with JSPs
6246Apply "useAuthenticationDataForUnprotectedResource" to jwtSso cookie
6255jsonp-1.1 API dependencies incorrect
6295ClassCastException when using binaryLog with --monitor
6317JAX-RS request context modified after client request
6360Filter out embedded server dependencies for Spring Boot 2.1.x
6407Test Failure (20190101-0221): com.ibm.ws.kernel.boot.ServerStartAsServiceTest.testWinServiceLifeCycle
6521Generic types are lost in MP Rest Client and JAX-RS clients due to bug in JsonBProvider
6527Stack overflow scheduling new ManagedScheduledExecutor task from task
6573Application exceptions should not be wrapped in EJBException
6628Command line variables are not working on windows
6641ClassNotFoundException thrown during sessionPostInvoke
6659ServletRequest.getContextPath() might return wrong value when OIDC app is in used
6668Externalize maxOpenConnections tcpOptions
6725Using slash slash comment in JSP expression spanning lines can get JSP error
6727JSP slash slash comment fix
6761Custom JAX-RS ParamConverter does not work for collection and array types
6768Using slash slash comment in JSP expression spanning lines can get JSP error, Java7 compatible
6790Loading classes from multi-release jars does not work
6812HTTP request header "If-Modified-Since" parsing fails with IllegalArgumentException if default Locale is not US
6822Automatic EJB Timer creation skipped if database tables do not exist
6868WebContainer: make code more service deactivate aware
6951ClassNotFoundException during JSF initialization
6953Tolerate missing ps
 

Fix pack 19.0.0.2

Fix release date: 8 March 2019     
Last modified: 8 March 2019     
Status: Superseded     

Download Fix pack 19.0.0.2             

 
ComponentSecurity APARAPARDescription
General PH07896Liberty server start hangs on "CWWKZ0018I: Starting application" when thread pool max size is set
Liberty z/OS PH08209Add support for CICS 5.5 for WebSphere Optimized Local Adapters
 PH08497Message ICH408I is not generated when user lacks access to profile prefix in appl class
 PH08753Ship assembler DSECT that maps SMF 120 subtype 11 z/OS connect user data
Security PH08030Changes needed in the SAFAuthorizationService API
Virtual Member Manager (VMM) PH08428NullPointerException is thrown when creating a SCIM user with missing name
Web Services Security PH06141Multipart/related SOAP part Content-Type issue
  PH08466OAuth introspect endpoint does not return correct issuer if OpenID Connect provider configures issuerIdentifier
  PH09706Liberty OIDC message numbers CWWKS1754 through CWWKS1759 are duplicated
 
Open Liberty Release fixes:
Issue/PRDescription
4975Destroy of aborted connections and removal from the pool
5094Fix NPE in servlet cleanup for WebSocket request
5833The federatedRepositry-->primaryRealm-->defaultParents element should support multiple occurences in the server.xml
6017Auto plugin generation is inconsistent with OSGI applications
6183Incomplete SRVE0279E message
6273JAX-RS clearing RuntimeContext for server side message when resource invokes a client
6287Add default value to the remoteIp "proxies" attribute in the metatype.xml of the HTTP Channel
6298Update WebContainer.getCacheManager() to avoid NullPointerException
6323Invalid archive files no longer prevent apps from starting
6348Fix 500 error when servletPath is NULL
6371Handle exception on call to connection.abort
6381WLP 18.0.0.4 fails to rotate trace log on Windows
6408Fix for connection wait timeout message not being translated.
6427Connection wait time does not dynamically change to 0
6452showPoolContents waiting connection requests value is incorrect
6490Test Failure (20190203-0423): PolicyExecutorTest.testConcurrentUpdateMaxWaitForEnqueue
6518Redundant log file in workarea after sever start with errror: java.lang.IllegalArgumentException: The property 'osgi.configuration.area' ... is being overriden ...
6524SSL Channel throws NullPointerException during stress
 

Fix pack 19.0.0.1

Fix release date: 8 February 2019     
Last modified: 8 February 2019     
Status: Superseded     

Download Fix pack 19.0.0.1 

 
ComponentSecurity APARAPARDescription
General PH02684Add an openIDConnectClient configuration option to allow token reuse
  PH07247Unnecessary HttpHostConnectException FFDC logged for usage metering
JavaServer MyFaces (JSF) Apache MyFaces implementation PH06135JSF 2.0 throws a NullPointerException during server shutdown
 PH06389JSF can leak JarFiles causing problems with application removal
Liberty z/OS PH05262Calling request.login() from a servlet does not sync the ID to the thread
 PH07190It is difficult to debug problems when the Liberty server connects to a earlier angel process
 PH07213Ship assembler dsects for smf120 subtype 11 and subtype 12 records
 PH07486Liberty generic MODIFY HELP output is too verbose
Web Container PI80786Http 500 is returned from a request with too many parent directories (forward slashes) in the url
  PH05787ConcurrentModificationException
Web Services SecurityPH07297Denial of Service vulnerability in Guava (CVE-2018-10237)
 
Open Liberty Release fixes:
Issue/PR
Description
3553Set 400 status code for invalid URI
3645User ID is not synced to the thread during HttpServletRequest.login()
4809Remove internal designation/updates for servletPathForDefaultMapping/make servlet-4.0 default / tests
50773645 sync user during login
5341Modify default ldapRegistry-3.0 read timeout to be 1 minute
5772AppClassLoader does not correctly handle null response from ClassFileTransformers
5785CWWKS9582E: The [defaultSSLConfig] sslRef attributes required by the orb element with the defaultOrb ID have not been resolved within 10 seconds.
5798H2: Separate Continuation Frame Checking Between Read And Write
5862ConcurrentModificationException happens when a web application receives a large number of requests immediately after it starts.
5963DataSourceDefinition, ConnectionFactoryDefinition, and AdministeredObject properties should not be path normalized
5970trackLoggedOutSSOCookies setting causing multiple login failure
5976ConcurrentModificationException from ReferenceContext starting web application
59835785-orbssltimeout2-commit1
5992JarFiles never released by JSF
6020Fix Open Liberty Windows Service name in server.bat
6036PollingDynamicConfig tasks can be leaked
6042Hot update broken in 18.0.0.4
6058Invalid connection pool Prometheus metric format (monitor, mpMetrics)
6073OL 18.0.0.4 server package does not package loose application as war
6113Pull MYFACES-4251 to JSF 2.3
6123Trace Specification logging level "off" does not work
6152NamingException masked when listing entries in a JNDI context
 
Fix pack 18.0.0.4

Fix release date: 14 December 2018     
Last modified: 14 December 2018     
Status: Superseded     

Download Fix pack 18.0.0.4

 
ComponentSecurity APARAPARDescription
DynaCachePH02049Cross-site scripting vulnerability in cache monitor (CVE-2018-1767)
General PH02212Application with CDI 1.2 in Liberty 18.0.0.2 fail to start
  PH02361WebSphere Liberty OIDC client implementation is proxy-unaware
  PH02742NPE when doing direct forward operation
 PH02750java.lang.classCastException occurs in OidcClientImpl.logout
 PH03409Seemingly erratic thread pool growth during low or no-load situations after upgrading to 18.0.0.1
 PH04652WebSphere Application Server Liberty for z/OS provides no metrics for usageMetering-1.0
 PH04653Updated CPU limit (--cpus) not recognized by usage metering feature
 PH05071JVM hang when calling GarbageCollectorMXBean.getLastGcInfo for usageMetering-1.0
 PH06256CWWKS1739E: A signing key required by signature algorithm [RS256] was not available when upgrading to 18.0.0.3
 PI97786eclipselink throws "argument type mismatch" for jpql case expression
 PI99263ServletContext.getRealPath() returns null for resource in extended document root
Install V8 and above PH03040Fixpack 18.0.0.3 cannot be installed on IBM i
 PH04137Updating WebSphere Liberty for z/OS to fix pack 18.0.0.3 fails with NullPointerException
JavaServer Pages (JSP)PH02063Potential security bypass in WebSphere Application Server with Expression Language library (CVE-2014-7810)
Liberty z/OS PH02955Unable to use SAF Keyring for collective SSH communication
 PH03549When the zosWlm-1.0 feature is enabled. the health indicator of the server is only ever set to 2 percent
 PH03768EntryNotFoundException SAFGRP is not a valid group
 PH04243EC3 abend reason code 20F00600 occurs after a 422 abend
 PH04282Error authenticating when Liberty server tries to connect to a back-level angel process
 PH05100OutOfMemory failure in Liberty under CICS when connected to an angel process
Messaging Providers PH00027After migrating to WebSphere Application Server V9, the CWSID0046E error is seen in the logs
Systems Management Functions PH03232Incorrect server state reported in a multicontroller collective
Virtual Member Manager (VMM)PH02811Privilege escalation vulnerability in WebSphere Application Server (CVE-2018-1901)
 PH04136Attempt to create user in SCIM returns 500 HTTP status code with DefaultParentNotFoundException message
 PH04147Attempt to update user ID in SCIM returns 500 HTTP status code with IllegalArgumentException message
Web Services (JAX-WS, JAX-RS) PH02234Issue when processing the caller token for UsernameToken
 PH03014A property is set in the RequestContext but the interceptor does not read this property resulting in a NullPointerException
Web Services Security PH03004CWWKS1721E: The resource server received an error it was attempting to validate the access token z/OS Connect EE
 PH05414OpenIdConnect client subject might not contain Id Token
WebSphere Compute Grid PI87244Firewall prevents the Liberty Java batch tool from displaying job logs
 
Open Liberty Release fixes:
Issue/PR
Description
1438JAAS login module shared library is missing protection domain
2663PH00738 Session scoped beans are not updated in the database when liberty is configured to only persist updated session attributes
3113ArrayIndexOutOfBounds in LdapConfigManager.setFilters()
3919Future does not return immediately when timeout fires when using timeout with Async
4132full tmp dir prevents server from reading server.env during startup
4135Pull in MyFaces 2.3.2 once released
4202Migration of JMS delivery delay.
4332Need to fix first line of output from Liberty JSON log format to actually be JSON
4535LogRecordContext API is missing from /wlp/dev/api/ibm jars
4760Expose a couple of packages to the thread-context in jsf-2.3
4792Fix BundleContext is no longer valid error on server shutdown
4853Provision compatible javax.annotations API for SpringBoot applications
4873Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
4898H2: fix some HTTP/2 code and test issues uncovered by further parallel stream stress testing
4912Fix missing doPriv in unwrap
4913JSR375: When JASPIC is enabled, a login panel pops up even EVERYONE role is assigned
4955Externalize multiple httpOptions
4960Faces servlet mappings defined in web-fragment.xml do not work - jsf-2.2
5045Add a recursion counter for messagehandlers into BaseTraceService
5076NullPointerException in ClassLoadingServiceImpl
5088SpringBoot applications fail to start when a non jar file is in the library directory
5094

Fix NPE in servlet service which may happen when WebSocket is used

5114Test Failure (Liberty - Mac EBC - 20180915-0112): PolicyExecutorTest.testStartTimeout
5126HTTP/2 engine must tolerate priority frames received in any state and better handle flow control problems
5149update openidconnect client way of sending credentials to userinfo endpoint
5154Flush queued actions when an app is removed
5164/metrics output got truncated on Japanese locale
5244MYFACES-4252 Classpath._searchDir can throw NullPointerException
5277Fix Java 2 Security access issue in kernel DefaultFileStreamFactory
5293Deadlock in ZipFileArtifactNotifierImpl
5339H2: Fix race condition in multi-stream writing logic
5345Improve our serviceability around page search and chasing referrals for Ldap
5363MP Rest Client does not honor MP Config-specified providers
5383Occasional HTTP/2 MessageSentException: Message already sent
5395SSL config not used by RestClient
5425JAX-RS Client does not pool HTTPS connections
5428Fix bug in server package server-root command
5441JMSContextInjectionBean uses deprecated CDI method
5453Microprofile appProperties element not showing up in schema
5465Pull MYFACES-4260 to both jsf-2.2 and jsf-2.3 features
5483release bug: implement PH02361 in development stream
5498When using advanced connection manager property numConnectionsPerThreadLocal and connection fail during cleanup, the connection managers connection pool may fail to remove failing connections resulting in no connections being available.
5510Deliver fix for CVE-2014-7810
5557OpenId Connect clients might exhibit a thread leak
5560MessageSentException intermittently during flushBuffers
5585EJB timer ScheduleExpression serialization incompatibility
5590Failed to createMinimumEscapeHandler for unknown jaxb class
5637Expose jsf 2.3 org.apache.myfaces.push.cdi to thread context class loader
5647Fix --include default to have /usr for server and shared folder
5779Too many threads during low-load operation
6002CWWKS1739E error may occur when using OpenID Connect in 18.0.0.3
 
Fix pack 18.0.0.3

Fix release date: 21 September 2018     
Last modified: 21 September 2018     
Status: Superseded     

Download Fix pack 18.0.0.3             

 
ComponentSecurity APARAPARDescription
General PH00304The maximum connections setting of a data source's connection pool is not  always honored
  PH01447Improvement to SSL Closing Handshake
  PH01499APAR for OLGH4402
 PH01610Application fails to start due to JAXBEXCEPTION after upgrading to 18.0.0.2
PI99176Information disclosure in WebSphere Application Server Liberty (CVE-2018-1683)
 PI99600AccessControlException thrown when connecting to Health Center with Java 2 Security enabled
 PI99672Remove the first_rows hint from Oracle V10+ pagination queries
Intelligent Management Component PH00735Null Pointer Exception when HTTP or HTTPS ports blank in server.xml
Java Persistence API (JPA) PH01681Then and else expressions should be case result instead of case operand type
Liberty z/OS PH01179Duplicate entries of the BBGZSCFM module are listed in the output of IPCS LPAMAP
 PI96910ICH error messages are not issued during Liberty startup when checking for access to BBG.SECPFX.* and APPLl profiles
 PI97659Display memlimit value and source as well as region information in Liberty log at startup
 PI98758Setting enablefailover to false for the safregistry can produce misleading messages if authorized services are not available
 PI99411The Liberty message log DD is not configurable
Security
PH01295Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755)
 PI97676Message CWWKS1100A may be misleading
 PI99285User login fails when configuring zOS mapDistributedIdentities
Systems Management Functions PH00435Collective controller logs NoSuchElementException from LivenessMontiorV2
 PH00566Member should fail over after continuous 2 minutes sendHeartBeat failure
 PH00730The unnecessary information should not be generated in repository dump file
 PH00926Collective repository dump should include non-sensitive host and jmx auth information to help diagnose issues
Virtual Member Manager (VMM) PH00881SCIM does not return paged results for requests that do not include the 'count' parameter
 PH01668SCIM incorrectly returns 500 on MaxSearchResultsExceeded
 PH01863SCIM updates to users can result in attributes being marked for deletion that were not designated for deletion by the request
 PI99257Requests to SCIM to retrieve a resource by ID that do not include an ID result in an 500 HTTP status code
 PI99317Request to SCIM "groups/{ID}" endpoint specifying "members" attribute does not return the group members
Web Container PH00448A CWWKE0702E message is printed when the webCache-1.0 feature is enabled
Web Services (JAX-WS, JAX-RS)
PH00401Potential man-in-the-middle attack in WebSphere Application Server Liberty for JAXWS(CVE-2018-8039)
 
PH01221Potential man-in-the-middle attack in WebSphere Application Server for JAXRS (CVE-2018-8039)
Web Services Security PH12959
OAuth provider does not update settings in the consent cache
 PH03418Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty (CVE-2018-1851)
  PI95405Liberty may not find key in JWK by x5t
WebSphere Compute Grid PH02256File access exceptions when running a Java Batch application with syncToOSThread enabled
 
Open Liberty Release fixes:
Issue/PR
Description
2489Global error when there are no registries available (Ldap,etc) for VMMService
2659Capture security context from Java Batch thread when syncToOSThread is enabled
3422Check for override of default configuration and ignore
3489MP Rest Client does not use Liberty SSL config when making outbound requests
3522Update Xalan library
3853basicRegistry-1.0's 'ignoreCaseForAuthentication' attribute does not apply to getUsers(...) method
3952Add global error when user registry is not found
4002Incorrect CWWKZ0022W messages printed with VirtualHost Usage
4016Quiesce should not be blocked by application start
4028Liberty 18.0.0.1 startup issues with Arabic locale
4040Make RC consistent for starting liberty as a Windows Service
4044Server failure before framework startup can leave JVM running
4158Need to squelch "Could not obtain lock" errors appropriately
4186Need to improve config dropins processing
4203In 18.0.0.2 an IllegalArgumentException can occur when "maxParamPerRequest="-1"
4211Java 2 security issue in org.apache.cxf.transport.https.HttpsURLConnectionFactory
4244Add global error when user registry is not found
4272When a thread is interrupted waiting for a connection from the connection manager, maximum connections will be decremented.
4275NPE in JAXRS client when OpenTracing is included
4310Spring boot application deployment in Liberty throwing Class cast exception
4341PageControl's 'startIndex' is not honored when 'size' is greater than results
4345Add doPrivileged code for InetAddress related activity in messaging
4346Add doPrivileged code for InetAddress related activity in IIOP
4368ConcurrentModificationException when a JAXRS API has multiple consume and/or produce MediaTypes
4392Fix server hang issue when bootstrap.properties variable is incorrectly specified
4402Format problem with logs when traceFilename=stdout and traceFormat=ENHANCED / BASIC
4462NonPersistent EJB timer dying if timeout throws exception on last retry
4465RejectedExecutionException: Trigger.getNextRunTime: null creating EJB timer
4505SSL Closing handshake improvement
4521Install kernel does not throw exception if already installed features are specified again with a different capitalization
4530Install kernel map installs features without wlp/bin and wlp/dev contents
4531ManagedScheduledExecutor tries to run tasks during server shutdown
4550Injection race condition in JAX-RS during startup
4609Maven features should provide transitive dependencies for stable API, third-party API
4619PersonAccount's and Group's get(String), isSet(String), and unset(String) methods may throw NullPointerExceptions
4666Correct getServletPath for default mapping
4712release bug: mpjwt JsonWebToken.getAudience() return type noncompliant with spec when no audiences present.
4717Update Yoko to favour CSI endpoints
 
Fix pack 18.0.0.2

Fix release date: 29 June 2018     
Last modified: 29 June 2018     
Status: Superseded     

Download Fix pack 18.0.0.2 

ComponentSecurity APARAPARDescription
Contexts and Dependency Injection (CDI) PI92477WELD-2447 ClientProxy serialization support should be container agnostic
  PI95074WELD-2466 null pointer exception in webservice calls
DynaCache PI94514NullPointerException occurs using a MetaDataGenerator
EJB Container PI95215MessageEndpoints are notProperly released
General PI95821StabilizeProduct Insights Enablement
 PI96187Update bluemixUtility command for data sovereignty regulations
 PI96735Access log "maxfiles" attribute not working as intended with value of 0
 PI97234APAR for OLGH2631
 PI99031Garbage collection events not captured by logstashCollector-1.0 for IBM Java 8 SR 5 FP 6 and above
Intelligent Management Component PI92330CWWKS2910 error when using dynamic routing in Liberty on z/OS with SAF security
Java Persistence API (JPA) PI92847JPQL with trim is not handledProperly and it results in DatabaseException
 PI93064EclipseLink throws ORA-00932 for CLOB fields in an ElementCollection
 PI94027EclipseLink JPQL generation for nested arrays with 'in' expression
 PI95283EclipseLink InsertObjectQuery concurrency failure
 PI95766db representation of boolean values withPostgres is incorrect
  PI97483Eclipselink re-sorts insert and removes statements within a transaction
  PI97786Eclipselink throws "argument type mismatch" for JPQL case expression
JavaServer MyFaces (JSF) Apache MyFaces implementation PI93972Classloader issues in JSFExtensionFactory can cause NPE
 PI94947Update of composite component within ui:repeat does not work
Liberty Administrative Center PI98574If Liberty Admin Center was accessed via reverseProxy,the Liberty server made an unnecessary request back to theProxy server
Liberty z/OS PI82554WebSphere Liberty AngelProcess does not identify its version and fix pack level during start-up
 PI90719Command line script to detect if commandPort is enabled, for use duringPause/resume request
 PI93922SMF120-11 timeused and starttime is only set for a forwarded servlet
 PI95864Specifying an angel name of "" for the server does not register server to default angelProcess
 PI96813It is difficult to automate WebSphere Liberty from messages on the z/OS console
 PI96954Liberty on z/OS memory leak in 64bitPrivate due to native DirectByteBuffer support
 PI97611ABEND0C1 in ntv_getAngelVersion with WebSphere Liberty version 18.0.0.1
Security PI89624CWWKS4106E: LTPA configuration error in Liberty
 PI95717suppressUncoveredHttpMethodWarning configuration does not work
 PI96014Authfilter in Liberty not matching when multiplePaths are defined
 PI96597There is an issue with the cache
Systems Management Functions PI95994Deploying docker container as liberty collective member failed with error "already appears to be a member."
 PI97924Improve the error handling of a Collective join command using sshPrivateKey option
Virtual Member Manager (VMM) PI96814SCIM returns HTTP status code 500 whenPassed an invalid filter
Web Container PI93226SRVE0266E : Error occured while initializing servlets:java.util.ConcurrentModificationException
Web Services (JAX-WS, JAX-RS) PI97288Attachments behavior change in Liberty after migrating from tWAS
Web Services Security PI94599Intermittent NPE in SocialLogin feature when a running server is reconfigured
 PI96012Client authentication JWTS require "sub" claim
PI96884Information disclosure in WebSphere Application Server Liberty (CVE-2018-1553)
WebSphere Compute Grid PI90716Liberty z/OS CWWKY0035I: An exception occurred while trying toPersist job java.lang.IllegalStateException: no match found
 PI90961Liberty on z/OS: Batch JMS dispatcher change to lazy access of connection factory
 PI93514JobPurge request deletes the batch db records even when the executor JVM is stopped
 PI98247After batch events config change,atchManagerZos hangs waiting for job completion; batch job log events notPublished correctly
 PI98295The dispatch (JMS) message for a stopped job can, if later consumed, cause a later restart execution of that job to fail.
 PI99138Repeated delivery of Batch job dispatch JMS message resulting in ClassCastException each time
 
Open Liberty Release fixes:
Issue/PR
Description
1261LDAP registry with global class mapping in groupMemberIdMap adds "objectclass=*" to Group searches
2792On restart of a Java Batch job, deserialization fails when checkpoint objects contain array type fields
2877JSP engine unable to find tag files within loose JAR file
3045Send and receive Strings in SIB messages using strict UTF8
3102In 18.0.0.1, the minify option is not making the runnable JAR package any smaller
3103Access Log "maxFiles" attribute not working as intended with value of 0
3106Kernel Service MBeans not properly exposed
3127Federated repositories does not restrict the names of extended properties
3132Package `com.ibm.websphere.kernel.server` is not exposed as IBM-API
3140Default app classloader ProtectionDomain set by common libraries
3160AsyncIO native direct ByteBuffer leak
3198Avoid full deserialization within ObjectMessage.toString()
3226NullPointerException from EJSContainer.postInvoke() method
3233Close streams for repositories represented by a single JSON file
3248Add mapping of all JSP files in web module into the generated_web.xml
3280Test Failure (20180420-0319): LoadTest.testCommitAndRollback RuntimePermission denied for WSJdbcTracer invoking newProxyInstance
3383ldapRegistry-3.0 does not configure a read timeout for JNDI connections
3490PI96086 - Nested EJB Async method calls not honoring nested get(timeout, unit) timeouts
3520suppressUncoveredHttpMethodWarning does not work
3533Redeploying WABs leads to OutOfMemoryError
3577JAXRSClientImpl.target(UriBuilder) fails with IllegalArgumentException when client built with input containing a template variable
3578Batch runtime should only transition to InstanceState.JMS_CONSUMED from JMS_QUEUED state.
3700java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc.PgPreparedStatement.getLargeUpdateCount is not yet implemented.
3739Failure to load JPA PersistenceServiceUnit used by Batch feature using V2 version of JobInstance entity.
3752Connection leak if failure occurs while managed connection is being constructed
3779Update EclipseLink binaries from 2.6.6.WAS-3e5c71a to 2.6.6.WAS-0ab4033
3785Security exceptions thrown when trying to use IIOP with Java 2 security
3851JAX-RS Client APIs fail when attempting PATCH method over HTTPS on IBM JDK
3889Validate paths within WAR files
 
Fix pack 18.0.0.1

Fix release date: 16 March 2018     
Last modified: 16 March 2018     
Status: Superseded     

Download Fix pack 18.0.0.1 

 
ComponentSecurity APARAPARDescription
General PI93106Product insights attempts to send usage after failed registration
Java Persistence API (JPA) PI92398Under certain conditions OpenJPA can insert an embeddable into the Datacache map
  PI95871Wrong context Classloader in org.apache.openjpa.enhance.pc
JavaServer MyFaces (JSF) Apache MyFaces implementation PI87954Hung thread issue in MyFaces _getMetaDataTarget
 PI90391Fix bug MyFaces-4045 in IBM myfaces implementation
Liberty Administrative Center PI93411Saving changes to member's configuration files via Admin Center's Server Config tool get applied to the controller instead
Liberty Kernel PI94763Fileupload causes NullPointerException on getHeader() call
 PI94116Open Liberty rollup for 18.0.0.1
Liberty OSGi Application PI88291Slow start of the web services and error during the startup of the services
Liberty System Management PI92311Memory leak in liberty swagger library during application stop/start
Liberty z/OS PI91275Add an informational message to WebSphere Application Server Liberty on z/OS logs to indicate which angel process is used
 PI91511SMF 120-11 UserData added from a filter does not show up in the final SMF record
 PI92070WebSphere Application Server Liberty on z/OS WOLA CICS link server fixes for RTXSYS and RTX parameters
 PI92171An intermittent performance degradation is observed with CICS v5.4 and Liberty 17.0.0.3 compared to Liberty 17.0.0.1
 PI92868WebSphere Application Server Liberty on z/OS crash in CICS BBOATRUE during shutdown when embedded Liberty servers are at a mix of 16.0.0.3 and 17.0.0.3
Security PI86784Enable the function of enforcing URL hostname verification as an attribute on the ssl element of server.xml
PI90980Potential spoofing vulnerability in WebSphere Application Server (CVE-2017-1788)
 PI91500GetUserPrincipal().getName() returns garbled user ID on 17.0.0.3
 PI92764Message CWWKS3005E issued when a Federated repository is configured
 PI94094SAF API doc missing from Javadoc package in Liberty
Sessions PI93474Remove SessionManager instance when application is stopped
Systems Management Functions PI92781A Liberty collective controller sometimes logs a NullPointerException
  PI92828Liberty collective intelligent management features may fail to function correctly intermittently
Web Container
PI90804Security vulnerability in Apache Commons FileUpload used by WebSphere Application Server (CVE-2016-1000031)
 PI92334Application class loader is not set correctly in a thread during an async operation
Web Services (JAX-WS, JAX-RS)
PI92494Potential denial of Service in WebSphere Application Server Liberty for JAXWS(CVE-2017-12624)
  PI92886Policy attachments not working as expected
Web Services Engine PI92386High CPU usage on Liberty when using IBM JDK
Web Services Security PI88321Liberty always honors RelayState during IdP-initiated SAMLWeb SSO
 PI93303CICS_REGION_BUT_API_DISALLOWED surfaces using OAuth-2.0 feature
 PI93579exp' is earlier than the 'iat' in OIDC token
 PI96273Some 404 and 500 errors in OAuth or OpenID Connect might expose configuration information
 
Open Liberty Release fixes:
Issue/PRDescription
402
Add stop command to readme file
407
Informative error message for collision with reserved resource adapter ids
938
Challenge when using request.authenticate with BasicAuthenticationMechanismDefinition
1047
LDAP paging failure recovery reuses cookie when switching failover servers
1102
Improve CDI performance by not loading too many classes
1125
Readd ability for hot replace for trace injection for IBM Java 8.0.0.6+
1142
MyFaces-4045 JSF 2.2 flow reentrancy fix
1143
RememberMe cookieName needs to support EL expressions
1150
Corrections to AnnotationTargetsImpl_Targets.isInstanceOf
1164
Fix Java 2 Security problems with Bean Validation 2.0 code
1173
Pull in MyFaces-4177 to JSF 2.3
1202
Fix for resetting autocommit for non transactional datasources
1204
Grant Hibernate validator accessPrivateMembers permission by default
1210
Channel.ssl FFDCs thrown during server shutdown
1232
Description of runIfQueueFull should refer to relation with maxPolicy
1243
Pull in MyFaces-4066 to JSF 2.3
1255
Fix and test issue where a connection error occurs on a free connection
1266
Fix JPA 2.2 Bindings Files
1267
Bean Validation CDI extension fixes
1272
Pull in MyFaces-4176 - Search expression fails to resolve component outside of form
1278
PI91306: UriInfo.getMatchedResources() does not return resource class information
1311
Update EL handling in database and LDAP identity stores
1320
PI87504: JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
1336
Release JACC policy context in post invoke
1344
Try to remove an existing SAF map before adding one
1349
Update Bean Validation 2.0 descriptions to mention providers used
1362
Thread context propagation for managed completable future
1372
In beans.xml, element causes ProcessAnnotatedType<> events to not fire
1382
Cannot register a second (synchronized) handler with an already active logging source
1384
ConcurrentModificationException when both Console and Message JSON handlers are configured
1424
If the command port is disabled when issuing a pause or resume request from the server script, issue a message saying so
1433
Fix Java 2 Security errors in LogUtils by ensuring getClassLoader calls are in doPriv
1439
Improve synchronization mechanism between BaseTraceService and MessageLogHandler
1459
Property com.ibm.ws.jaxrs.client.disableCNCheck not honored
1485
Fix NPE that may occur when multiple CDI-injected servlets are specified in the web.xml for a JAXRS application with load-on-startup specified
1498
Fix IOException not closing socket
1501
Fix JSF _ComponentAttributesMap performance issue
1504
Address CVE-2017-1000208 vulnerability in Swagger Parser for MicroProfile OpenApi
1520
Improve performance when JAX-RS applications are updated
1553
Web binding overrides are not properly recognized with autoExpand apps is enabled
1565
Fix exception when parsing faces-config-extension element
1578
Cannot use app-defined for Bean Validation
1597
SQLServer JDBC driver not recognized when defining a dataSource on
1599
Fix for JDBC getClass().getInterfaces() method calls
1607
Fix NPE in EJBAsyncRuntimeImpl.modified when updating asynchronous config
1671
Fix BundleException Cannot connect region 'system.bundle' to itself
1674
ServerEndpointControlMbean returns true when isPaused is called with an empty target
1685
Resource.getRequestPath returns incorrect path in JSF 2.3
1687
JDBC pool manager must avoid caching values obtained from the managed connection factory
1709
Fixed JASPIC error and exception messages
1731
Fix Java 2 Security errors related to JAX-RS getServiceReferences() and getService() methods
1743
Fix context class loader in servlet async dispatch or runnable
1758
Make consoleLogLevel default to an env variable setting first
1764
Fix NPE that could occur during MyFaces validation
1765
AccessControlException from JAX-RS 2.0 when servlet filter is used
1786
No longer WARN on 404 Not Found
1795
Fix writing of single-file-repositories
1865
PushBuilder.push error conditions updated
1911
AccessControlException from the EL API when using JSF 2.3
1935
Java 2 Security issues in batch-1.0 feature
1944
WebSockets for non-secure BASIC_AUTH adhere to session invalidation
1948
Avoid overwriting updates made to the session cache by another thread
1950
Implement HttpServletResponse.getTrailerFields()
1952
PI93226: ConcurrentModificationException during application startup
1963
Fix Java 2 Security issue with package minify
1975
Remove SessionManager instance when app is stopped
2010
Update HttpServletResponse setTrailerFields error conditions
2016
Ensure header names are non empty and accept empty header values
2022
Retrieve all values on multi-valued LDAP properties
2044
Return the correct HttpServletMapping during include, async and when using a named dispatcher
2050
Fix org.apache.myfaces.flow.cdi.FlowScopeBeanHolder incompatible across versions
2057
Handle null/empty contracts in JAX-RS Client.register(...) calls
2067
Fix CWWKS4106E: LTPA CONFIGURATION ERROR IN LIBERTY when using PKCS11Impl provider 
2071
Fix for garbled User Principal when binary data is retrieved from registry
2086
Throw IllegalStateException in SseEventSink.send when SseEventSink is closed 
2143
Fix batch runtime table version determination
2150
Close JAX-RS sink on exception
2175
Fix ConcurrentModificationException during app startup
2251
Product information for replaced products should not be displayed
2270
Issue warning message when it is determined security not present
2336
Fix ConcurrentModificationException during app startup
2340
Fix JSON output of JSON console (remove duplicate basic messages and abide by consoleloglevel)
2358
Fix java.lang.NullPointerException in AccessLogger
2385
Fix NPE that can occur with certain logging configurations
 
Fix pack 17.0.0.4
Fix release date: 21 December 2017     
Last modified: 21 December 2017     
Status: Superseded     

Download Fix pack 17.0.0.4
Component
Security APAR
APAR
Description
EJB Container
PI89936Vulnerability in Apache Commons affects EJB Embeddable Container and JPA Client (CVE-2015-7450)
General PI80333Support CPU constraints in ProductInsights
 PI82233Non-daemon threads are created with remote EJB using the IIOP transport
 PI82510Liberty appserver automatically decompresses the bodies of incoming http-soap messages
 PI82557TCP Channel access lists not documented
 PI84016OpenJPA orm.xml default schema used over 'openjpa.jdbc.Schema' property
 PI84349Liberty Oauth 2.0 may encounter a SQL syntax error for the option "LIMIT" during cleanup
 PI84428ArrayIndexOutOfBoundsException from OpenJPA for query on EmbeddedId
 PI85402EclipseLink does not recognize Java 9 platform
 PI86208Cannot decode IOR due to ClassCastException
 PI86321Liberty OpenID Connect Relying Party does not handle large id_tokens in implicit logins
 PI86840Eclipselink generates sequence IDs incorrectly for @EmbeddedId classes that are shared across multiple entities
 PI86914Correct mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
 PI87557Null pointer exception when TAI returns NULL TAIResult
 PI87565OutOfMemory issues from webcontainer component WebComponentMetaDataImpl
 PI88051Application reload when a JSP file under WEB-INF is updated
 PI88485The groupProperties membershipAttribute does not work when filters exist
 PI88618CWPMI0010W was found in the messages.log
 PI88620Performance degredation when federating SAF registry
 PI89003Help tet for the BatchManager listJobs command is unclear
 PI89041FFDC java.lang.IllegalStateException: Module has been uninstalled. occurs when dynamically configuring Liberty
 PI89278Incorrect value of FreeConnectionCount
 PI89446Product Insights throws NullPointerException
 PI89584Certain early startup and product script messages are not properly translated into non-English languages
 PI89672OutOfMemoryError in ArrayList containing objects of type com.ibm.ws.logging.internal.impl.IntrospectionLevelMember
 PI9001330 second delays for remote EJB when running as a collective member
 PI90154BluemixUtility fails to create/delete instances of Watson Discovery service
 PI90282CWWKB015E IWMEJOIN return code 2,135 during servlet read listener
 PI90699ProductInsights errors after resuming from 'sleep' state
Java Persistence API (JPA) PI80863Issue with the way OpenJPA caches and reuses query parameters for BETWEEN expressions when OpenJPA's QueryCache property enabled
 PI81260OpenJPA does not pass-through SSL connection properties that set using openjpa.ConnectionProperties when creating Db2 connection
JavaServer MyFaces (JSF) Apache MyFaces implementation PI88288jsf-2.0 MyFaces error handling cannot be enabled in production project stage
 PI88850High CPU issues from org/apache/myfaces/
 PI89168Protected-view not working in Liberty 16.0.0.4
 PI89363ProtectedViewException for a protectedview access while checking the OriginJeader for appContextpath
 PI90507Instances of action listener in a FaceLet are not being removed until app shutdown
 PI90509Fix for MYFACES-3752
Liberty Application Services PI69483Removing IBM-App-ForceRestart header causes applications not restarted
Liberty Kernel PI90930Open Liberty Rollup for 17.0.0.4
Liberty z/OS PI86596Removal of possibly misleading FFDC z/OS liberty Async Servlet support
 PI90060Messages occurring very early at startup are not printed to the MVS console when requested in the zosLogging configuration
 PI90429When starting a Liberty server as a started task on z/OS from the server script there is no option to specify a job name
Performance Monitoring Tools PI81367java.lang.ClassNotFoundException dumped in the FFCD log file when PMI monitor feature is enabled
  PI87599ConnectionPoolStats MBean was not available if enabled the trace with com.ibm.websphere.monitor.*=all
Security PI88769Liberty 17.0.0.2 is throwing ClassCastException when calling ibm_security_logout with Extreme Scale feature enabled
Session Initiation Protocol (SIP) Container PI78794The SIP Container fails to parse a message when the size exceeds 2048 bytes and double CRLF is sent before the message
 PI79119With number.of.parse.errors.allowed set to -1 WebSphere drops well formed requests
Systems Management Functions PI81552Application state becomes stale at the Liberty collective controller
 PI83274Incorrect collective member status shown in Admin Center
 PI88296Password protected ssh keys cannot be used for remote host authentication
Web Services Security PI84359OIDC WASReqURLOidcp cookie constantly grow when LTPA token expired
PI89103OpenSAML used by WebSphere Liberty contains XML external entity (XXE) vulnerability (CVE-2013-6440)
 PI89575LTPA cookie is not created in certain single sign-on scenarios
WebSphere Compute Grid PI88583In WebSphere Liberty 17.0.0.x Java batch executor fails with CWWKS0800E error
 
Fix pack 17.0.0.3
Fix release date: 17 October 2017     
Last modified: 17 October 2017     
Status: Superseded     

Download Fix pack 17.0.0.3
Component
Security APAR
APAR
Description
Dynamic Cache PI78148SRVE0014E from servlet caching
 PI78552DYNA1064E is logged on some dynacache APIs when the underlying cacheprovider does not support disk caching
EJB Container PI87472EJB remote injection fails with NPE if ORB not yet available
Federated Repositories PI05723Handle long data type from VMM for extended properties
 PI79440NullPointerException in URBridgeXPathHelper.getExpression()
 PI79452NPE in LdapConfigManager.getSupportedProperties()
 PI81497When one base DN is the subset of another in a federated repository, LDAP failures occur
 PM95697LDAP contexts getting leaked after first connection exception
General PI77400BBOA1INV Fails with RC = 8 RSN = 44, FFDC invalid group name returned
 PI80363Allow configurable maxFieldLength in the logstashCollector
 PI80397Remote EJB call with the same object in multiple arguments fails
 PI80932WSCredTokenCallbackImpl class is not visible to applications
 PI81056Liberty server needs to retry starting the TCP channel after error CWWKO0224E due to hostname resolution error
 PI81124Closing websocket session throws NullPointerException
 PI82101Task retry not immediate after XAResource rollback
 PI82109Provide support for CICS 5.4 in WebSphere Optimized local Adapters
 PI82218JAX-RSResponses contain unnecessary Cxf-Content-Language header
 PI82296AsyncContext.comple() fails when called from a readListener
 PI82327java.lang.RuntimePermission error when destroying an upgradeHandler
 PI82364For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
 PI82556AppSecurity-2.0 does not include trustAssociation in Liberty
 PI82672productInsights does not register embedded WebSphere
 PI82684During server shutdown, if ProductInsights is trying to complete its first registration it may not cancel all of its tasks
 PI82994filenotificationmbean may not notify the listener
 PI83111Monitor function of AdminCenter does not display the correct value of "used connections"
 PI83159JAX-RS resource methods report as not found when using scientific notation as path parameters
 PI83439ClassCastException thrown when using remote EJBs in servlet with parent-last classloading
 PI83516Using reference-listener along with service factory causes TransactionManager errors
 PI83682ProductInsights not reporting used JVM memory correctly
 PI83713Path template variables in JAXRS 2.0 do not support scientific notation
 PI83901The context ClassLoader is not getting set properly when loading CDI extensions at app startup
 PI84036JAX-RS Client must access endpoints via authenticating proxy
 PI84083Usage data is not queued if connection to Bluemix Product Insights host fails
 PI84327WebSphere Application Server Product Insights does not send in group name translations
 PI84487Certificate login does not work with custom user registry on Liberty
 PI84842The application's classloader is leaked when restarting the app
 PI85373Open Liberty Rollup for 17.0.0.3
 PI85490Deadlock caused by WsLogManager and SIB trace code
 PI85492Commit of HTTP response in render_response(6)
 PI85683Register Windows service and start/stop service for Liberty fails if it is installed in directories names with a space
 PI85783Accumulation of org.apache.cxf.transport.http.osgi.HTTPTransportActivator objects
 PI85910OIDC does not recognize x5c tag in JWK
 PI86198Inconsistent aliasing between --jobParameterFile and --jobPropertiesFile in the batchManager and batchManagerZos CLI
 PI86443Use of the JAX-RS multipart media type results in a java.lang.ClassNotFoundException: javax.ws.rs.core.MediaType
 PI87119NullPointerException caused by external port component configuration
 PI87467CDI injection into JAX-RS classes is broken when using multiple apps and one app is not CDI-enabled
 PI87504JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Install V8 and above PI88170Block installUtility/featureManager install userFeature '--to=core'
Java 2 Connectivity (J2C) PI82859Incorrect value of connectionPoolstats
 PI86100Intermittent sharing scope for data sources being created at the same time on two different threads
 PI87470Unable to install resource adapter using loose configuration file
Java Message Service (JMS) PI81329NCSA access logs %B option output displays "-" instead of the size of the response in bytes
 PI81864ConcurrentLinkedList tailsequencenumberlock garbage collected
Java Persistence API (JPA) PI77555Eclipselink scrollable cursor results in a ClassCastException
 PI80863OpenJPA caches and reuses the query parameters for BETWEEN expressions when OpenJPA's query cache is enabled
 PI81260OpenJPA does not honor SSL connection properties for DB2
Java SDK PI85250Hung thread issue in myfaces _getMetadataTarget
 PI86494Messages returned from JSF APIS are in the incorrect order
JavaServer MyFaces (JSF) Apache MyFaces implementation PI82893JAVAX.FACES.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL value affects display behaviour for required fields
PI87299Information disclosure in Apache MyFaces affects WebSphere Application Server (CVE-2011-4343)
PI87300Information Disclosure in WebSphere Application Server in JSF (CVE-2017-1583)
JavaServer Pages (JSP) PI82529HTTP transport encoding CP943C is used for JSTL params
 PI83486StackOverflowError generated due to the JSP TabLibraryCache recurses into loadWebInfMap with the value "/WEB-INF"
Liberty Application Services PI87139Configuration updates blocked by application restart
 PI87468Schema lists invalid attributes for resource adapters and EJB applications
Liberty Debug and Tracing PI83872NullPointerException in MultipleCriteriaFilter when retrieving logs from Liberty binary log
Liberty Kernel PI87138Synchronization in ConcurrentServiceReferenceElement creates a performance bottleneck
 PI87471Potential NullPointerException ServerXMLConfiguration.parseDirectoryFiles
 PI87480AccessControlExceptions in Liberty kernel code
Liberty System Management PI85828Correcting algorithm for collective deployment using a local file
Liberty z/OS PI78510.pid directory created with wrong permission settings
 PI78787WOLA ACEE copied from CICS invalid for TSS
 PI79017z/OS connect cannot read request that came in with transfer-encoding=chunked
 PI79034For products that embed Liberty, some bootstrap.properties do not take effect at server startup
 PI82088Prevent Error loop when TDQ is unavailable for write
 PI83503WebSphere Liberty servers with zOS connect failing to start with abend 0c4 in wolanativeutils.ntv_activatewolaregistration
 PI85520Message CWWKO0229I is not issued when asynchronous I/O is configured
Messaging Providers PI83027Default threadpoolstats data cannot be retrieved due to InstanceNotFoundException
Performance Monitoring Tools PI80861The Japanese translated message for TRAS0115W is incorrect
Security PI73345Distributed identity mapping not working in Liberty z/OS
 PI84335PasswordUtil API classes are not packaged in a separate PasswordUtil.jar file
 PI84597Liberty z/OS trace includes unnecessary information
Servlet Engine/Web Container PI81052JSF portlets may not be able to obtain a session ID
 
PI88642Information disclosure in WebSphere Application Server (CVE-2017-1681)
Virtual Member Manager (VMM) PI79223In Liberty VMM user registry cannot get groups for user from LDAP
 PI81923LDAPRegistry contextPool defaults do not match documentation
 PI81954LDAPRegistry attributesCache and searchResultsCache default timeout set too low
 PI85208LDAP registry cache is not used in some cases to retrieve cached attributes
 PI85213Federated repository may not use UniqueGroupIdMapping outputProperty when calling userRegistry.getUniqueGroupID
 PI85214Federated repository passes internal properties to customRepository implementations
 PI86719The LDAPRegistry contextPool timeout setting does not timeout after the configured time
 PI87461Federated Repositories is returning principal name instead of unique name for getUserSecurityName
 PI87466ArrayIndexOutOfBoundsException is thrown when groupMemberIdMap inside ldapRegistry is empty
Web Container PI83141WebContainer performance issue when under high load
Web Services (JAX-WS, JAX-RS) PI64462NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocalProviders.getContextResolver()
  PI86914Correct Mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
Web Services Security PI62735The groupId(s) get lost in id_token and introspection
 PI68809WebSphere Application Server XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
 PI78760OIDC IDToken updates to the "sub" field do not take effect
 PI80166OIDC provider does not recognize custom realmname from token
 PI80689Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
 PI80741OpenID Connect (OIDC) cookie not fully removed
 PI80963Refresh tokens are issued unconditionally even for clients that do not require them
 PI94351Secure flag is not set on the Liberty WASOidcCode cookie
WebSphere Compute Grid PI72923CDI injection of Java batch jobcontext fails with npe in the absence of an active job on the current thread
 PI81200StepListner.afterStep cannot catch an exception thrown by ItemProcessor.processItem
 PI84639batchManagerZos not available after minified server is extracted
 PI86175Prevent job start and restart of the same job from occurring simultaneously
 PI86193Support message delay/priority for Liberty Java Batch

Back to top

Fix pack 17.0.0.2
Fix release date: 13 June 2017     
Last modified: 13 June 2017     
Status: Superseded     

Download Fix pack 17.0.0.2
 
Component
Security APAR
APAR
Description
Channel Framework PI85709Add watchdog timer to write waits on closing
Contexts and Dependency Injection (CDI) PI72811Allow excluded alternatives
 PI77286 Vetoed EJBs throw NullPointerException
 PI77514CDI observer for @initialized(applicationscoped.class) is not called inside jar
 PI79787 Prevent WebSphere internal packages from being exposed to applications
 PI80901Version numbers in symbolic names are too fine grained and can cause failover to fail between different versions of Liberty.
 PI82020WeldTerminalListener is not registered
Database Access, Connection Management, Merant/DataDirect drivers PI80335DSRA8020E Error is thrown when using IBM i Toolbox JDBC driver with WebSphere Liberty
EJB Container PI77856EJB 3.x Stub class throws RemoteException for communication failure
 PI79261Deadlock with persistent EJB timers for Singleton beans
General PI71956CWWKE0108I is written to stdout
 PI74918The umask values is not shown in the server logs
 PI75258The CICS Link server abends when unable to write to a TS Queue
 PI75280Attributes missing from the element httpOptions and throws warning message
 PI75512Cleanup up websocket connection when outbound connection attempt fails at the app server
 PI75590 Corrections are needed to the documentation in the Knowledge Center
 PI77605JAXRS Client APIs do not use configured SSL settings
 PI77615JAXRS application start fails with ClassNotFoundException when JSPs are specified in web.xml
 PI77976ConstraintViolationException when using @Valid annotation
 PI78177When a websocket connection is closed while reading data an object leak might occur
 PI78260Liberty jaxb-2.2 feature does not expose some xlxp2 packages
 PI78738Loop while closing an SSL connection
 PI79260ProductInsights reports incorrect product version and host name
 PI79275JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.
 PI79391ContainerRequestContext.hasEntity() returns true for a GET request.
 PI79987Endpoint MBean information does not update when server.xml <httpEndpoint> is modified
 PI80082JAX-RS 2.0 OPTIONS methods are not invoked when used in sub-resource locator classes
 PI80256AccessControlException thrown when finding resources if Java 2 security is enabled
 PI80285For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
 PI80314Support for product insights in embedded server
 PI80315The productInsights-1.0 does not support BASE ILAN edition
 PI80514A jndiEntry config element with a value of "0" is parsed as a java.lang.String but should be a java.lang.Integer
 PI80631Access Log file and ELK time stamps are not the same
 PI80632Messages with digits in prefix of message ID have a blank messageId field in logstashCollector
 PI80719Websocket race condition on writing data while closing can hang a thread
 PI81082java.lang.ClassFormatError: JVMCFRE074 no Code attribute specified; is thrown
 PI81086NullPointerException thrown when using a JAX-RS provider class without a public constructor
 PI81396Unable to register a liberty server with product insights though an authentication required proxy
Intelligent Management Component PI80237Null return codes for health actions cause NullPointerException
Java 2 Connectivity (J2C) PI78463After configuring a connection factory for CICS RAR, the server issues J2CA8501E
 PI80357JMS connection factories defined through annotations can fail to allocate connections
 PI81549When using SQLJ context caching, auto commit and/or transaction isolation level become inconsistent
 PI81717The WaitTime provided by the ConnectionPoolStats MBean is in nanoseconds when it should be (and is documented) in milliseconds
 PI81840Bean Validation 1.1 @DecimalMin and @DecimalMax constraints inclusive property not working
Java Persistence API (JPA) PI76834Unable to use DB2 XML data type with EclipseLink JPA; Null pointer produced
 PI76902NoSuchMethodException when a program is using CONCAT function
 PI78643Eclipselink JPA/Auditing capablity in EE Environment fails with JNDI name parameter type
 PI79397org.omg.CORBA.BAD_OPERATION when running a select SQL statement
 PI81076ServerSession numberOfNonPooledConnectionsUsed can become invalid when Exception is thrown connecting
JavaServer MyFaces (JSF) Apache MyFaces implementation PI79562Leading '/' in JSF context param-value throws StringIndexOutOfBoundsException
  PI80535ClassNotFoundException due to classes not being exported to the thread context
JavaServer Pages (JSP) PI79800 The JSP Engine is not processing EL expressions correctly when they are in large blocks of character data
 PI80319Failure to parse tag library when the taglib is defined in the application
Liberty Application Services PI66702Multi-address corbaname URLs do not fail over to the second address when the first address server is down
 PI81297Application fails to initialize at startup with error CWWKZ0021E
Liberty Debug and Tracing PI80225JUL Traces do not show up in logstash collector / bluemix log collector when binary logging is enabled
 PI80844Failure if running binaryLog view serverName from wlp/usr/servers directory
Liberty Kernel PI78072A server start may receive a java.util.MissingResourceException if started with a disabled command port
  PI78444The server schema incorrectly includes some internal configuration attributes
  PI79123ConfigUtility command line tool loosing equals sign on parameters ending with equals sign
  PI79878Server create command (using Java 8) overwrites server.env file
  PI80744SPI class, PathUtils is not normalizing leading double slashes
Liberty Log Analytics and Monitoring PI80363Allow configurable maxFieldLength in the logstashCollector
Liberty z/OS PI77988Update needed in module BBGZAFSM
 PI78510.pid directory created with wrong permission settings
 PI78787WOLA ACEE copied from CICS invalid for TSS
 PI78970When the z/OS connect EE server is stopped and restarted, CICS issues an abend at the time of the WOLA rebind
 PI80072Message CWWKB0392W is issued when the OTMA client name is specified in the zosLocalAdapters connection factory properties
 PI80252The size of the Java heap grows over time when using the MSGLOG DD
 PI80650Memory leak in SP132 KEY8 causes OUTOFMEMORY in Liberty
 PI80988WebSphere OLA(WOLA) service request issues return code=8, reason code=96 when called from an IMS CCTL region
 PI82088Prevent error loop when TDQ is unavailable for write
Performance Monitoring Tools PI79203The monitor-1.0 feature may not be able to monitor user runtime components
  PI80861The Japanese translated message for TRAS0115W is incorrect
Security PI72472WSCredTokenCallbackImpl returns null even when token exists
 PI75111Admin center does not work with AccessControlException after enabling Java2 security
 PI77129 MYFACES-3415 - [UI:REPEAT] Field value disappears if validation error exists on current site
PI77770Potential cross-site request forgery with WebSphere Application Server enabled with OAuth (CVE-2017-1194)
 PI78245An authData element without an ID causes a NullPointerException in the logs
 PI78445CWWKS9580E message might be logged after modifying the CSIv2 configuration
 PI78730Intermittent CWWKS9520E message issued when CSIv2 is enabled
 PI79444AccessControlException when using the servlet log method
 PI95544NPE thrown in method authorizeEJB()
Sessions and Session Management PI73188Session activeCount shows a negative value
 PI81007Incorrect messages were thrown at System output console when using JMX connector
Systems Management Functions PI66988Running collective command in z/OS results in FSUM7332 syntax error
 PI78497When trace is enabled extra information is being included in the controller's trace file
 PI80320apiDiscovery urls may not update properly on Liberty Admin Center
Virtual Member Manager (VMM) PI78192UserRegistry methods that throw RuntimeExceptions can cause federated repository failures
 PI79888An sslRef on an LDAPRegistry without matching ssl config causes security init failure
 PI80547Federated Repository's participatingBaseEntry element does not allow name attribute to be empty string
 PI81519In WebSphere Liberty, the context pool timeout value is not honored on the LDAP Registry
 PI81555The ldapRegistry feature does not properly process LDAP entities with RDN values that contain characters that need escaping
 PM76997 VMM certificate authentication fails when DN contains non-default X509Certificate attributes
Web Container PI75166TAI cannot obtain the SSL endpoint information using direct connection
 PI76699Provide an option to override the default values for the ESI properties in the plugin-cfg.xml
 PI76891Exception from com.ibm.ws.webcontainer.osgi.mbeans.PluginGenerator during server stop
 PI77629NullPointerException if login is required to access a servlet which uses a ReadListener.
 PI78193Returned default html error page has extra closing tags
 PI78633Access control exception due to read permission of a property from Cookie class
 PI79334Unexpected error when an application is initializing during server stop
 PI80313Enable Post Data to be read multiple times.
 PI80668ServletException when creating a servlet, filter or listener from a ServletContextListener with Java2Security enabled
 PI81688Plugin config file generation fails after a configuration update is made to a Liberty server when it is running
Web Services (JAX-WS, JAX-RS) PI77438JAXB context creation is very slow in Liberty during Web service load test
Web Services Security PI76629Add authentication option to JWK endpoint invocation
 PI78760OIDC IDToken updates to the "sub" field do not take effect
 PI80166OIDC provider does not recognize custom realmname from token
 PI80689Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
 PI80741OpenID Connect (OIDC) cookie not fully removed
 PI81403An error may occur if the string representation of a subject includes an ID token that contains a claim with a non-string list
WebSphere Compute Grid PI78436Using batch injection in joblistener results in NullPointerException
 PI79686Slow response when using batchpersistence in Liberty
 PI80634When trying to stop an already completed job the error message does not return with the correct jobInstanceId
 PI80635CDI implementation does not support batch artifact loading via batch.xml
Fix pack 17.0.0.1
Fix release date: 14 March 2017     
Last modified: 14 March 2017     
Status: Superseded     

Download Fix pack 17.0.0.1
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI35470 Message bean instances injected with the CDI @New annotations are not @PostConstruct'ed
 PI55406 IllegalAccessException is emitted from InvocationContextImpl
 PI62583 IllegalArgumentException in CreationalContextImpl only when trace is enabled
 PI73139 CDI would not inject classes from a war file into an ear lib in single classloader mode
 PI75915CDI failover does not work if bundles have different OSGI qualifiers
Database Access, Connection Management, Merant/DataDirect drivers PI73351DSRA0080E refers to original exception message {0} instead of actual message
 PI76168After global transaction ends, the reported auto commit value can be inconsistent with the Oracle JDBC driver
General PI68233 SSLSessionTimeout is not recognized as a valid attribute for sslOptions element
 PI71616 configUtility find or install throws a NoClassDefFoundError when using local repository
 PI73277 EclipseLink 2.6.3 does not support JPA-convertor for primitive data types
 PI74721 Errant timeout can occur with async sends in WebSockets
 PI75015Memory leak in JAX-RS client.
 PI75022Failure to parse a java.util.Date object when creating a new javax.ws.rs.ServiceUnavailableException.
 PI76688Private lifecycle methods in JAX-RS resources are not invoked
Java 2 Connectivity (J2C) PI60146Connection sharing cannot be controlled in Liberty when using direct lookup
 PI71092 java.lang.UnsupportedOperationException when accessing a tested data source
 PI73350Connection manager settings not honored
 PI74533Setting an agedTimeout value of 0 on a connection manager results in J2CA8011E
 PI75426Connection manager configuration intermittently ignored for application defined data source
Java Persistence API (JPA) PI74104EclipseLink might add unused table in generated query
 PI74284The JPA Container calls EntityManager.clear() instead of EntityManager.close() on cleanup
JavaServer Pages (JSP) PI72709 Asynchronous dispatch to a JSP file under the WEB-INF directory fails.
 PI73022JSP comments containing "%>" might throw a StringIndexOutOfBoundsException.
Liberty Application Services PI74321After upgrade to 16.0.0.4. NamingException and ClassCastException occur on JNDI lookup on IBM i
 PI75284Intermittent NullPointerException from ApplicationStateMachineImpl when trace enabled or logging information in response to a failure
 PI75389OSGi Applications can take significantly longer to startup after upgrading Liberty
 PI76368 A class that is both Remote and Serializable is mis-categorized during marshalling
Liberty Debug and Tracing PI62350Some server startup and early messages are not collected by logstachCollector-1.0 feature.
 PI74051Transaction trace lacks PropertyPermission to read system property "com.ibm.tx.tracer"
 PI74318Incorrect message IDs appearing on dashboard when using the Bluemix log collector
 PI76200Stack trace is not included in the message field of liberty_message type
 PI76620Filter tags in logstashCollector & bluemixLogCollector to avoid tags with special characters displaying oddly on dashboard
 PI76621New message IDs need to be assigned to a few existing TRAS messages.
Liberty Kernel PI72686 Removing and adding a feature can result in a warning message about duplicate metatype definitions
 PI73807Some Liberty message IDs conflict with traditional WebSphere Application Server
 PI74527Error CWWKZ0404E can occur when starting an application on Liberty
 PI74586Liberty server does not start if jvm.options file contains spaces, after upgrade to 16.0.0.4
 PI74792java.lang.NullPointerException when starting an .ear application with autoExpand="true" in server.xml
 PI76013Resolution error for optional server config include should not create an exception
 PI76432Exception could be thrown and logged during a server shutdown if listeners timeout during quiesce
 PI76607Features that cannot be loaded because of Java version dependencies may still be reported as being loaded
 PI76755Liberty metatype registry problem - metatype extension duration changed from LONG to STRING in 16.0.0.4
Liberty z/OS PI50828 WLM support is ignored when running z/OS Connect in async mode
 PI66375 SPI for MVS MODIFY command support is documented to be externally available, but in fact is not available
 PI72065 Loop in Liberty z/OS server when AsyncIO is enabled
 PI72566 ABEND0C4 at BBGZSCFM+377E occurs during client bind
 PI72776When WLP_ZOS_PROCEDURE is set the foreground JVM uses the full set of JVM options
 PI73559 WOLA service BBOA1URG fails with RC=12 RSN=240.
 PI73752Suppress FFDC for com.ibm.io.async.AsyncSocketChannel 453
 PI74564WebSocket-1.1 feature does not work in Liberty imbedded in CICS TS 5.3
 PI74875Liberty Server hang in termination after a hard failure on z/OS
 PI74878WOLA feature not started for 16.0.0.4 server using a version 4 Angel
 PI76238Message CWWKB0392W contains no message text in messages.log.
Performance Monitoring Tools PI75368Slow memory leak might lead to OutOfMemory in Liberty
 PI76212Monitor capability breaks when different thread pool name is speicified other than "Dafault Executor".
Security PI72135 An AccessControlException is issued when restoring the security context using the ContextService APIs
 PI72653 Web filters need to receive the AuthModule wrapped request or response when using JASPIC
 PI73266AccessControlException issued even when permission was granted in the permissions.xml file
 PI76359Process default SSL Setting not getting reset on a file update
 PI76408The method signature for java.security.SecureRandom.nextBytes() is no longer synchronized.
Session Initiation Protocol (SIP) Container PI76614SIP Router is initialized more than once.
 PI76615Order of OSGI bundle could cause a class not found exception.
Systems Management Functions PI74526A collective name sporadically changes between its given name and the default name
 PI75433Liberty collective member status becomes stale at the controller.
Web Container PI71999XML transformer factory changed during server start
 PI72223 The pluginUtility displays an untranslated message when using the merge action to merge plugin-cfg.xml files in a directory.
 PI72514 Application start fails to add context root in Virtual Host map
 PI72710 Response committed on return from Forward even when async is started.
 PI74499Server quiesce not cleaned properly when write during close of upgraded connection goes asynchronous.
 PI75475The WebContainer 'enableMultiReadOfPostData' config property was visible but not implemented.
 PI75528The maxRequestSize optional attribute for MultipartConfig is ignored.
 PI76195When the plugin configuration is generated it may not have one of the ports
 PI76271CORS does not handle requests with PATCH methods correctly
 PI76351ServletRequest.getRequestURI() returns inconsistent results after AsyncContext.start().
 PI76364isFinished() could incorrectly return false in some scenarios
Web Services (JAX-WS, JAX-RS) PI70234Custom HTTP header blocks SOAPAction header
  PI76616HTTP servlet requests could be matched to incorrect cross-origin resource sharing (CORS) configuration
Web Services Security PI72558 OIDC client cookie is not removed after it is used
WebSphere Compute Grid PI73040Batch job log REST URLs are incorrect for a failed job execution
 PI73249 The ddlGen script may produce an empty file when run against a server with the Java Batch feature configured
 PI74813When using the batchManagerZos 'status' and 'listJobs' commands, the usage of --instanceId and --jobInstanceId are not universal.
 PI74924Job with Java batch COMPLETED status moves to STOPPING status after shutdown in executor.
 PI76622Provide V2 and V3 versions of existing Batch REST APIs
 PI76632Job executions REST API syntax is misleading
 PI76701Java Batch purge command fails after a job execution did not initialize correctly
 PI76702Java Batch jobs store JES job name and JES job ID with trailing spaces
WMQ messaging providers PI61885postCallWithException throws java.lang.IllegalStateException
 PI71691 BundleException happens when adding a feature to a running server causing a bundle to be reinstalled
 PI72136 Server startup fails with CWRLS0009E error due to failure in the transaction manager's recovery log service
z/OS PI61450 Apache Wink does not remove quotes from the boundary value Content-type: multipart/mixed; boundary="simple boundary"

Back to top

Fix pack 16.0.0.4
Fix release date: 13 December 2016     
Last modified: 13 December 2016     
Status: Superseded     

Download Fix pack 16.0.0.4
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI69193 ContextNotActiveException in SessionScoped bean preDestroy()
 PI70614Clean up all resources on an application startup failure on cdi-1.0 feature
 PI71104@Inject Principal does not work in mutli-threaded environment.
 PI71667Application fails with WELD-001408: Unsatisfied dependencies for type Validator with qualifiers @Default
 PI71734Failover does not work with CDI 1.2
Database Access, Connection Management, Merant/DataDirect drivers PI68418Purge policy ValidateAllConnections does not properly validate connections
 PI71587Data source is not autodetecting MariaDB.
DynaCache PI68741 HTTP status code 200 is returned to a client when the servlet or JSP throws an exception
 PI71752Plugging in an external cache provider does not work with the distributedMap-1.0 feature.
EJB Container PI66621 ReferenceContextImpl caching empty list of targets for JSP classes
 PI67942 javax.servlet.HttpServletRequest.getRequestURI() might return a decoded value after dispatching
 PI69642NullPointerException deleting stateful EJB
General PI42673 Extra information in logs with Datasource custom properties
 PI67034 Access was denied for property org.apache.jasper.constants.jsp_servlet_base.
 PI67099 Provide option to add STS response header for HTTPs request
 PI68432When user applications are using Websocket Decoders a slow memory leak can occur.
 PI69737Errors are not logged when tasks submitted to managed executors fail
 PI70332System property to enable SSL Channel timeoutValueInSSLClosingHandshake property
 PI71359FFDC is produced for a NullPointerException in com.ibm.ws.tcpchannel.internal.SocketRWChannelSelector.updateSelector
Install V8 and above PI68915Default server.xml is incorrect
 PI69133Disk space validator returns NullPointerException.
Java 2 Connectivity (J2C) PI68163MQJCA1011: Failed to allocate a JMS connection
 PI68257Connection manager might remain active after transaction manager has been disabled.
 PI69122 J2C pretest being used despite FailingConnectionOnly option
 PI69887FFDC logged for resource adapter config property with getter that is named with "is" rather than "get"
 PI69957Destination ID erroneously used for JCA 1.7 destinationLookup instead of JNDI name.
 PI70224The value of ConnectionHandleCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
 PI71193Illegal State Exception when transaction timeout occurs and abort is used
Java Persistence API (JPA) PI65593 The database schema name cannot be configured with openjpa.jdbc.SchemaFactory
 PI66770 JPA returns incorrect results when using a native query and @SqlResultSetMapping
 PI67234ServerPlatformException Server platform class is not valid: null occurs with JPA 2.1
 PI67790 java.lang.ClassCastException using JPA
 PI68028EclipseLink throws ValidationException when using nested embeddables with the same attribute name
 PI68805Potential leak of org.apache.bval.cdi.BValExtension$Releasable objects when using JAX-RS, CDI 1.2, and Bean Validation 1.1.
 PI70680Deployment of persistence unit fails with DescriptorException
 PI70841OpenJPA's ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException
 PI75607javax.persistence.PessimisticLockException when javax.persistence.lock.timeout set to 0
 PI75608Add EclipseLink support for Java 2 Security
JavaServer MyFaces (JSF) Apache MyFaces implementation PI67525inputFile tag is not working properly on Liberty
 PI70441FlowBuilderFactoryBean Concurrency Issue
JavaServer Pages (JSP) PI67257 An escaped EL expression is being run if an escaped dollar sign precedes the former expression
 PI69028Null CodeSource location for classes loaded by JSPExtensionClassLoader
 PI69942JSP property useJDKCompiler does not work in Liberty
 PI71436A debugger does not stop at a breakpoint in a JavaSever Page (JSP).
Liberty Application Services PI70600Auto extracted web app files have incorrect timestamp.
 PI70848When application autoExpand is enabled changes to an ear file are not detected by the Liberty server
 PI70870ConcurrentModificationException in AppClassLoader when using the global library
 PI71116When certain features are enabled the application property autoStart has no effect
Liberty Kernel PI68170Users of Liberty's OSGI EventAdmin service cannot change the topics of interest for a registered EventHandler
 PI70104Starting a Web Application Bundle (WAB) can result in a deadlock sometimes when the WAB is installed and started dynamically
 PI70637RuntimeException: Invalid call to WsByteBuffer occurs during shutdown
 PI71457NullPointerException after a failure to bind an IIOP transport port
 PI71607Schema for resource adapters contains an unused attribute.
Liberty System Management PI69561REST API Discovery missing APIs in web applications with multiple JAX-RS application classes
Liberty z/OS PI67718z/OS Connect is unresponsive to the STOP command from the z/OS Console
 PI69625Liberty server at 16.0.0.3 may fail to start when using AsyncIO
 PI69886When using the zosLocalAdapters-1.0 feature to talk to CICS, the CICS container LinkTaskRspContID already exists.
 PI70090WebSphere Liberty "server" and native launcher handle a # in the middle of a JVM property inconsistently
 PI70896Liberty Server hang in termination after a hard failure on z/OS
 PI71417Startup time for Liberty for z/OS is unnecessarily slow.
Messaging Providers PI62816Allow more than one address to be specified in the remoteServerAddress field
 PI70961Corrections to messages in JMS Messaging
Performance Monitoring Tools PI70900Events get lost when the logstashCollector config gets updated
Security PI62070 Full chain created in PKCS12 but not for JKS key store
PI62375 Potential code execution vulnerablity in WebSphere Application Server (CVE-2016-5983)
 PI69141Make sure HTTPS URL connection default is set at the same time SSLContext is set.
 PI69161Constrained delegation works only when Liberty trace is enabled
 PI69277Java 2 Security permissions are not granted to a shared library when using the file element instead of a fileset
 PI69629 CWWKX8136W: Cannot validate the server identity
 PI69840 A NoClassDefFoundError or NoSuchMethodError may be thrown when accessing Swagger annotations.
 PI69870 IllegalAccessException on EL expression that processes isLast() of object referencing varStatus in JSTL for-each tag
 PI71525NullPointerException when registering a Custom User Registry that returns a null realm name
 PI71585NullPointerException when null password is passed into WSCallBackHandlerFactory
 PI71751Provide better message when bad SSL configuration is used by CSIv2.
 PI71789.InvalidNameException: Validation of the Collective DN failed. 0th element type was not dc
Systems Management Functions PI69286Non-ASCII names used in remote operations from a collective controller may become corrupted.
 PI69741Remove extra information from trace file
 PI71792New files added to a controller's configDropins/defaults directory are not replicated to other controllers in the collective.
Virtual Member Manager (VMM) PI71825CWWKS3006E error message seen during server shutdown.
Web Container PI64898AsyncListener onError not being called correctly
 PI65762DestroyJavaVM() method call hangs and JVM fails to shut down when asynch servlet work has been performed
 PI67393 Polish the ReadListener
 PI68061Option to display customized text for some server errors
 PI69220A plugin-cfg.xml is generated with missing applications and future auto-generation fails.
 PI69803A java.lang.NoClassDefFoundError error can occur when using the pluginUtility merge action.
 PI70063A decrease in throughput can occur when many concurrent requests for JSP pages that make use of tag libraries.
 PI70184WebSocket not working if application flushes without obtaining any outputStream or writer
 PI70873java.lang.NullPointerException might occur during a request's cleanup.
 PI71851Missing apostrophes in French and Italian pluginUtility text
Web Services (JAX-WS, JAX-RS) PI70196PI70196: ibm rest servlet cannot be mapped to two different urls:
 PI70313Swagger API Explorer ignores protocol schemes for operations
 PI71238IllegalArgumentException when getHours() is called
 PI71887JAX-RS Client fails when running in OSGi bundles
Web Services Security PI68101JSON bits are missing from a URL when SAML authentication redirects a request
 PI68809WSAS XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
 PI69415Support configurable context root for OIDC client redirect url
WebSphere Compute Grid PI70886Java Batch REST: STOP request may not return JobNotRunningException even when the job batch status returns as COMPLETED.
 PI70887An exception in the batch executor may cause a message to roll-back onto queue (and get re-delivered) instead of consumed.
 PI71718Attempting to purge multiple job instances fails when their executions are not on the same endpoint
 PI71719Batch REST request for job instance job log links fails with remote executions
WMQ messaging providers PI68664 Record-level sharing (rls) is miscalculating the amount of data to be written to partner logs
 PI69183 APAR PI18414 may result in the recovery log service using incorrect sequence numbers.
 PI69314 ELException, Can not find @Transactional annotation
 PI69328CWWKZ0403E error message occurs due to error Unable to acquire the global write lock in time.

Back to top

Fix pack 16.0.0.3
Fix release date: 16 September 2016     
Last modified: 16 September 2016     
Status: Superseded     

Download Fix pack 16.0.0.3
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI38270 NullPointerException in InvocationContextImpl.configureTarget when destroying an already destroyed bean
 PI42311 EJB interceptors not called intermittently
 PI48614 NullPointerExceptions from CDI code
 PI51620 NullPointerException when doing injection with com.ibm.ws.cdi.immediate.ejb.start set to true
 PI58669 CDI javax.decorator.decorator annotation not working as expected
 PI61397 Ensure application scoped context is initalized properly and active during bean preDestroy
 PI64374 Race condition with session scoped contexts
 PI64812Application ClassLoader leaked during application restart from CDI's RuntimeFactory
 PI65337Use of CDI interceptors in stateless EJBs causes exceptions to be wrapped in WeldException
 PI66866Memory leak occurs when an application is restarted
 PI67388Move up Weld level to 2.3.4.Final from 2.2.16.Final.
Database Access, Connection Management, Merant/DataDirect drivers PI66423OraclePreparedStatement.getReturnResultSet and OracleCallableStatement.getCursor fail after unwrapping statement
EJB Container PI60567 New system property to configure the EJB pool wait timeout
 PI62639NullPointerException in CDIEJBManagedObjectFactoryImpl.getEjbDescriptor when creating EJB instance to pre-load the bean pool
 PI63571AccessControlException: "accessDeclaredMembers" from com.ibm.wsspi.injectionengine.MethodMap.getMethods.
 PI63709Application exception thrown from EJB constructor lost when @AroundConstruct interceptors present
 PI63821Resource reference names starting with java:comp/env are ignored in ibm-ejb-jar-bnd.xml
 PI65205FFDC for TransactionRolledbackException when using UserTransaction in stateful bean ejbRemove method
 PI66565com.ibm.wsspi.resource.ResourceInfo not provided to ResourceFactory for <resource-env-ref> XML elements
 PI67070Customer can get EJBExceptions related to non-persistent EJB Timers during server shutdown
General PI60893 Deadlock caused by SIP Subscribe
PI61548 Potential Denial of Service in WebSphere Application Server if using SIP services (CVE-2016-2960)
 PI63871NullPointerException in MemoryPersistenceManager
 PI64472Automatically determine whether a submit or restart should be issued from the batchManager and batchManagerZos utilities.
 PI65456Issuing "job.ended" CWWKY0010I message instead of "job.failed" CWWKY0011W message, upon job failure.
Install V8 and above PI65506Display proper asset list when embedded asset repo is missing during IM modify_add flow
Intelligent Management Component PI59258Dynamic Routing fails to recognize the application until Collective Controllers are restarted
 PI63212Reload of web server with Intelligent Management causes CWWKV0008W messages on a Liberty collective controller
 PI66993Health condition is not set to the Liberty server in the Docker container.
 PI67392DynamicRouting does not have route information for Liberty Docker on initial deployment
Java 2 Connectivity (J2C) PI63520Parked connection created by PoolManager results in setting a pre-existing client ID to a MQ connection
 PI66424J2CA7002E is logged when server is stopped while in the process of installing a resource adapter.
 PI67186The value of FreeConnectionCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
Java Persistence API (JPA) PI58114 ClassCastException when an equals comparison query is run on an entity with a composite @EmbeddedId
 PI64129 CDI applications that inject Validator or ValidatorFactory beans cannot be failed over in a cluster
 PI67305EclipseLink assigns the same object instance to multiple embedded fields
JavaServer Faces (JSF) SunRI implementation PI64899When using the jsf-2.2 and beanValidation-1.1 features an OSGI warning message can be seen.
JavaServer MyFaces (JSF) Apache MyFaces implementation PI63135Custom type conversion is sometimes bypassed in EL 3.0
 PI63633 Thread-safety issue in the underlying (Apache) JSF 2.0 code causes WebContainer threads to hang
 PI64195@PreDestroy methods are not invoked on session invalidation for JavaServer Faces (JSF) javax.faces.bean.ViewScoped beans.
 PI64714JSF message severities always set to ERROR after ValidatorException
 PI64718Validators are not called when using selectManyCheckbox
JavaServer Pages (JSP) PI64004The scratchdir JSP attribute is not documented on Liberty
 PI65333A JSP error "unresolved compilation problem" is thrown during runtime
Liberty Application Services PI62861Server stop runs before the ServletContextListener implementation completes
 PI63542ArrayIndexOutOfBoundsException may occur when doing a JNDI-lookup to a remote EJB that is located in another cell
 PI64494Timing window in generation of Type Code objects from class TypeDescriptors, causes performance problems during JNDI lookup
 PI64806java.lang.StackOverflowError on WAR
 PI65244EJB connection helpers are both null
 PI65637Starting an OSGi Application intermittently causes an endless loop.
 PI66570IllegalStateException thrown on server shutdown
 PI67028AccessControlExceptionthrown from AppClassLoader.getResources() call
 PI67672Extended use of remote EJB may cause error mentioning Phaser parties.
 PI67674Restarting ORB may cause socket bind exception
 PI67719AccessControlException from JTMThreadFactory, JNDI lookup, and JmsManagedConnectionFactoryImpl
 PI67739Configuring a non-default ORB may interfere with application client.
Liberty Archive Install PI66992z/OS IM offering failed to modify asset due to error 'Failed to load bundle com.ibm.was.determine.job.type'
Liberty Kernel PI62609When coreThreads and maxThreads are the same value, CWWKE1200W messages, which indicate a hung thread, may appear erroneously
 PI63436Embeddable Liberty command wlp/bin/server fails to run on old bourn shell used by Solaris 5.10
 PI64318Product validation error when running installUtility install
 PI67017Apache Commons Compress was incorrectly added to Liberty's JVM classpath
 PI67231Inconsistent installUtility/feature error messages when installing features or depending features not found on repository
 PI67665 Path normalization of configuration variables can cause unwanted modifications
Liberty z/OS PI61412HTTP access logs are not tagged on z/OS.
 PI61645CWWKF0015I and CWWKF0014W messages are misleading
 PI63930WEBSOCKET-1.1 feature does not work in Liberty Imbedded in CICS TS 5.3
 PI64823zosRequestLogging-1.0 feature does record the SAF mapped user ID in SMF 120 subtype 11 records.
 PI65658Liberty z/OS unauthenticated ID experiences ICH408I calling HttpServletRequest.login with syncToOSThread enabled
 PI65709Storage leak in subpool 249 key 2 when using the zosLocalAdapters-1.0 feature.
 PI66150Liberty server processes the start of WOLA workload to slowly
Security PI60769IIOP sslRef mismatch not clear in error message
 PI61592Security context not propagated into JCA resource adapter
 PI62626jacc-1.5 feature does not package a separate API jar file even though it exposes the API.
 PI62722Attempting to start or stop a member from the Liberty Admin Center running in a collector on z/OS results in CWWKS2910E
PI63929Potential open redirect security vulnerability in WebSphere Application Server Liberty CVE-2016-3040
 PI63949When auth-method tag is not used in Liberty a NullPointerException is thrown
 PI64065CWWKS9112W: Invalid run-as configuration for security-role name ApplicationRoleName in the application ApplicationName
PI64790Cross-site scripting vulnerability in OpenID Connect client CVE-2016-3042
 PI65716configUtility and collective command line utilities do not support the custom password encryption
 PI66628The message when the custom password encryption is not available is not acculate.
 PI67237AccessControlException issued when an API tries to obtain an internal OSGi service via the kernel service SPIs.
 PI67467An intermittent MalformedURLException is issued during the server shutdown when Java 6 is used and there are permissions defined
Sessions and Session Management
PI60026 Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)
Systems Management Functions PI62640Collective utility help text for --keystorePassword is incorrect.
 PI66520A collective controller shared configuration file is removed after it is renamed.
 PI66522A deploy rule without a defined restart command produces an exception during a deploy operation.
 PI66523The --createConfigFile option of the collective utility allows the config file to be in the configDropins/defaults directory
 PI66524The collective utility writes an unnecessary request to edit server.xml.
 PI67220Liberty member in a Docker container ignores metadata defined in the admin-metadata.xml file included in the container.
 PI67221Docker registry commands in the Docker deploy rule mistakenly prepend the repository with the user name.
Virtual Member Manager (VMM) PI62392Login failure if userFilter contains userAccountControl attribute
 PI63471getUserDisplayName returning null when basicRegistry is configured
Web Container
PI54459Information Disclosure in WebSphere Application Server Liberty CVE-2016-0378
 PI58875Application is started even though there has been a listener exception during application start up
 PI61651An uncaught exception in javax.servlet.AsyncListener.onComplete() might cause threads to hang
 PI63193 SRVE8094W might happen even if invokeFlushAfterServiceForStaticFile=false
PI65853WebSphere Application Server Web Container affected by Apache Struts vulnerability (CVE-2016-3092)
PI67093Information disclosure in IBM WebSphere Application Server CVE-2016-5986
 PI67470 ConcurrentModificationException thrown on getServletWrapper when serveServletsByClassname is enabled
 PI67832FFDC created when a feature is removed from server.xml.
Web Services (JAX-WS, JAX-RS) PI64462NullPointerException in org.apache.cxf.jaxrs.impl.tl.ThreadLocal Providers.getContextResolver()
  PI67586ConcurrentModificationException in org.apache.cxf.jaxrs.JAXRSServiceFactoryBean
Web Services Security PI66148OIDC Client Service is not thread safe
 PI66354OAuth provider does not encode non-ASCII characters properly
WMQ messaging providers PI45254 Collect more serviceability data for transaction log service
 PI65127 Deadlock issue in tranlog database
 PI65412Transaction service may fail to log data correctly when its logs are stored in a database and connection failure occurs
 

Fix pack 16.0.0.2
Fix release date: 24 June 2016     
Last modified: 24 June 2016     
Status: Superseded     

Download Fix pack 16.0.0.2
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI58316Changes to JSP in EAR or WAR not picked up if CDI-1.2 feature enabled
 PI61971CDI forces a creation of an extra session, which causes memory usage issues.
DynaCache PI59818Servlet and Object Cache services are initialized multiple times during Liberty startup causing delays and exceptions
EJB Container PI58029 Classloader leak associated with PCRegistry
 PI59443A method named ejbCreate on a managed bean may be treated as a post construct interceptor method
General PI52696 WebSphere Application Server proxy - Too many open files
 PI53321 Using WOLA with CICS version 5.3 causes BBOX abend
 PI54666 NullPointerException when using IPv4/IPv6 loopback addresses
 PI55413 CICS BBO (WebSphere) link server abends with WRITEQ TSQ BBO* error eibresp: 16 eibresp2: 0
 PI57228The HTTP Channel consumes additional memory, in specific circumstances, when processing inbound data.
 PI58457Quotes are automatically added to the cookie Path attribute on version 1 cookies
 PI58692NullPointerException when using batchManager to purge and no arguments specified
 PI58800High CPU utilization can occur for WebSocket sessions that expire using a non-default MaxIdleTimeout value
PI58918Response Splitting Vulnerability using a specific API CVE-2016-0359
 PI59273A job instance with zero executions cannot be stopped or restarted.
 PI61321Serviceability changes for batch feature
 PI61621The persistent user data and metric values are invalid when a job fails in the middle of a chunk step
 PI62053HTTP Channel Access Log does not properly record how much is written to the file
 PI64247For Double Byte languages an FFDC IllegalArgumentException can occur for a WebSocket connection that closes due to an error
Intelligent Management Component PI61807Web Server SSL certificate created by the Liberty dynamicRouting feature needs updating
Java Persistence API (JPA) PI47094ClassCastException using a shared JPA module on JPA 2.1
 PI55889 JPA Merge fails intermittently with FOREIGN KEY constraint error
 PI58092Delay in application startup on Liberty
 PI58523When using jpa-2.1 with Bean Validation, XML constraints are not recognized
 PI59004Criteria Modelgen API is not included for the EclipseLink provider
 PI59757JPA PersistenceUnitUtil.getIdentifier() fails for nested EmbeddedId
 PI59782Eclipselink on Liberty is missing javax.json imports
 PI59999 OpenJPA custom plugins can cause Classloader leaks
 PI62022Bean validation interceptor is invoked twice
JavaServer MyFaces (JSF) Apache MyFaces implementation PI57255MyFaces CDI support is disabled if non-CDI application is loaded first
 PI59422Flow beans are destroyed before the flow is finalized
JavaServer Pages (JSP)
PI56811XXE and RCE via XSL extension in JSTL XML parse and transform tags
 PI59436NullPointerException when using EL expressions returning null
 PI60837A StackOverflowError can occur when com.ibm.ws.el.reuseEvaluationContext is set to true
 PI61400There are unused message properties files packaged in the Expression Language (EL) 3.0 bundle.
Liberty Administrative Center PI58080Admin Center toolbox cannot save bookmarks with Explore search results which search on tags
PI62052Potential security vulnerability in Admin Center for Liberty CVE-2016-0389
Liberty Application Services PI53419Liberty server z/OS: Deadlock adding WABs to web container
 PI58841An OSGi web app using JSP and JSTL by default currently needs to explicitly import the JSTL spec packages.
 PI59010CWWKC2259E: "Unexpected child element defaultDatasource" in WebSphere Liberty for EJB 2.1
 PI60496EBA fails to resolve when blueprint-1.0 is active
 PI60749Common shared library classes return null when calling getProtectionDomain().getCodeSource().getLocation()
 PI61468Application classloaders are leaked by transaction monitoring threads.
 PI61906Classloading trace does not contain details of classpath being traversed.
 PI62078ClassLoader leak in CDI's RuntimeFactory
 PI62240ClastCastException doing a JNDI lookup
 PI62385Classloading perfomance of the Liberty ORB has been slightly improved.
Liberty Archive Install PI60256Failed to testConnection against wlp-feature-8559.zip
 PI62355License jar upgrade returns a confusing message when it fails due to invalid edition.
Liberty Debug and Tracing PI57488Null characters added to logs when truncated by user
 PI58309NullPointerException seen with logstashCollector-1.0 feature when access log source is enabled
 PI58310logstashCollector-1.0 feature reports a NullPointerException during server shutdown operation
 PI58311TRAS0120W message reports incorrect lost events
 PI58386Duplicate FFDC records are sent for the same failure by logstashCollector-1.0 feature.
 PI60821NullPointerException when eventLogging feature is removed
 PI61051Removal of ISADC script
 PI61371High Performance Extensible Logging (HPEL) binarylog view does not sort by time stamp
 PI62013Warning message should be issued when wrong source is specified.
 PI62015Unexpected null pointer exception appearing in FFDC logs with logstash collector whenever updating the source
Liberty Kernel PI48971ActiveMQ properties not being honored in JMSActivationSpec in Liberty
 PI59235Problems with serialization code
 PI59906Server command help is missing the --os option description
 PI60941When installUtility install serverName is run, the server logs and workarea were not created under WLP_OUTPUT_DIR
 PI61175During startup the application manager can cause an FFDC with a ConcurentModificationException causing no applications to start.
 PI61177Spurious error may be logged when bundle starts and immediately stops.
 PI61178Dynamically configuring one or more features from zero features delays starting applications by 30 seconds
 PI61319The help for the productInfo command line tool reports an error rather than provide the help text.
 PI61320Missing attribute message is confusing
 PI61324Server package zips when unpacked lack file permissions for scripts in bin folder.
 PI61451installUtility command may fail with a SocketException: "Too many open files"
Liberty System Management PI57567Merged plugin-cfg.xml generated by ClusterManager mbean generateClusterPluginConfig operation contains dup elements
 PI58426Collective create always treats --keystorePassword as a required argument
 PI61176Using the IBM JMX REST client from Liberty requires setting too many properties
 PI61895Swagger document and UI in apiDiscovery-1.0 did not show non-ASCII characters properly.
Liberty z/OS PI50018linkTaskChanID property does not work when used with z/OS Connect service provider
 PI52665z/OS WOLA CICS BBOC control transaction cannot support long command strings from the console
 PI54756z/OS Connect JSON Parse Error message missing JSON payload.
 PI56919IllegalArgumentException: com.ibm.ws.security.saf.SAFException: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed
 PI57546UserRegistry.getUsersForGroup() is not implemented in Liberty server
 PI58016Asian characters in UTF-8 encoded payloads are converted to escaped unicode characters
 PI58155Liberty server takes ABENDEC6 RC0000FD1D due to CPU time limit exceeded
 PI58468WOLA fails to reconnet to CICS TS after previous executions have succeeded
 PI59320ABEND 0C4 RSN=00000004 or a CICS ASRA ABEND when you have more than 128 WOLA connections in an address space
 PI61322CICS programs called over WOLA are being passed an incorrect channel or container name.
 PI61323An ABENDDC2/ABENDSDC2 occurs in program BBOATRUE when CICS is configured to use an embedded Liberty server.
Performance Monitoring Tools PI60781NullPointerException being thrown from requestTiming feature if any exception occured
Security PI55373Collective framework needs to support certificates signed by third party signers
 PI59813Improve the exception generated when client does not trust the server.
 PI61090NullPointerException from FeatureWebSecurityCollaboratorImpl
 PI61204NullpointerException when using ibm_securitylogout in Liberty
 PI61253OAuth or OpenID Connect response does not contain state parameter
 PI61622The French help text of the PasswordUtility command line utility contains typographical errors.
Systems Management Functions PI58664Liberty collective member status is incorrect
 PI62453When making a JMX Connection to a collective member, the JVM default for HTTPs connections is updated
Virtual Member Manager (VMM) PI54746Federated repository does not allow a user login with Turkish characters
 PI56819User login failure when uniqueUserIdMapping inputProperty set to non default values
Web Container PI51122 Webcontainer intermittently generates a 500 error with StringIndexOutOfBoundsException
 PI56833WebContainer is setting the Content-Language
 PI57951Line feed code disappears when data is uploaded with enctype="multipart/form-data" in an HTML form
 PI58920 Dispatcher type obtained from HttpServletRequest is not updated on post processes
 PI59415Development version of servlet SPI bundle does not match with runtime webcontainer bundle.
 PI60797 Enable POST only for a form login
 PI61594AsyncContext.dispatch() might dispatch to an incorrect URI if using different versions of ServletRequest.startAsync()
 PI61628A 404 error might be generated when using redirectToWelcomeFile
Web Services (JAX-WS, JAX-RS) PI53319ClassNotFoundException on WebSecurityHelper
 PI56315JAX-RS MessageBodyWriter is not run
 PI56374ClassCastException: java.util.TreeMap incompatible with javax.ws.rs.core.MultivaluedMap
 PI58097HTTP Response header with invalid Date string is added to the response on a WebServices request
 PI58779JAX-RS 2.0 @Context injection from client side provider reports NullPointerException
 PI58799IllegalArgumentException inJAX-RS InjectionUtils.java code
 PI59519Update product.json model to match recent changes in API Connect
 PI59633When using JPA to persist an object, the JAX-RS engine does not correctly catch any exceptions that are thrown
 PI59640Security definition is missing from the filtered Swagger document returned by API Discovery Framework
 PI59643Using @Context to get the HttpServletRequest and changeSessionId() always returns null
PI61936Information disclosure in JAX-RS API
 PI62155Suppress SOAP FAULT error message
PI62450Swagger processor may allow weaker than expected security
Web Services Security PI59665OIDC Relying party auth flow fails with 401 error when security trace is enabled
 PI59677OIDC relying party authentication failure due to CWWKS1704E error
 PI62735The groupId(s) get lost in id_token and introspection
WMQ messaging providers PI59123WS-AtomicTransaction participant recovery after a server crash may never complete
 PI60966Problem distributing transaction between WSAS traditional and Liberty using WS-AtomicTransaction.

Back to top

Fix pack 8.5.5.9
Fix release date: 18 March 2016     
Last modified: 18 March 2016     
Status: Superseded     

Download Fix pack 8.5.5.9
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI50291 Beans searched for through instance interface are not found
 PI51134 NullPointerException if all interceptors are on methods overriden, defined at class level or defined in a different method
 PI51508 Reduce contention in AbstractOwbBean.equals use
 PI52391BeanManger.equals cannot distingiush between two BeanManagers for the same module after a restart
 PI52756 CDI is activated and generates error with no existence of beans.xml
 PI52765Provide a fix for Weld bug in CDI 1.2
 PI57976Objects of class NullInjectionPointImpl are visible in applicaiton code
 PI58021ClassNotFoundException if application contains a jar which contains other archives
Database Access, Connection Management, Merant/DataDirect drivers PI57239Error when multiple threads attempt to authenticate to Mongo at the same time
EJB Container PI49639CWWKC2259E: "Unexpected child element" in Liberty profile for EJB 2.1
 PI50806NullPointerException in AbstractEJBRuntime.bindAllRemoteInterfacesToContextRoot when using ejbRemote-3.2 feature
 PI53807Improve message text when EJB SessionContext fails to serialize
 PI55049Non-persistent EJB Timer created while application is stopping may not be removed
General PI48725 Initial TLSv1.0 application data packet read into the wrong buffer by the SSL channel
 PI49508At startup end users requests routed with HTTP 404 response
 PI49566WebSockets might not close the connection if sessionIdleTimeout is set
 PI51523 HTTP Channel getCookieValue throws ArrayIndexOutOfBoundsException when cookie is only one-digit double quote "
 PI51552Unwanted CWWKC1556W warning when application starting or server shutting down
 PI51740The HTTP Channel could cause the Operating System to send an RST packet when the connection is closed
 PI52417Host name resolution with collectives on z/OS may not resolve properly
 PI52845 SSL handshake fails due to a java.lang.IllegalArgumentException.
 PI54212 Update one class in Apache Commons
 PI55344The job logs are producing a date such as 2016-12-28 as opposed to 2015-12-28 during the last week of the year
 PI55874Jobs containing split-flow may continue executing the (split-flow) even after the job is stopped.
 PI56019The com.ibm.websphere.appserver.api.mediaServerControl.1.0_1.0.11.jar file in the dev/api/ibm directory is empty.
 PI56057The MediaServerControl Javadoc provided contains accessibility issues.
 PI56076Batch job logs do not contain the exception stack trace on step or job failures.
 PI57100Remote partition wrongly ends in COMPLETED state when job is stopped, wrongly bypassing partition execution on restart.
 PI57542IOExceptions is not thrown on inbound connections
 PI58014Message's address is null in SipUdpConnLink
 PI58049The exitStatus after the restart of an executor is not properly being rolled back to the correct value.
Install V8 and above PI51130Updating Liberty using group-mode Installation Manager does not set group-write bits
 PI55969An update to the licenses in IBM WebSphere Application Server Liberty V8.5.5.9 is required.
Intelligent Management Component PI53304Auto scaling does not fully scale in to the minimum number of servers or scale out to the maximum number of servers
 PI57006A scaling controller might not register a scaling member correctly when the member starts.
 PI57007ConcurrentModificationException in com.ibm.ws.scaling.controller.topology.RepositoryMonitor$UpdateHandler
 PI57982In a Liberty collective, not all instances of an application are used when routing with Intelligent Management for Web Servers.
Java 2 Connectivity (J2C) PI53120 Datasource connection pool minimumPoolSize to be 0 by default for newly created datasources
 PI54230ClassNotFoundException when using generic RA in Liberty
Java Persistence API (JPA) PI46699A null value is returned when trying to use OpenJPA's DelegatingConnection's unwrap()
 PI47094 ClassCastException using a shared JPA module on JPA 2.1
 PI47144 Merging an unmanaged entity multiple (3) times leads to an exception.
 PI50341 Using java.sql.Timestamp data type for entity version value requests current timestamp from wrong SYSIBM table on DB2
 PI50694 ClassCastException is thrown in JPA when QueryCache is enabled
 PI51878ddlGen script is shipped in ASCII instead of EBCDIC in Liberty 8.5.5.7
 PI52209 EntityNotFoundException in OpenJPA
 PI53589OpenJPA fastpath broken on Java 8
 PI56340OutOfMemoryError from org.apache.bval.cdi.BValExtension$Releasable objects not being released.
 PI56499AbstractMethodError occurs when using JPA with beanvalidation-1.1 feature
 PI58001NullPointerException from org.eclipse.persistence.queries.ReadObjectQuery under heavy loads
 PI58005With a Liberty image consisting of only EE7 features, importing javax.persistence 2.1 with WDT requires an internal attribute.
JavaServer Faces (JSF) SunRI implementation PI46218DeploymentException occurs if different web modules in an enterprise application have CDI beans with the same name
JavaServer MyFaces (JSF) Apache MyFaces implementation PI45044 JSF problem in a Portlet environment: Form inputs inside a data table lose their values if validation fails
 PI47885 h:selectManyCheckbox and h:selectOneRadio components do not support f:ajax tags.
 PI49486 MyFaces leaking file descriptors when reading stylesheet files
 PI50108JSF component binding with ViewScope beans does not work and causes an exception
 PI51038Fix EL 3.0 ImportHandler support in JSF 2.2
 PI53555JSF ViewScope implicit objects are not resolved in JSP pages
 PI54702Null renderer-type tag causes custom TagLib xml parse error
JavaServer Pages (JSP) PI52851Changing JavaServer Pages (JSP) features between requests can result in a java.lang.NullPointerException.
Liberty Application Services PI51184CWWKG0031E is received after commenting out a JNDI element and then adding it back at runtime
 PI51375Application Manager change to make time waiting for apps at startup configurable
 PI52936Application classes provides incorrect values when calling getProtectionDomain().getCodeSource().getLocation()
 PI54707Intermittent ConcurrentModificationException thrown on startup when two Liberty apps use a privateLibraryRef.
 PI55383Client container application fails to run
 PI55891SPI classes under com.ibm.ws.container.service reference some non-SPI classes
 PI56452NullPointerException in WABInstaller.java results in "Unable to install bundle" message
 PI56644SPI classes under com.ibm.ws.javaee.dd reference some non-SPI types
 PI56831Classloader.getResource("") does not return url to WEB-INF/classes
Liberty Debug and Tracing PI51841Request timing can accidently remove an executing request from the active request list
 PI52003New "JSON" format added to binarylog command
 PI54917ConcurrentModificationException in collector manager
 PI55910Logging in InvocationContextImpl outputs array IDs instead of array contents
Liberty Kernel PI51988Invoking productInfo with valid command but bad option does not give errors
 PI52309WebSphere Liberty default executor auto-tuning is disabled when an embedder overrides the default ThreadFactory.
 PI53867ScheduledExecutorService can temporarily leak classloaders for canceled tasks.
 PI54458Wrong charset returned in page-not-found error when incorrect context root is requested.
 PI55031Fix defect in Equinox framework to incorporate in Liberty
 PI55670Liberty File URLs contain incorrect number of '/' characters
 PI56645Configuration conflict warning message needs improvement
 PI56678FileNotFoundException when application start-up fails.
 PI57314JSP classloading ignores the application parent-last classloader setting
 PI57974OSGi applications may be able to get access to OSGi services provided by Liberty feature bundles which are not considered API.
 PI57975Deadlock may occur when creating a Java util logging Logger
 PI57980Improper error when running Liberty scripts with unsupported Java version.
 PI57981Changing SSLDefault may still require unnecessary configuration of defaultKeystore
 PI58006Feature updates are less likely to result in unnecessary component activation and deactivation
 PI58035When installing features using the installUtility jaccWeb-1.5 and ejbComponentMetadataDecorator-1.0 are not installed
Liberty System Management PI53219Wrong locale in the content when calling REST API to generate schema
Liberty z/OS PI50915More details is provided for some failures in WOLA connections via Liberty
 PI51171Allow WOLA client to re-connect after a Liberty server failure or recycle
 PI51329Default JAVA not read from java.env when server is started with a PROC.
 PI53339Liberty on z/OS fails to route messages to MSGLOG DD card
 PI53469z/OS Connect does not preserve JSON payload element ordering as shown in copybook files.
 PI53842Basic authentication not working z/OS Connect dynamic services
 PI54855Liberty on z/OS does not pick up the IFAUSAGE properties file in the product extension directory
 PI54886When starting a Liberty server that has zoslocaladapters configured the sever abends with a System 106.
 PI55029Liberty started task does not expand @WLP_INSTALL_DIR@ when used in the path specified by WLP_DEFAULT_JAVA_HOME in java.env.
 PI56289Calls to WOLA services BBOA1* may hang when Liberty server is cancelled or ABENDs
 PI56385Message CWWKB0101I does not provide enough information to diagnose problems connecting to an Angel process.
 PI56987WLP_SKIP_UMASK=true is not working when Liberty server is started from a started task on z/OS
Messaging Providers PI47483[WARNING ] CWWKG0032W: Unexpected value specified for property
Performance Monitoring Tools PI55077Monitor group filter does not work with the component which are not using the code intstrumentation.
Security PI50399NullPointerException thrown at com.ibm.ws.transport.iiop.security in Liberty profile
 PI51188Login fails with mixed-case password phrase on z/OS.
 PI52181Liberty incorrectly displays warning message aboutWSGUEST user missing the RESTRICTED attribute
 PI52566Incorrectly returning CWWKS4306E when application URI is unprotected and Liberty receives an expired LtpaToken
 PI57413CWWKE0702E: Could not resolve module: com.ibm.ws.management.security is logged when zosSecurity-1.0 is enabled.
 PI57668Collective member certificate login fails with LDAP or Federated user registry
Sessions and Session Management PI53220Session attribute not stored with Oracle as database session persistence and MultiRowSchema=true
Systems Management Functions PI58002Collective replica restart may fail
Virtual Member Manager (VMM) PI48674LDAP binary attribut handling in VMM
Web Container PI42598Filter with only WebFilter annotation does not get invoked
 PI43752 AsyncContext.dispatch() dispatches to an incorrect URI
 PI52414While using an upgrade request the quiesce operation did not complete
 PI52415isFinished on a stream can return true before the stream is fully read
 PI53854Unable to retrieve the REMOTE_USER from the WSRU header without using any security in Liberty
 PI54235A redirect using an URI relative to the current request URL redirects to the wrong URL
 PI54414Managed thread factory not available in ServletContextListener.contextInitialized
 PI54701The Servlet SPI was refactored to provide a complete set of SPI classes.
 PI57884Blocking write is not allowed once WriteListener is enabled.
 PI58013If an error occurs during a request with a ReadListener and is upgraded, a quiesce operation may not complete properly
Web Services (JAX-WS, JAX-RS) PI48389@PreDestory method invoked twice when @RequestScoped annotated on resource class and no @Context field in the class
 PI50692Data conversion issue for Multi-part MIME on mainframe (z/OS)
 PI51798Liberty JAX-RS implementation may throw NullPointerException
 PI52014User customized provider life cycle annotation @PostConstruct @PreDestroy not work or throw NullPoint Exception when stop server
 PI54152Liberty profile JAX-RS 2.0 Client Side Built-in Providers Installation Performance Issue
 PI55038Injection on implementation of ParamConverterProvider in JAX-RS 2.0 fails with NullPointerException
 PI55547Customized EJB ExceptionMapper cannot be mapped to user defined Exception in more than two JAX-RS 2.0 Applications
 PI56455ClassNotFoundException loading the jaxws-2.2 and appSecurity-2.0 features
Web Services Security
PI49272 Cross site scripting vulnerability in Oauth Service Provider CVE-2015-7417
 PI57265Add OpenID Connect relying party (RP) config option to specify whether to do client side redirect
PI58003Cross-site scripting vulnerablility in OIDC client web application
WMQ messaging providers PI43413 Deadlock in controller due to timing window in the recovery log service; servant times out
 PI53471Extended Unit of Work API may not throw errors back to the application when they occur during transaction end processing.
 PI53472Thread safety defect in Unit of Work manager initialisation
 PI53661When inside an @Transactional declarative transaction, an error is thrown upon entering an @TransactionScoped context.
 PI54151Unable to find the @Transactional annotation
 PI56465@TransactionScoped bean instances do not have their @PreDestroy-annotated destructors called.
 PI56466Access to UserTransaction methods is not correctly disabled within nested @Transactional annotations
 PI56467@Transactional rollBackOn/do not RollbackOn scans the exception class hierarchy in the wrong direction
 PI56529@Transactional annotation processing code emits FFDC when encountering RuntimeExceptions in the dontRollBackOn list

Back to top

Fix pack 8.5.5.8
Fix release date: 11 December 2015     
Last modified: 11 December 2015     
Status: Superseded     

Download Fix pack 8.5.5.8
Component
Security APAR
APAR
Description
Contexts and Dependency Injection (CDI) PI47250Liberty Profile with CDI 1.2 and CDI enabled application has slow startup
 PI49410Publish the Weld 3rd party version on the repackaged Bundle-Description
 PI49978If CDI 1.2 is enabled then a BeanManager could be returned when resolving any JNDI value.
 PI50790Turn off beans.xml validation by default.
 PI50802ProcessInjectionTarget and ProcessInjectionPoint events are not fired when processing non-CDI Interceptors.
 PI52419Export weld packages so that DeltaSpike Scheduler can be supported
EJB Container PI47475A NameNotFoundException occurs for injection of resource into ManagedBean in EJB module
 PI48390IllegalStateException thrown during server stop when j2eeManagement feature is installed
General PI42523Root not injected on URL containing query but omitted path
PI45266HTTP response splitting vulnerability CVE-2015-2017
 PI47651An OutOfMemory error can occur from a leak in WebSockets when websocket session timeout is set
 PI47954Future.get can hang during ManagedTaskListener.taskStarting for repeating task
 PI48097Cleanup of resources can be missed after Thread.run for threads created by a ManagedThreadFactory.
 PI48327WLP does not handle requests successfully during shutdown
 PI48759The TCP Channel's Host Name Include and Exclude lists are case sensitive
 PI50766ExecutionException raised instead of AbortedException for aborted task
 PI51046BATCHMANAGER SCRIPT WebSphere Application Server SHIPPED IN ASCII ENCODING ON z/OS INSTEAD OF EBCDIC ON LIBERTY 8.5.5.7
 PI51656COMM_FAILURE exception raised during IIOP invocation due to IIOP connection being closed while in use
 PI52303Duplicate IIOP request IDs lead to incorrectly parsed response (from incorrectly handled reply message).
Install V8 and above PI51982LIBERTY 8557 CANNOT ROLLBACK TO LIBERTY 8553 AND BELOW
Intelligent Management Component PI49835java.lang.IllegalStateException: The ScalingMemberReplacementService service is not available
JavaServer MyFaces (JSF) Apache MyFaces implementation PI47095A java.lang.ClassNotFoundException can occur during deserialization of the HTTP session
 PI47578An UnsupportedOperationException is thrown with an eager ManagedBean containing a ManagedProperty in JSF 2.2
 PI47600The "class" attribute cannot be set in a custom tag in JSF 2.2
JavaServer Pages (JSP) PI43036JspTranslationException when using a JSP tag containing another tag with deferred-attributes
 PI44611JSP engine throwing an IllegalStateException when PageContext.findAttribute(string attributename) is called
 PI46827Memory leak in javax.el.BeanELResolver caused by application restarts
Intelligent Management Component PI52161Liberty collective server status is not in sync with DataPower status query
Liberty Application Services PI50370Unnecessary IllegalStateException FFDC created during some server stops
Liberty Archive Install PI50812Some download error messages are shared with install error messages, but the content of the message only mentions install.
Liberty Debug and Tracing PI49056NullPointerException when updating traceSpecification programmatically.
 PI50369NullPointer in MethodInfoImpl tracing
 PI51010Liberty core dumps when -Xhealthcenter:level=inprocess jvm option is used with health center agent version 3.0.5 or above
Liberty Kernel PI46358Problem with notify call for updateTrigger="mbean"
 PI46856Unused server.env file generated when creating client processes using Java 8
 PI47941Liberty featureManager command may hang until killed
 PI48377Unable to use wlp-featureRepo-8.5.5.7.zip as a directory based repository in WDT
 PI49759When setting the trace file name to 'stdout', the distinction between error and general output messages is lost.
 PI49927UPDATE TO COMMAND PRODUCTINFO VIEWLICENSEINFO
 PI50096When Java security is enabled application class loaders may get access to internal packages contained in liberty profile
 PI50775There needs to be a space character preceding the ellipses mark used in some install command line messages.
 PI51403SSL support does not start properly
 PI52579Errors after adding or configuring additional content to server when the server installation path contains unsafe characters
Liberty z/OS PI46937Security identity not propagated from batchManagerZos to batch exectuor in multi-server environment causes JobSecurityException
 PI47050Unintall zosBundle addon fails if use Java7 to run Liberty installUtility
 PI47248PERMISSION ERRORS ACCESSING RESOURCES IN THE SERVER'S WORKAREA DIRECTORY USING APPLICATION SYNCTOOSTHREAD WITH JSP INCLUDE TAG
 PI47476CWWKT0022E IN LIBERTY SERVER WHEN USING DVIPA HOSTNAME DEFINED BY VIPARANGE
 PI47730SERVICEABILITY ENHANCEMENTS TO ENABLE TRACING IN THE TOOLING THAT z/OS CONNECT USES
 PI48362The performance of inbound requests using the zosLocalAdapters feature is poor.
 PI48528z/OS CONNECT USE OF HTTP GET WITH INVOKEURI FAILS WITH WOLA SERVICE PROVIDER
 PI48823HIGH I/O AND CPU USAGE WITH ZOSCONNECTDATAXFORM DATA TRANSFORMER
 PI48987AFTER RESTARTING LIBERTY WITH z/OS CONNECT, NO z/OS CONNECT SERVICES ARE AVAILABLE
 PI50040CWWKE0701E MESSAGES SEEN AT LIBERTY SERVER STARTUP
 PI50389CONVERTTOJSONPRIMITIVE DATA TRANSFORMATION PART OF z/OS CONNECT USES HIGH CPU
 PI50787A z/OS modify command fails when running OSGi console commands.
Performance Monitoring Tools PI42967Excessive appendCustomSetString calls cause high CPU when using VE and PMI.
 PI49140Health manager dumps many files into member server's /tmp directory
Security PI44880Improve serviceability for form-logout processing.
 PI47544Fix keystore file monitoring so it is not polling by default.
 PI47823In Liberty profile ignoreCase=true is not honored for administrator-role entries
 PI48220The hashtable login module does not honor the uniqueId and security name when passing then userId
 PI49157App Server Classic to Liberty profile remote EJB lookup is not working when CSIv2 uses LTPA
 PI50589Liberty profile needs a meaningful message in the NO_PERMISSION exception when failing to decode a GSSUP token.
 PI50717Populating the users to the BasicRegistry might fail due to CWWKS3104E: Multiple users are defined error
 PI50825Access is denied with a WebSphereRuntimePermission for getSSLConfig in CSIv2 during a naming lookup.
Sessions and Session Management PI51030There is a duplicate creating table problem when using Informix as session database on Liberty profile
Systems Management Functions PI50111Automatically deployed member fails to start on Microsoft Windows
 PI50484Multiple clusters concurrently deploying to new host have JRE collision
 PI50768wlpInstallDir and/or jreInstallDir and/or otherInstallDir install to default location instead of to user specified one.
 PI50824Scaling member may change to automatic mode on member restart
 PI50970An improvement is made in the collective replica set management to better handle a network isolation condition.
 PI50985Collective controller does not start
PI52103Vulnerability in Apache Commons Collections used by Liberty
Virtual Member Manager (VMM) PI46476The principal name is listed as null in the error message CWIML4537E
Web Services Security PI36818WebSphere OAuth TAI template cache has a synchronized lock and can block a lot of threads
 PI51540CWWKS1758E: Validation failed for the ID token.
WMQ messaging providers PI48396Performance degradation on application startup
 PI52986In doubt transactions are not recovered on server restart

Back to top

Fix pack 8.5.5.7
Fix release date: 11 September 2015     
Last modified: 11 September 2015     
Status: Superseded     

Download Fix pack 8.5.5.7
Component
APAR
Description
Contexts and Dependency Injection (CDI)PI40544CDI decorator for an interface must directly implement cannot inherit from a super class
PI45878Injected parameters passed in wrong order
PI46326Performance Improvement on application startup
PI46615The same class appearing in multiple war files might cause the wrong bean manager to be returned.
PI46639Name given to a bean with @Named annotation is not the correct default if it begins with two or more capitals
PI47146CDI does not correctly verify and publish events for JEE Component Classes which support injection
Database Access, Connection Management, Merant/DataDirect driversPI45007Allow the user to specify the TLS_CLIENT_CERTIFICATE_SECURITY option on the securityMechanism property on properties.db2.jcc
DynaCachePI45499The webCacheMonitor feature does not work with JSP 2.3.
PI45536The Liberty profile cache monitor does not work with application security enabled.
GeneralPI33395NullPointerException thrown by UDP channel when stopping server.
PI35277Server not responding to Continue message as expected
PI36179ReInvites are frequently canceled with NullPointerExceptions
PI42817HTTP Channel prints FFDCs for MalformedMessageExceptions and IllegalStateExceptions while parsing request message
PI44958Exceptions when requestTiming is re-enabled
PI46281NullPointerException in batch JobOperatorImpl after dynamic server configuration change involving batch or its dependencies.,
PI46300A call to the Batch REST interface to restart a job fails when the job was previously started via the JobOperator.,
PI46303Issuing a STOP command to a Batch job does not result in the job being in the STOPPED state.,
PI46433FFDC is produced for a NullPointerException in com.ibm.ws.tcpchannel.internal.SocketRWChannelSelector.updateSelector.
PI46543Future.get hangs when attempted from taskSubmitted/taskStarting of tasks scheduled via a ManagedScheduledExecutorService.
PI46745A retry with rollback performed before the first checkpoint is taken causes a NullPointerException to be thrown.
PI46747Batch status of an instance is in STARTING when instance state is FAILED
Install V8 and abovePI46415Updating Liberty using Installation Manager on z/OS requires a large amount of disk space.
PI46420Installing Liberty v8.5.5.6 with features or addons using Installation Manager in silent mode fails due to out of disk space
PI46422Installation Manager unable to install assets from instance of the Liberty Asset Repository Service with no internet connection
PI46563Update WebSphere Application Server Liberty profile V8.5.5.7 licenses
Java 2 Connectivity (J2C)PI37749JDBC Wrapper implementation of ResultSet.isClosed returns false after DB2 JCC driver has closed the ResultSet
PI45839Missing translatable message for error path where invalid valid is specified for a numeric connector property
Java Persistence API (JPA)PI45511Expose the org.apache.openjpa.lib.rop package in the jpa-2.0 feature to enable the serialization/deserialization of ResultLists.
PI46623When using the jpa-2.1 feature, an entity containing a lazy field may fail to deserialize
PI47287Potential memory leak when both validation 1.1 and CDI 1.2 features are enabled.
JavaServer MyFaces (JSF) Apache MyFaces implementationPI38788Hung thread caused by MyFaces
PI43692A java.lang.ClassNotFoundException can occur when the session is invalidated and the jsf-2.2 feature is being used.
Liberty Administrative CenterPI44185Stopping Liberty profile 8.5.5.5 controller from the Admin Center causes error
Liberty Application ServicesPI43122ValidationException occurs when using JAX-RS and more than one validation.xml
PI43130Enable strict checking of a single validation.xml file per application classpath.
PI46803Server with IIOP clients fills heap and throws OutOfMemoryError
Liberty Debug and TracingPI44096binarylog command causes java.lang.NullPointerException
PI46922Request timing does not work with Java EE 7 features
Liberty KernelPI28387After a configuration update a web request may temporarily result in an error
PI41611Collective controller returns garbled stdout of ServerCommands to JXM client
PI42400OSGi applications that contain blueprint.xml in bundle fragments do not start after Liberty update to 8.5.5.5
PI43382Product validation error using featureManager to install an add-on, such as extendedPackage-1.0 or javaee-7.0
PI45743ServiceException when stopping the server immediately after a configuration update
PI45777The configuration schema does not include a default value for the 'optional' attribute on the 'include' element.
PI45942Creating a new server can result in a server.env file being generated in the wrong place
PI46475IIOP/CSIv2 may fail to start correctly due to missing UserRegistry
PI46612Server dump command fails when a Java dump file cannot be found.
PI47138Default welcome page uses 'Beta' description for supported server
Liberty System ManagementPI46936FileTransferMBean.deleteFile(String) may not be able to delete an empty directory on IBM i operating systems
PI47155File transfer could sometimes fail due to controller deleting the file before the transfer is complete
PI47206JSONConverter incorrectly de-serializes MBeanServerNotificationFilter
PI47351If the appSecurity feature is installed no application starts unless SSL and a UserRegistry are configured correctly.
Liberty z/OSPI38734Add mapped SAF identity to the SMF 120 subtype 11 records
PI38852z/OS connect in Liberty is not recognizing the mapped RACF userid is a member of a group
PI45470Abend S478 RC=4 when trying to stop the server
PI45472ABEND0C4 when running batchManagerZos from a dataset
PI45842Abend S478 RC=4 when trying to stop the server SP231
SecurityPI37396Potential spoofing vulnerability in WebSphere Application Server CVE-2015-4938
PI43224The authData configuration element needs enhancing to include alias and database in its description.
PI43359Javadoc relating to isServerSecurityEnabled needs to be updated to apply to its function in Liberty profile
PI43583Logout fails due to ConcurrentModificationException in high-stress, multi-threaded environment.
PI43768Remove SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA from the strong cipher list.
PI46545Add exception to security error message CWWKS1102E.
PI46748Enabling security through adminSecurity-1.0 may cause servlets to not configure completely
Systems Management FunctionsPI41230Liberty 'collectiveController replicaPort' limits size of port number
PI42819Collective join or replicate with --useHostCredentials option completes even if host credentials are missing.
PI43401Incorrect error message when host authentication credentials cannot be retrieved by collective controller.
PI45838A scaling member logs an FFDC with IllegalArgumentException during server shutdown
PI46378Collective and cluster member started/stopped state not promptly updated.
PI47142Improve collectives replica reconfiguration performance by improving internal storage structure in Frappe.
Virtual Member Manager (VMM)PI45051LDAP: Error code 53 - R000128 Filter is not supported
PI46454UserRegistry getUsers method does not use LDAP userFilter configuration specified in the server configuration
PI46472LdapRegistry does not work when the search results cache is defined as <searchResultsCache enabled="true" />
PI53797Ignore case configuration is not honored in LDAP repository configuration
PI54153Login fails when ibm-entryuuid attribute value is null for a user
Web ContainerPI38116Provide option to not flush internal response objects in FileServletWrapper.
PI41941Improve error messages SRVE9002E and SRVE8011E
PI42281Suppress SRVE0255E error message in systemout trace
PI44057There is an increased performance overhead for users of the SSL feature in Liberty profile
PI44214getParameter() does not work after getReader()
PI47153Liberty profile performance issue when using @postContruct and @preDestory annotations in servlets
Web Services (JAX-WS, JAX-RS)PI38723NullPointerException generated by Apache wink library when processing HEAD requests
PI40556WebServiceContext is lost, resulting in a NullPointerException
PI42710javax.xml.bind.UnmarshalException: unexpected element can occur on first request
PI46436Wrong media type for the response when using JAXRS-2.0
Web Services SecurityPI44461Must not call getClob for PostgreSQL
 

Fix pack 8.5.5.6
Fix release date: 26 June 2015     
Last modified: 22 June 2015     
Status: Superseded     

Download Fix pack 8.5.5.6
Component
APAR
Description
Contexts and Dependency Injection (CDI)PI29421 CDI getInjectableReference() is not working as expected
PI36177 PostConstruct method is not called if there is a second method of the same name
PI40778Nulls are being injected in place of EJBs that depend upon an @resource
PI41728An inherited qualifier with a value is overridden but the more distant value's ancestor is applied to a bean.
Database Access, Connection Management, Merant/DataDirect driversPI38333Cleanup fails with an SQLException for unsupported operations
PI38941IllegalArgumentException when attempting to configure DB2 data source property keepAliveTimeOut
DynaCachePI36904Cache provider name description is incorrect and unclear.
EJB ContainerPI39344EJB application update time greater than two minutes when server is under load
GeneralPI31734 HTTP response might have multiple Set-Cookie: JSESSIONID headers
PI32026The message: "BBOA8090E An error occurred during TRUE enablement with reason code 63" is not clear for client self-assist
PI33453 Chunked request might fail to receive all responses caused by delayed last CRLF.
PI36010 Channel framework NCSA access log service time
PI40058Allow for pre-CDI injections to work for websocket Server Endpoints when CDI is disabled.
PI41780The server does not shutdown with an active websocket session in use
IBM iPI35258server start fails with "Command /QOpenSys/QIBM/ProdData/JavaVM/jdk70/32bit/bin/java not found"
Install V8 and abovePI40035Update licenses for IBM WebSphere Application Server v8.5.5.6
Intelligent Management ComponentPI34716Web server server-status page shows STARTED applications under STOPPED servers for Liberty collectives
PI37873Potential server hangs are possible during server stop when using the scalingMember feature
PI39714Dynamic routing in Liberty does not work if applications have an empty url-pattern for a servlet-mapping in web.xml
Java 2 Connectivity (J2C)PI39295IllegalStateException: context is null prevents resource adapter from being stopped
PI40410WorkContextLifecycleListener not notified of contextSetupCompleted
JavaServer MyFaces (JSF) Apache MyFaces implementationPI38066 Request to Prefix mapping of Faces servlet may return a 500 Error.
PI38898The jsf-2.0 feature might fail to start with java2security enabled
PI38977The el-3.0 and jsp-2.3 features should require a minimum of Java SE 1.7.
JavaServer Pages (JSP)PI31922 New JSF applications may fail after deployment if another JSF application is deployed in the server using its own EL parser
PI33328 javax.faces.application.FacesMessage is not serializable
PI37304 Incorrect JSP translation for the expression
PI37485 Comparison between encodings should be case-insensitive JSPG0088E
Liberty Administrative CenterPI39293AdminCenter line graphs plots can get out of sync with the summary field values.
PI39713Alert panel in Admin Centre's dashboard may not display all alerts.
PI39717Invisible close button on background task details dialog
PI39718Misaligned background steps description.
PI39719AdminCenter graphs do not display when using a browser with a Russian Locale.
PI39991If the AdminCenter Graphs slow down because of system load, the X axis labels of some graphs can become unreadable.
PI40192Bidirectional Preference toggle button on Mozilla Firefox browsers does not render correctly
PI40419If edit button is clicked before tools are fully loaded in user's tool box, then there is no remove icon on newly loaded tools.
PI40633A 400 error code displays in the console when loading Admin Center
Liberty Application ServicesPI29785FFDCs with IllegalStateException: Cannot stop from state UNINSTALLED created when Liberty profile server is shut down
PI34959Artifact SPI in Liberty profile missing classes StructureHelper and ArtifactContainerFactoryContributor
PI38923Exception logged during server shutdown
PI39795JNDI Contexts in the java: * namespaces are not serializable
Liberty Debug and TracingPI38281During High Performance Extensible Logging mode TruncatableThrowable exception is logged as wrapped exception
Liberty KernelPI34141An IllegalStateException may be generated by the com.ibm.ws.classloading bundle on shutdown when unregistering a service.
PI34161Liberty profile %D NCSA access logging directive does not record the correct elapsed time for a request
PI34201REST connector can potentially use an invalid endpoint
PI35483400 bad request error from channel component while parsing headers with trailing white space
PI36907Nested elements are not merged if cardinality is 1 or -1
PI36912Updates to nested elements provided by a user extension may not result in a configuration update
PI36944Nested configuration with unresolved references can have incorrect values
PI36999An error parsing a file in configDropins prevents other files in configDropins from being loaded
PI37977Contextual proxy is not usable until the context service that created it is looked up or injected into an application.
PI37978Direct lookup of ManagedScheduledExecutorService sometimes returns wrong type.
PI37983Schema and feature list contain English when locale is set to pt_BR and zh_TW
PI39099Liberty OSGi SPI JARs do not compile with Java 7
PI39798Liberty executor can hang when work is submitted outbound over HTTP and back into the same server.
PI40224Java 8 VM no longer supports MaxPermSize
PI40775Symbolic links to server directories from Liberty usr/servers directory do not work as expected
PI40819File permissions too restrictive when WLP_SKIP_UMASK=true specified for Liberty profile server
PI40996IllegalArgumentException thrown when bootstrap property key is a zero-length string.
PI41012NullPointerException when installing a corrupt jar file
PI41671Files with extensions other than XML are read from configDropins
PI42525Specific application elements may not be removed correctly
Liberty System ManagementPI37984Collective deployment fails when using root directories as write paths.
Liberty z/OSPI33798WebSphere Application Server for z/OS can encounter CML lock contention when under heavy load.
PI37650UNPRINTABLE CHARACTERS IN SCRIPTS BBGJS2LS BBGLS2JS
PI38709Server started on z/OS with a started procedure does not place logs into the location specified by WLP_OUTPUT_DIR.
PI38774Using DFHJSON to format strings with numbers for the data, quotes(") were not placed around the data.
PI38851Distributed ID not properly mapped when used with WOLA in Liberty
PI39623Collectives are unable to start servers on z/OS that run as started tasks
PI41507zosLocalAdapters (WOLA) requests run as the UNAUTHENTICATED user instead of the client user
SecurityPI28455UnsupportedCryptoAlgorithmException is not included in com.ibm.websphere.appserver.spi.containerServices_1.0.0.jar
PI34405Server SSL port is blocked indefinitely when client authentication is used and the truststore is empty.
PI35075The certificateUtility createSSLCertificte tool does not give a useful message if the keystore already exists.
PI37897SSL configuration attribute added to the metatype.
PI38712Enforce the optional nonce parameter in the OIDC Authorization code flow(provider)
PI38713Enforce the optional nonce parameter in the OIDC Authorization code flow(client)
PI38772OpenID connect relying party fails when hostname contains "oidc"
PI39322Fix poorly worded error message that appears when the a keystore fails to load.
PI39325Allow larger ciphers, 256 bit ciphers, to be a part of the HIGH cipher list.
PI39647Support JSON array as custom claim
PI41257The securityUtility tool does not run if only the kernel feature is installed.
Systems Management FunctionsPI36632A FFDC java.util.NoSuchElementException was reported on the collective controller by ServerCommandsMBeanImpl class
PI37256Application ADDED notification being issued during Application removal.
PI38096FFDC with java.lang.IllegalArgumentException is thrown when removing a member from collectives
PI40358Concurrent cluster membership changes can result in a member being removed from a cluster.
PI40550Collective remove command did not handle bad user name correctly
PI40561Java home for the collective join command is not set correctly in a post join action operation with a server deployment.
PI41251Removing a running member from the collective does not stop it publishing its state data to the collective repository.
Virtual Member Manager (VMM)PI38554LDAP filter issues with VMM
PI40564User filter expressions containing a '!' do not work as expected.
Web ContainerPI31292getPathInfo returns a semi-colon for the ";xxxx" appended after the request URI
PI31447 The server adds a /(slash) to the response URI if the inbound request URI has a ;(semi-colon)
PI31622 Privilege escalation with serveservlets CVE-2015-1927
PI38357 Add more details to the WebAppHostNotFoundException
PI38383Unhelpful message in console.log: Uncaught.init.exception.thrown.by.servlet
PI38782Add property to initialize the class during Class.forName()
PI39941Close does not wait for the timeout
PI40414No access to all org.apache.japser.el classes
PI40416Unsupported Operation Exception after programmattically added servlet context listener throws an exception
PI40418WebContainer throws a java.lang.IllegalArgument exception when parsing parameters
PI41465When HttpInputStream.isReady() is called after that same API has already returned false, an IllegalStateException can occur.
PI41894A java.io.IOException is not propagated back to a dispatch caller.
PI42283On an async request, fix the thread context state and transfer the security context between threads.
Web Services (JAX-WS, JAX-RS)PI38077jax-ws-catalog.xml support for META-INF for WAR module
Web Services SecurityPI36866Obtain sensitive information with Apache WSS4J CVE-2015-0226
WMQ messaging providersPI28223NullPointerException in JNDINestedFrameworkSupport (JNDI lookup)
PI35539Potential java.util.ConcurrentModificationException when starting OSGi applications within WebSphere Development Tools.

Back to top

Fix pack 8.5.5.5
Fix release date: 13 March 2015     
Last modified: 11 March 2015     
Status: Superseded     

Download Fix pack 8.5.5.5
Component
APAR
Description
Contexts and Dependency Injection (CDI)PI15310StackOverflow error or NullPointerException occurs under heavy load
PI27526The @Produces annotation method on class results in a non-null injectionpoint instance on first invocation.
PI30964EJBs conflicting with listener configuration and CDI events
Database Access, Connection Management, Merant/DataDirect driversPI28913DSRA0304E and DSRA0302E messages with cause and exception as null creates confusion.
PI34199Connection cleanup fails when using an unsupported JDBC driver.
PI34376Unable to specify empty port number for DataDirect Connect for JDBC and Microsoft SQL Server JDBC Driver
DynaCachePI28515DynaCache CWWDY1064E or DYNA1064E is written for containsKeyDisk() operation
EJB ContainerPI27706Intermittent FFDC of IllegalStateException when stopping a Liberty profile server with a message-driven bean application
PI27924UserTransaction cannot be used from a CDI instance created within the context of an EJB
GeneralPI17680SipApplicationSession accumulate after BYE transaction if reINVITE transaction not responded to
PI21665WebSphere can use the same from tag and via branch in two different requests even if call-ID is different.
PI23787While using the B2bUAHelper the branch becomes longer when the UAS sends the re-Invite. This fix is to shorten the branch.
PI24850 Inbound 412 response not counted in PMI
PI26722SIP container splits the reason header into two headers due to a comma inside a quoted string
PI27022Print the levels of CICS modules to allow customer verification
IBM iPI26461On Japanese IBM i partitions, when console.log exists, server start fails.
Install V8 and abovePI31113Installation Manager requires accepting license terms twice to install the Liberty offering with additional assets.
PI33671Update legal license for IBM WebSphere Application Server V8.5.5.5
Intelligent Management ComponentPI32944Dynamic Routing to some application instances might fail when the application is installed in multiple clusters.
PI33067Liberty profile server may hang when using the scalingController feature
PI33071Auto scaling not monitoring host-level cpu or memory usage
PI33123Intelligent Management enabled WebSphere Plug-in does not route requests for Liberty servers with empty clone ID
PI33124"dynamicRouting setup" creates JKS formatted keystore instead even when,-keystoreType=PKCS12 parameter is specified
PI33793Scaling controller does not start a server to meet minimum instances when a host with capacity becomes available
Java Persistence API (JPA)PI16847Schema setting in the ORM file does not propagate to the generated sequences
PI18178NullPointerException in QueryKey.createKey using criteria with QueryCache enabled
PI19732 First JPQL with left join fetch for lazy loaded specified and data cache enabled. Subsequent does not get loaded.
PI20433JPA pagination is not working
PI24575Use of JoinColumn targets to another JoinColumn key exposed as an attribute causes a ConstraintViolation exception
PI26049OpenJPA PersistenceException: LongId cannot be cast to <class name>
PI35626ApacheValidationProvider class not found when using third party packages that utilize Bean Validation.
JavaServer Faces (JSF) SunRI implementationPI29457The jsf-2.0 bundle is unnecessarily declaring the org.apache.commons.logging.impl package as API.
JavaServer MyFaces (JSF) Apache MyFaces implementationPI27290Multi-window usage with server-side state saving throws a javax.faces.application.ViewExpiredException
PI30335Dependency injection of a JSF ManagedProperty comes after a @PostConstruct on Liberty Profile
JavaServer Pages (JSP)PI24001The JspWriterImp is not properly cleaning up resources in memory after a request completes.
PI29973Log the value of the jdkSourceLevel attribute used by the JSP container
PI30519Issue with duplicate JSP attributes
Liberty Administrative CenterPI33313Screen scrolls down to the bottom while typing in the input fields in deploy tool
PI34787Wrong message when deploying server package file located on the collective controller in Admin Center
PI34806Extra line shown in browser when going from the toolbox to any tool
PI34808Can not display server's actual status, always displays a straight line on monitor panel on Microsoft Internet Explorer
Liberty Application ServicesPI26941Installing and uninstalling an application many times causes OutOfMemory
PI27843Deleting and re-adding the same zip application to the dropins folder can result in an IllegalStateException.
PI30922The server does not automatically restart a running application after annotation-based metadata has changed
PI31351The description of the autoStart attribute on the application config element is misleading.
PI33384Value of context root configuration is silently ignored when not applicable
PI35537Inability to resolve JSP modules due to incorrect internal feature dependencies for javax.jsp
Liberty Debug and TracingPI35310Timed Operations which are not available are displayed as null.
PI35314isAnyTracingEnabled should evaluate object as a precondition then the primitive boolean type.
Liberty KernelPI20344Liberty embedded server writes .cache files to the incorrect location
PI28126NullPointerException or IllegalArgumentException thrown during runtime class scanning or class weaving.
PI28337FFDC error when updating configuration to remove a feature
PI28560Add httpDispatcher property to control padding of a 404 message.
PI28985WDT show "base instance from which to inherit context" under the main "Thread Context Propagation" section.
PI29210ManagedServiceFactoryTracker/BundleContextImpl throw IllegalStateException when server is being stopped
PI31002Error deleting configuration for context service
PI31143The default executor of a WebSphere Application Server Liberty Profile server can deadlock in rare cases.
PI31247Server takes 5% longer to start after moving the Liberty profile wlp install directory.
PI31531Invoking the 'server' script from a shell with the CDPATH environment variable set may fail.
PI31565If users use a script to run multiple install actions, they may not know which messages are for installing which feature.
PI32074NullPointerException in thread pool code occurs during server shutdown
PI32690Using symbolic links to applications outside of the WLP install directory could result in an IllegalStateException.
PI32778Feature jca-1.6, jms-1.1, and mdb-3.1 cannot be installed from offline local directory
PI32942Websocket client code can miss processing incoming data that is received immediately after HTTP upgrade response headers.
PI32943Spurious FFDC reporting javax.management.InstanceNotFoundException
PI33015Applications containing symbolic links do not always restart when the linked content is changed.
PI33376Server shutdown hangs when using the sessionDatabase-1.0 feature
PI33526collectiveMember-1.0 exposes third-party JAX-RS APIs
PI34128When Liberty profile starts from a cached state the logs do not indicate the features that are installed.
PI34335Incorrect lookup of provisioned public Liberty profile features
PI34797A CWWKG0074E error message might be unnecessarily generated when certain server.xml elements are not properly configured.
PI34969The SPI package com.ibm.wsspi.http references non-SPI types.
Liberty System ManagementPI32646Structure of collective repository has changed in fix pack 8.5.5.4
PI34002Unable to invoke file transfer operations on paths terminating with slashes on collective host
Liberty z/OSPI20582Application attempt to do authorization with SAF fails w/error code of 03008XXX (if SyncToOSThread is enabled)
PI26263The OLA load modules shipped by z/OS Connect Liberty Profile V8.5.5.2 are not compatible with same modules in WebSphere Application Server 8.5.5.2
PI26630Liberty Profile on z/OS supports LDAP but does not propertly map LDAP identities to SAF-based Ids
PI26950Message "IRR012I Verification Failed. User profile not found"
PI27338Wildcards are not allowed in service URLs for z/OS Connect on z/OS Liberty
PI29459Storage leak of ACEE objects in native storage when using zosSecurity-1.0 with certificate authentication
PI29823Excessive contention of the MVS local lock is seen when using WOLA in WebSphere Application Server for z/OS Liberty Profile.
PI31147Requests fail when Driving requests through z/OS Connect using data transformation.
Performance Monitoring ToolsPI31214ServletStatsMXBean is reporting errorneous data when thread terminates.
SecurityPI27787Cannot encode password with leading/trailing spaces
PI27898JaasLoginContextEntries with same name causes wrong behavior.
PI31523NullPointerException when specifying both OAuth20Mediator and data source in oauthProvider
PI31809CWWKE0701E when security ID value is null
PI33008Privilege escalation with IBM WebSphere Application Server Liberty profile
PI33281Making the information returned by the certificateUtility to include the SubjectDN the certificate was created with.
PI33357Privilege escalation vulnerability with Run-as user for EJB
PI35581Possible performance degradation when doing programmatic login.
Systems Management FunctionsPI30931Avoid creating member node path when cluster name is empty or null.
PI30985On z/OS environment, ServerCommandMBean failed to make remote connection as it used wrong encoding when is reading ssh key.
PI34003Under some conditions, a request to the CollectiveRepositoryMBean exceeds a time out and results in a null pointer exception.
PI34011After recovery from a failure Collective Repository Report: not ready
PI34012Collective controller unable to establish a TCP connection with its replicas
PI34184Adding or removing an application does not always reflect the correct final state of the application.
PI34417Message CWWKX8000E can be erroneously logged when a collective member loses its connection to a collective controller
PI34486Under extreme load, the controller cannot service all of the incoming http requests.
PI34573java.io.IOException: The filename, directory name, or volume label syntax is incorrect
PI34796Add National Language Support (NLS) for the default post transfer action.
PI34982Provide backward compatibility for admin metadata publishing
PI35001Repository monitor could not get service from repository member
PI35166Prevent a multi-replica collective controller replica set from reaching an inconsistent state in the data under rare conditions.
PI36241Server package deploying using host credentials failed with an ArrayIndexOutOfBoundsException
Virtual Member Manager (VMM)PI27333Property case sensitivity is not handled properly in search expression.
Web ContainerPI15886An invalid cookie name causes an IllegalArgumentException to be thrown.
PI23529ServletConfig returns null on empty mappings list
PI26908Error page handling is broken when the web application is CDI enabled.
PI28910ServletRequest.isAsyncStarted() incorrectly returns false on a thread after AsynContext.dispatch() has been called.
PI29275A java.lang.NullPointerException occurs when attempting to add a listener programatically that does not exist.
PI29820Liberty profile SSL client certificate authentication does not work with IBM HTTP Server
PI31038An IllegalStateException is thrown on calling setWriteListener when getOutputstream is called from the readListener.
PI31717ServlerResponse.flushbuffer() does not work correctly.
PI34052When running an upgraded request the application cannot run a JNDI lookup.
PI34145Do not Invoke onAllDataRead() once onError() is called from ondataAvailable()
PI34857Need Plugin log file location as part of server.xml pluginConfiguration stanza
Web Services (JAX-WS, JAX-RS)PI22432java.lang.NullPointerException in JaxWsInjectionMetaDataListener interface
PI27318Applications using Apache Wink on WebSphere Application Server Liberty generate spurious ICH408I messages noting insufficient authority for guest user ID
PI30173JAXRS1.1 declares 2 APIs and 1 SPI, but the packages are not encountered at runtime.
PI31063There are no jars for javax.wsdl.* packages under the dev folder, although they are declared as spec API in the jaxws-2.2.mf.
PI33107Upgrade Apache http client to the latest version 4.3
PI33130@HandlerChain annotation cannot work with @WebServiceClient annotation
PI33206Liberty profile wsdlLocation attribute not working together with jax-ws-catalog.xml
Web Services SecurityPI32329Access token not deleted in database when using custom mediator class
PI32912ResourceOwnerValidationMediator.init() is never invoked
PI33202Potential privilege escalation with OAUTH2
WMQ messaging providersPI19361Application server failed to start because transaction recovery failed
PI29167EBA start issue due to OSGi framework NullPointerException in Liberty Core
PI34587XmlPullParserException when Liberty profile is configured with a local bundle repository
 

Fix pack 8.5.5.4
Fix release date: 8 December 2014     
Last modified: 4 December 2014     
Status: Superseded     

Download Fix pack 8.5.5.4
Component
APAR
Description
Contexts and Dependency Injection (CDI)PI18530Interceptors are ignored on generic methods defined in an interface and then overriden in a subclassi
PI25563CDI issue is observed when an application is deployed with ScheduledExecutorService scheduled tasks
PI26680CDI application gets error: passivation capable beans must satisfy passivation capable dependencies
PI32674On extremely rare occasions a concurrent modification exception may be thrown during resource injection.
DynaCachePI24250Error appears in message log using WebSphere Development Tool (WDT) generated cachespec.xml.
PI28117Message observed message.log DYNA0044E: XML parsing warning: cvc-elt.1 when using a WDT generated cachespec.xml
PI28487Apichk errors in distributedMap-1.0 and webCache-1.0
PI28503distributedMap does not inherit properties of baseCache
PI28507ExternalCacheGroup does not work in distributedMap-1.0
PI31235DynaCache does not delete OSGi configuration of application defined caches when the application server is stopped.
PI31236Web caching does not support cachespec.xmls generated by WebSphere Developer Tools (WDT)
EJB ContainerPI23290EJB sessionContext.getCallerPrincipal() call not working in asyncbeans
PI25789Reference binding fails for a service that implements an interface but does register it
PI25888EJB container error scenarios should be improved
PI26025Reference and injection error scenarios should be improved
PI31041Adding an activationSpec or admin object for a started MDB fails intermittently
PI31045persistence.xml fails if property names contain leading or trailing whitespace
PI31046Extended persistence contexts are not joined to container-managed transactions
IBM iPI26623server start status message is missing process Id on the IBM i platform
Install V8 and abovePI28168Update license notices files for Liberty Profile
PI31174Improved the warning messges for invalid features that fail to be installed using the featureManager command.
Java 2 Connectivity (J2C)PI28115Resource adapter installation is aborted prematurely during shutdown, leading to other problems
PI31210Applications can be started before connection factories and administered objects from standalone resource adapters are ready.
Java Persistence API (JPA)PI28881Some l10n feature names are missing information
JavaServer Faces (JSF) SunRI implementationPI25638JSF MyFaces WebSocket issue
JavaServer MyFaces (JSF) Apache MyFaces implementationPI27409JSP and JSF TLD jar export-package and version Issues
PI32405An UnsupportedOperationException is encountered when initializing an eager application-scoped JSF ManagedBean
JavaServer Pages (JSP)PI12666Getting the IllegalStateException: component with duplicate ID message when using the shipped MyFaces 2.0
PI18404The JSR 303 implementation of BeanValidation cannot be configured as expected.
PI18025JSPG0046E: Unable to locate tagfile
PI25445A performance degradation can occur under heavy load for applications using the EL
PM81849Issue with JSP tag file compiled into invalid package/class name
Liberty Application ServicesPI20988Problems when running the server package command
PI23168java.lang.ClassNotFoundException in data sources after upgrading to Liberty Profile V8.5.5.2
PI24221Application name or module filename containing the # character fail unexpectedly
PI24783Setting classloader delegation mode to parentLast can result in JNDI lookup failures
PI25838Application archive errors are unclear
PI26102The javadoc for the com.ibm.wsspi.resource package is missing
PI26149FileNotFoundExceptions when file paths include spaces.
PI27080Message with prefix CWWKC0044W may be missing an insert.
PI27366Need to throw NameNotFoundException for invalid names for parity with full profile
PI27414Javadoc needs improvement
PI27693Javadoc changes to make methods use correct list structure
PI28245StateChangeException: CWWKS9110E when changing application deployment
Liberty Debug and TracingPI20149Access logging shows incorrect time taken to process the request
PI20363Error message enabling trace specification in runtime even though the trace specification is valid.
PI21485StackOverFlowError or Infinite loop using HPEL logging.
PI26064Logging needs to be improved
PI26811Logging of Throwable parameter for which getStackTrace() returns null fails
PI26813When e.printStackTrace() is called, the output can be missing some lines of user code
PI27085Expose logging SPI
PI27291Binary log attribute cleanup
PI32852HPEL API not visible from applications
Liberty KernelPI22215Liberty profile server uses excessive CPU when TCPIP is stopped
PI25220Need improved messages for common parsing failures
PI25283Potential hang in server stop
PI25294Port listeners can be restarted twice when configuration is updated
PI25376Versioning of repository content does not work so any breaking changes to the data breaks old clients
PI25530Error message when you try to install a feature from the Liberty repository does not indicate the first failure
PI25861Path arguments to the featureManager tool are always relative to install directory
PI25863Errors in command-line utilities
PI25869Incorrect processing of configuration elements in the server.xml configuration file
PI26034Toleration for Java 7 and 8
PI26041Kernel programming interfaces should be improved
PI26048Kernel error scenarios should be improved
PI26065The server command needs to be improved
PI26079The handling of MIME types needs to be improved
PI26810NullPointerException in HandlerHolder line 240 during server shutdown
PI27073ProductUtility validate outputs errors multiple times
PI27210Deployment of a large application with very detailed trace enabled may cause a tracing loop
PI27213Running the ws-productutil.jar version command on z/os results in a missing property error.
PI27294NullPointerException in ConfigSigner
PI27296Minifying an empty server and installing an ESA feature causes a NullPointerException
PI27299RuntimeException: Invalid call to WsByteBuffer method. Buffer has already been released.
PI27413Liberty profile steals focus on Macs
PI27415Unable to find out which configuration attributes can be overridden by variables
PI27418Workarea paths too long
PI27431Avoid extraneous warnings and errors during configuration processing
PI27558Tolerate Equinox osgi.clean property
PI27697Intermittent IllegalStateException in AtomicServiceReference
PI27702IllegalStateException in FeatureManager
PI27737Server dump does not include shared configuration files
PI28120Private features are allowed to be included by features from different Liberty profile product extensions.
PI28124Application reports java.io.IOException: Exception in opening zip file,
PI28125OSGi application can fail to start with java.lang.Exception: ORPHANED,
PI28154Insufficient error messaging for ServerLock waitForStart()
PI28265Intermittent exceptions in org.apache.felix.scr.* classes
PI28380Need improved error messages for file permission problems
PI28382Liberty profile server incorrectly allows 2 data sources to be configured with the same JNDI name
PI28546Suppress erroneous error messages during server shutdown
PI28547NullPointerException in ThreadPoolController during server shutdown
PI28551Default landing and some error pages provided by the server load slowly.
PI28776Fix several kernel issues
PI28780Incorrect class name in error reporting from DynamicVirtualHost
PI28880NullPointerException during shutdown while updating features
PI28894Liberty embedded server fails to notify the user if the server fails to start
PI29008Feature display labels are translated into local language
PI30972ClassNotFoundException: com.ibm.ws.kernel.productinfo.ProdctInfo when using featureManager
PI31047The install directory cannot contain a plus sign
PI31059The server start command sometimes uses jvm.options for non-server processes
PI31165java.util.concurrent.RejectedExecutionException when default executor is dynamically updated
PI31266CWWKE0701E java.lang.ExceptionInInitializerError thrown from [com.ibm.ws.http.internal.VirtualHostImpl((79)]
PI32649Auto features that required an iFix were not previously installed by the featureManager install command but now are
Liberty System ManagementPI28128Pax archives not supported in file transfer upload through a collective
Liberty z/OSPI19688Outbound service from WSAS to CICS via WOLA hangs
PI23547When REU=Y some requests to override a link succeed when all should fail
PI24444WebSphere WOLA API calls failing with abend BBOX in CICS for CICS TS 5.2
PI24692The WOLA three-part name allows mixed case while the CBIND class profile they must match requires upper-case
PI26809java/lang/StackOverflowError with loop in ntv_mapDirectByteBuff
PI27687java.lang.IllegalStateException: Native service for RRS transactional support is not active or available
PI28915CWWKB0227E message should be more accurate
PI30941An FFDC reporting a CTX4SWCH RC=368 is generated during server shutdown.
Messaging ProvidersPI28278Enabling Messaging Security may cause com.ibm.websphere.sib.exception.SIResourceException: uniqueUserId is null
PI28473Fix usability defects in JMS
Performance Monitoring ToolsPI28558Monitor attribute cleanup
PI28567Application deployment occurs before all the system bundles are started while removing the monitor-1.0 feature
PI28572When SUN Java is used for Liberty server, the processCPUUsage metric does not report the right CPU usage
PI32796ClassNotFoundException occured while querying monitoring data with traditional PMI Mbean (Perf MBean)
Plug-inPI27023Intelligent Management enabled WebSphere Plug-in stops routing after an application is removed and added.
SecurityPI08268Information Disclosure in WebSphere Application Server
PI17688WASReqURL cookie might be overwritten if multiple login processes are performed
PI17836CWWKS4106E: LTPA configuration error when setting keysPassword in the server.xml,
PI25808Principal names or unique IDs containing special characters are not handled properly
PI25813Fix double-encoding of "state" parameter in OAuth flow
PI25819Parameter order should not matter for securityUtility command line tool
PI25834Exception could be thrown getting user registry during shutdown
PI25843Cancel button on default OAuth/OpenID Connect consent form pages does not work
PI25853Possible race condition could prevent access to keystore
PI26165The periodic Authentication Cache cleanup stops under certain OSGi DS timing conditions
PI26166Improvements to Javadoc accessibility for security SPIs and APIs
PI26513Change to make sure the RC4 ciphers are not used by default.
PI26514Improve the processing of multiple SSL configurations
PI26947User registry updates: Add getUsersForGroup method, do not require a user registry with appSecuirty-2.0 feature
PI26962NullPointerException from security collaborator
PI27195Intermittent SSL problem where the keystore information seems to be missing.
PI27775Remove unnecessary FFDC data while stopping the user registry
PI27778Support Japanese CP1399 codepage on z/OS
PI28061Add an option to track logged out LTPA tokens on a server so they cannot be used login on that server again
PI28127A Trust Association Interceptor cannot commit an HTTP servlet response to send a redirection
PI28264Expired tokens not cleaned from the token cache
PI28371Fix issue with OAuth/OIDC consent no longer being cached
PI28395User registry service is not ready for service and it causes creating the LTPA key to fail
PI28432Fix NPE during authorization.
PI28600Warning message CWWKS9112W may flood the logs when a security-role does not have valid run-as configuration
PI29911Potential Information Disclosure with Liberty profile servlets
PI31385Meta type is wrong for token limit per user and client
PI31388The OIDC and OAuth response on HTTP needs to be URL Encoded
PI31396An OAuth error message was hard-coded and did not exist in the message file
PI31415No message indicating OAuth endpoint service has started/is ready
PI32465Inconsistent behavior when OAuth20 configuration contains more than one identical filter.
Session Initiation Protocol (SIP) ContainerPI10457Allow configuring response code when a non-confirmed session is invalidated
PI14132SIP container does not handle error case where a UA uses the same to-tags in different responses.
PI17820SIP custom property dip.no.route.error.code is ignored if the application is down
PI18729SIP transaction is not being destroyed when application is un-deployed because of a timer
PI20221SIP container removes data from reason header if it contains white space
PI20350Unable to add Require: precondition to reliable 18x response
PI20505Negative PMI counter
Systems Management FunctionsPI26676Collective messages improvement
PI26678Singleton service fixes
PI26826Resolved multiple Frappe service registry and utility problems
PI26840Resolve multiple collective repository test failures
PI26843Resolve multiple collective member test failure problems
PI26848Failed to remove cluster member
PI26855Resolve multiple collective replica problems
PI26858Security utility writes XML files using default charset without XML declaration
PI27277Collective MBeans better report errors that occur when dependent services deactivate while in use.
PI27588Remote file transfer via collective controller not working with backslash path on Microsoft Windows
PI28123Extra information in log file
PI29528Wrong cluster member is being removed during startup of a different cluster member within the collective.
PI31359Resolved multiple Collective replication service issues
PI32466Resolve multiple collective repository issues
PI32474Resolve multiple collective singleton issues
PI32622Failed to deploy zip to a remote host
Virtual Member Manager (VMM)PI25203Propagation Login via external LtpaToken2 cookie does not create correct SecurityName when using Custom LdapRegistry
Web 2.0 and Mobile ToolkitPI24470 Update to IBM Dojo Toolkit (idt) version 1.10.0
Web ContainerPI08280Tag file is not found in loose configuration deployment
PI20210Request's parameters can be modified by the application (via string object modification).
PI20514If servlet init() method throws an exception then the remaining servlets in the web module are not initialized during startup.
PI22830404 not found error generated for a request without trailing slash
PI24225The servlet name was not output in the SRVE8500W message.
PI25531FFDC might be thrown by a filter when the server is shutting down
PI25625com.ibm.ws.webcontainer.webapp.WebApp.handleRequest NullPointerException
PI26080The configuration attributes for HTTP sessions should allow duration strings
PI26812ServletContext.getServerInfo() does not return version
PI26852Untranslated messages in the severe trace points
PI27348An empty string "" as the URL pattern of a servlet causes an unwanted 302 redirection and an exception
PI27361WebContainer Objects get nullified before final use, resulting in a NullPointerExceptions
PI27362The expected java.lang.IllegalArgumentException is not thrown when <distributable> element is added to web.xml
PI27372Call to getRequestDispatcher inside Filter init method causes an exception
PI27373General changes and updates to com.ibm.ws.webcontainer-8.0's metatype-mbeans.properties
PI27556Use of incorrect names in references in web.xml cause a NullPointerException
PI27557NullPointerException when there is an active request and the server is shutting down
PI28404Unable to generate a plugin-cfg.xml file when there is no http port declared in server.xml
PI28603ServletRequest.getRequestedSessionId() returns null for a client created jsessionId.
PI31004Cannot delete JSP using REST call
Web Services (JAX-WS, JAX-RS)PI22648PreDestroy method is not being called when class is to be destroyed
PI26093Info center documents use of LtpaAuthSecurityHandler, but we do not have this class available when using JAX-RS 1.1
PI26609The com.ibm.websphere.appserver.thirdparty.jaxrs_1.03 bundle cannot be resolved when loading jars under dev folder
PI26611If there are multiple path parameter in a resource method, there is only one path parameter generated in its corresponding wadl
PI27070Support third-party JAX-RS providers when jaxrs-1.1 feature is configured
PI28137Redundant error message might be displayed if user defines different URL mapping in web.xml for webservice endpoint.
Web Services SecurityPI26957Cannot resolve com.ibm.websphere.appserver.thirdparty.wssecurity_1.0.1 bundle when using only wlp/dev directory.
PI26959Cannot read local cache file used in web services security configuration
WMQ messaging providersPI12571WorkCompletedException occurs when importing transaction via JCA
PI16613NullPointerException in FFDC coming from RecoveryManager.preShutdown
PI19445OSGi EBA applications intermittently fail to resolve
PI25862The osgi.jpa-1.0 feature is inexplicably superseded
PI26314Various small bug fixes related to OSGi Applications
PI28889Transaction log is created in the wrong location
PI28983XAFlowBackControl L3 diagnostic facility enabled in Liberty
PI33257Revised com.ibm.wsspi.uow javadoc to document new override of runUnderUow method on UOWManager
 

Fix pack 8.5.5.3
Fix release date: 18 August 2014     
Last modified: 12 August 2014     
Status: Superseded     

Download Fix pack 8.5.5.3
APARDescription
PI05046No thread pool stats MBean available when checking the MBeans thru JConsole
PI05668Bottom-up web services fails to generate the WSDL on the Mac using Java 1.7 hotspot 64-bit
PI06904Issue with JSF and WSRP
PI07204VerifyError JVMVRFY012 using OSGi applications
PI08569404 happens intermittently in Portal/WCM
PI09148Redeploying OSGi apps without restarting generates a ClassCastException
PI09474Default webapp error page is not provided
PI09594Potential Information Disclosure with Exception handling
PI09596NoClassdefFoundErrors for a particular JSP servlet. Causes permanent failure of loads
PI09875Not all JVM javax packages are available to applications
PI09896SRVE0288E appears at server startup
PI09981Explicitly configured RDN properties are not retrieved for users during login.
PI10102Subsystem-content with type=file in product extensions does not resolve relative to product extension location using with minify
PI10300Honor the searchTimeout property for login
PI10769AJAX form update with PrimeFaces 4.0 not rendering correctly
PI10792OpenJPA FetchJoin does not always get the correct result.
PI11018FileTransferMBean.deleteFile(String) method cannot delete an empty directory as documented in the javadoc.
PI11348CWWKS3002E message might be logged while switching user registry.
PI11393UIComponent.findComponent ignores overridden method findComponent of a NamingContainer.
PI11569NullPointerException from a JSF MyFaces implementation
PI11628OptimisticLockException may occur when JPA application uses Timestamp in @Version field
PI11642CWWJP9992E: openjpa.Enhance: Error
PI11738Spring load time weaving does not work with Liberty profile.
PI11788Blueprint bundles using JPA fail to start.
PI12201Application is redirected to HTTPs port of the applicaton server instead of IHS server port when confidential is set
PI12245Inserting facets causes IllegalStateException
PI12399Liberty server productInfo validate script fails after interim fix is installed
PI12496EmptyStackException when accessing an Instance that is created by a producer method that has an InjectionPoint as parameter.
PI12546Setting com.ibm.ws.logging.console.log.level=off still results in one line of output
PI12549When JAVA_HOME environment variable is set, Liberty Profile server does not start
PI12737OpenJPA runs superfluous select statement when calling EntityManager.persist(..)
PI12939JSP gets re-compiled redundantly if the owner of the JSP class is different than server ID that runs the server.
PI13004Serviceability apar to enhance dynacache tracing.
PI13207Transactional listeners added too late to observe begin event
PI13291NullPointerException generated when trying to get a file with spaces using getResourceAsStream()
PI13560Problems updating an application after a bad EBA has been installed
PI13592Server start fails to create default server on IBM i
PI13616OpenJPA-2286 ArgumentException: Attempt to compare incompatible types.
PI13641The secure JFAP chain does not start on time
PI13914java.sql.SQLException when performing a JPA query
PI14007Persistence unit defaults are ignored when there is more than one "mapping-file" element in persistence.xml.
PI14034Problem handling CDI interceptors
PI14205Prevent NullPointerException during WebApp shutdown
PI14236Deliver common install for Liberty profile repository features
PI14290Remove temporarily deployed artifacts
PI14316Liberty Profile restConnector does not release file handle after a file upload
PI14340No option to set Secure attribute for WASPostParam cookie
PI14458Quick restart of a Liberty Profile server results in port already in use error condition on Linux
PI14513Parent naming-container not reflected in client-ID
PI14544Blueprint application startup deadlocks when using a bean for a reference-listeners and the bean uses the reference
PI14746Memory leak in J2C PoolManager due to reaper alarms not being cancelled.
PI14747Parsing of ibm-web-ext.xml might fail using some XML parsers
PI14841z/OSMF V2R1 generates spurious ICH408I messages on user login
PI15121Liberty Profile is locking certain war files on Microsoft Windows preventing the undeploy process.
PI15289Issue with validation of strings with escaped commas
PI15291The package command fails with message CWWKE0070W indicating an invalid loose configuration file.
PI15496A join operation halts when the resouces/collective directory exists, but is empty.
PI15513No default charset is specified for a post transfer join action
PI15549Invoking isClosed() on native JDBC connection results in NullPointerException
PI16286Controller flight recorder missing from server dump
PI16375UnrecoverableKeyException: Cannot recover key: Invalid password for file
PI16382CertificateUtility tool does not provide a parameter for the user to set the key size
PI16432REST connector error "Argument type mismatch" when using CompositeData with byte []
PI16626Basic authentication requests fail in Liberty Profile
PI16652Configuration support needed for z/OS Connect
PI16667Resource adapter stops immediately after it is started.
PI16669Liberty sets incorrect product registration values when running in CICS
PI16677z/OS local adapter support is missing
PI16678Abend 0C1 reported in Liberty Profile V8.5.5 when trace on and zosSecurity enabled.
PI16718java.lang.StringIndexOutOfBoundsException occurs when starting OSGi application
PI16751Help for "collective addReplica" does not explain "endpoint"
PI16845Install time for resource adapter or start up time for application is not formatted correctly for some languages.
PI16961Memory leak occurs for JAX-WS managed client if using ibm-ws-bnd to customize properties
PI16987Memory leak when WAB bundles are stopped and restarted
PI17042Unable to customize unique ID attributes for LDAP servers
PI17233The output of the --createConfigFile option for the collective command should use a variable rather than an absolute path.
PI17246The MBean information stored within the collective repository does not remove stale data across a restart.
PI17399The initial state of a joined or replicated server is not set for a new server registered to the collective.
PI17457Javacore file is packaged into the server dump in an incorrect encoding.
PI17600Collective members are unregistered unexpectedly.
PI17624The Apache foundation's CMS migration required modifying the xml schema namespace for OpenJPA extended ORM documents..
PI17634Liberty server may hang when using the AdminCenter.
PI17830Changing the configuration of shared libraries can result in NoClassDefFoundError or ClassNotFoundException
PI17879Liberty generateClusterPluginConfig operation creates a plugin-cfg.xml file with extra entries that are not need
PI18177Add additional check in session manager to remove incorrect cloneIds if HttpSessionCloneId property is set.
PI18279z/OS local adapter support is missing
PI18352VMM makes too many LDAP JNDI calls with ibm-allGroups configured.
PI18357Add serviceability message to indicate missing login page or error page for form login
PI18437Failure to switch RRS context onto thread
PI18467binaryLog command missing expected results on filtering based on IncludeMessage filter.
PI18548SSL context gets changed during execution of application, causing handshake issue between servers
PI19025ClassNotFoundException in Liberty Profile when traditional PMI is enabled
PI19123The output of ws-schemagen.jar is incorrect for some child elements.
PI19130Server package command does not handle relative paths gracefully
PI19143Plugin config generation fails when no applications are defined
PI19277z/OS Connect service configured serviceGroupingName entry is missing from SMF 120 subtype 11 records.
PI19790NullPointerException during a z/OS Connect's attempt to access HTTP request data after the asynchronous request timed out.
PI19830Provide stack trace in FFDC when response already committed (SESN0066E) scenario occurs.
PI19831Applications fail to start when running Liberty servers in embedded mode without the Java agent.
PI19843getUserDisplayName is not returning the correct result per the configured attribute for user display name
PI19845Stop time for server is not formatted correctly for some languages.
PI19901On a restart the controller can end up in a bad state and not be able to start up.
PI20025A server package deployed through admin center deploy uses the host's default name, and not the deploy target host name.
PI20027No MBean exists to identify which Liberty server is being used.
PI20170Improve error message for installing wrong edition feature
PI20176Admin center explore visual representation improvements.
PI20910java.lang.IllegalStateException: BundleContext is no longer valid when undeploying application
PI21284Weaker than expected security when installing features with Liberty Repository
PM96440Bad login performance for the user if its is member of more number of groups.
PM98767When using Data-Direct Connect JDBC Driver for Oracle, the connection cleanup fails
PM98768Using CustomDataStoreHelper, TestConnection operation on Network Deployment edition fails with exception
PM99129Injection of datasource into CDI bean does not work correctly
PM99163A tag file is not found when an application is deployed with the option "Run server with resources within the workspace"
PM99381WSAT transaction failed when using JDBC and JPA together

Back to top

Fix pack 8.5.5.2
Fix release date: 28 April 2014     
Last modified: 25 April 2014     
Status: Superseded     

Download Fix pack 8.5.5.2
APARDescription
PI11264Files without group write permission when installing from a group mode installation manager on z/OS
PI05059Fail to login to an application with SSLHandshakeException
PI05139Support certificate authentication to fail over to a form base logon
PI05324Potential Security vulnerability with JavaServer Faces (JSF) 2.0
PI05359Tag attribute creates unnecessary string objects
PI05419FeatureUpdate failure in zos Liberty profile
PI05509Change description of maxConcurrency property to convey more details
PI05525StringIndexOutOfBoundsException thrown when URI is not normailzed
PI05575java.lang.NullPointerException may be thrown from the JAXB unmarshaller under load.
PI05661Potential Cross-site scripting vulnerability on OAuth
PI05673OpenJPA persistence.xml parameter roundTimeToMillisec causes cut-off of milliseconds in dates
PI05703Race condition in Liberty profile server on z/OS
PI05749Application resources are shut down before the application when shutting down a Liberty profile server
PI05837@Inject into non-CDI managed instances can intermittently fail
PI05940Liberty profile fails to package core dump on Linux
PI05956Provide an option to disable running of 'ALTER SEQUENCE ... INCREMENT BY' statement for sequences
PI05977EJB-in-WAR injection (JAX-RS) causes a ClassCastException
PI06080CDI application fails to start with WebBeansConfigurationException when a decorator bean class
PI06211Liberty Profile on IBM i does not properly load classes via a symbolic link
PI06340An applied interim fix is not detected and is not available at runtime.
PI06613A controller in a multiple-controller replica set fails to start. It never produces the 6011i message.
PI06687The initial placeholder configuration is not canceled resulting in an unneeded file in the controller's fdb directory.
PI06699The collective utility gives incorrect directions when a controller is replicated more than once to the same server.
PI07519Criteria API creates INNER JOIN instead of the expected LEFT OUTER JOIN
PI07608JSF MyFaces NavigationHandler throws a NullPointerException if current ViewId is null
PI07636Error changing server application publishing option from loose to non-loose config when using Oracle JDK causes failure.
PI07726Unclear error message when authentication data fails for JMS activation specification.
PI07811Cannot use SSL termination
PI08109When servlets are running premature deactivation of DataSourceService causes hangs and app restart
PI08267Potential denial of service with XML parser
PI08333The generated report message for timed operation need to be updated
PI08354Timed operation junk collection
PI08401Liberty Profile does not find the applications HandlerChain.xml file
PI08455Running collective join in a non-English language the signer trust prompt does not accept the non-English confirmation options.
PI08462Incorrect misleading error message output when installing Liberty Profile extensions archive on a incompatibly licensed Liberty install.
PI08476Common install kernel for WebSphere Liberty profile repository
PI08496Support for disabling the console bundle with Liberty profile on z/OS (Liberty/CICS)
PI08641java.lang.ArrayIndexOutOfBoundsException when using restConnector.jar
PI08871Support installing artifacts from WebSphere Liberty profile repository
PI08874Conversion errors from JMX REST connector
PI09183Allow container managed authentication for database session persistence
PI09206Some ESAs have an empty line in the OSGI-INF/SUBSYSTEM.MF file which causes extended content installation to fail
PI09253Third party security integration in Liberty profile server on z/OS
PI09492500 error occurs if serializing a cache object to persist to disk fails.
PI09651NullPointerException from LogViewer command
PI09696Self-extracting jar created using 'server package --include=usr' fails with error Failed to find license agreement files
PI09715Should be able to set up ISA DC wherever you want when installing Liberty core.
PI09925Port conflict message is not generated on Liberty profile collective controller
PI09972Cannot enable timedOperations report dynamically
PI10049Base enablement for JCA support
PI10103Support Certificate authentication to fail over to a Form Base Login
PI10134Potential Information Disclosure
PI10294JSP compile errors due to regular expressions
PI10340Restore com.ibm.ws.session.service.SessionManager interface
PI10342There are permission errors when accessing resources in the server's workarea directory using application syncToOSThread
PI10505ClassNotFoundException when the ServleltStatsMxBean is accessed from the Liberty Profile JMX client
PI10925Access logging does not appear to be dynamic
PI11516Re-enabling the HttpEndpoint on Liberty profile server does not work
PI11949WS-Adressing feature did not work correctly with JDK7
PI12051Pooled threads have unexpected context class loaders
PI12116Application reports java.io.IOException: Exception in opening zip file
PI12632Allow defaultHttpEndpoint host to be overridden without configuration change.
PI12926commons-upload.jar vulnerability
PI12983Web request failure due to a NumberFormatException while decrypting an LTPA token.
PI12984Collective member servers do not have read access to the collective repository outside of /sys.was.*
PI13273Creating the collective configuration writes to WLP_OUTPUT_DIR but reads from WLP_USER_DIR
PI14355Authentication errors when running under stress
PM43415Registering tag library in JSPx with default XML namespace causes a NullPointerException
PM62691Native Query with specified result class can throw NullPointerException when return data contains a null-valued column
PM81674ELexpressions are not evaluated when preceded by two backslashes
PM86470Timing window causing java.lang.IllegalStateException
PM87133Performance Monitoring Infrastructure (PMI) ActiveCount may be inaccurate when a session is accessed by multiple threads.
PM87880Slashes used in OpenJPA method EntityManager.createNativeQuery is removed in the resulting JDBC query
PM88291Transactions rolled back silently when coordinated by the UOWManager
PM89272Liberty Profile server opens extra listener on ephemeral port and localhost
PM89432Isolation level is not working properly for JPQL queries with nested sub-queries. It is generating incorrect query.
PM90293Session manager makes an unnecessary call to the database to retrieve session information when multi-row session persistence.
PM90626function publishEvent is called with UIComponent.class instead of source.getClass according to spec Java doc
PM90664NullPointerException when using AnnotatedType via ProcessAnnotatedType on @stateless EJB
PM91408Result of aggregate function max is 0 on empty table (instead of null)
PM91573CDI app fails to start with AmbiguousResolutionException due to how parameterized types are detected for injection
PM92677The cookie does not get set in the browser
PM92967Issues with download of files greater than 8gb.
PM92983Custom feature is not loaded
PM93750JPA finder cache does not account for dynamic FetchPlans
PM93829Async servlet lost original identity after resume
PM94033Incorrect locking behavior with JPA PESSIMISTIC_LOCK mode
PM94199Servlet <error page> processing incorrect for <error-code> <exception-type>
PM94792Exceptions are thrown if there is a new line after ${. The JSP does not load correctly.
PM95013Creating OAuth 2 custom mediator sees NoClassDefFoundError
PM95057GPF in Liberty Profile server in ntv_registerProduct
PM95097Poor performance using WMQ JMS in Liberty Profile server only
PM95110Liberty Profile throws IllegalStateException when browser closed connection.
PM95209Configuration validation for the repository client heartbeat and timeout do not report when the configuration is out of bounds
PM95293The url connection created when using the wsjar protocol does not properly implement the getContentLength() method.
PM95300When servers leave or join a cluster group no notification is printed in the log file.
PM95424Add secure flag to WASReqURL cookie for Liberty Profile
PM95534When the aged timeout is set beyond integer range a negative value is returned
PM95662The attribute 'ID' is not a recognized attribute for the element 'wasJmsEndpoint'
PM95964CWWKB0105E error when loading z/OS native code in a Liberty profile server.
PM96057No cache control headers were received from WebSphere Application Server OAuth.
PM96140Configuration in web.xml to load JSP during application initiation is not working.
PM96163JSPs with references to tag files fail with SRVE0777E
PM96235Unhandled exception during the initialization of the ServletContainerInitializer
PM96357OpenJPA: Version field returns NULL when explicity projected from a JOIN in select clause
PM96443Liberty Profile server starts despite port conflict failure in http endpoint/channel.
PM96445OpenJPA ExternalValue mapping works incorrectly with CriteriaAPI multiselects
PM96464NullPointerException thrown when determining the active user registry from the user registry service
PM96532Setting converterId breaks converter selection by type.
PM96613JSF.js: Calling JSF.getViewState() with a direct reference to a element throws an exception
PM96659Entity object instance generated by native SQL query may have null embeddable field
PM97023Console output for server start command does not currently indicate server startup failures.
PM97079Expose receive action permission for temporary destination queue
PM97228An exception can occur when an LTPA token timeout occurs and the CDI WebBeansConfigurationListener accesses the session
PM97353Compilation errors when a JSP contains an auto increment variable.
PM97510Stackoverflow in OpenJPA due to endless recursive calls in 'isLoaded'
PM97514Unable to associate different applications to differing HTTP endpoints
PM97549Liberty Profile for z/OS registers with IFAUSAGE using the wrong product owner.
PM98149Liberty Profile throws a NullPointerException from HttpDispatcherLink.sendResponse.
PM98238Inconsistent resolution of the variables in f:ajax@listener MethodExpressions
PM98245Liberty Profile web container does not destroy servlet when UnavailableException occurs
PM98301z/OS Liberty Profile server does not unregister with IFAUSAGE at server shutdown
PM98409NullPointerException occurred on Liberty Profile when performing programmatic isUserInRole check.
PM98421CData section in web.xml causes Liberty profile RuntimeException
PM98653Queries with a sort clause return fewer entries than the same query that does not have a sort clause.
PM98732Web services caching does not work properly dynacache changes the configuration value of required in components
PM99374JPA version field in a projection always returned as an integer
PM99378Allow Liberty profile to return jar URLs rather than wsjar URLs from classloaders.
PM99775Interim fixes do not apply new feature manifests
PM99783Batch update fails due to java.sql.SQLException: Unsupported feature and -2 return code from Oracle JDBC driver

Back to top

Fix pack 8.5.5.1
Fix release date: 11 November 2013     
Last modified: 10 November 2013     
Status: Superseded     

Download Fix pack 8.5.5.1
APARDescription
PM86094Liberty Profile fails to connect to LDAP when using SLDAP (SSL)
PM86131Error message CWWKS2910E with internal error code 0x02008002 may occur in stress environment with SAF security enabled.
PM90352SRVE0315E: An exception occurred: com.ibm.ws.webcontainer.webapp.web
PM98907Remove unneeded data in database analyzer and logs
 

Refresh Pack 8.5.5
Fix release date: 14 Jun 2013     
Last modified: 13 Jun 2013     
Status: Superseded     

Download Refresh Pack 8.5.5
APARDescription
PM73545Authorized handler for the HTTPs protocol not found.
PM77507OSGi applications using JPA can fail to start and issue no error messages.
PM78466Properties files in a directory in an ear file are not added to the classpath of a war inside the ear
PM78567java.net.MalformedURLExceptions are thrown when attempting to access URLs when multiple non-OSGi applications are installed
PM79227No property to disable the Liberty Profile Server welcome page
PM80457Server.xml is not honoring attributes for logging tag
PM82758Unable to retrieve list of users from LDAP registry when using getUsers()
PM82831Java.lang.NoClassDefFoundError during startup of Liberty Profile, shared library not available.
PM83557IllegalStateException while processing transactions.
PM83572Type2 datasource transactional="false" fails
PM84523CWWKC0060W for VT_CLASS_RESOURCE in WLP not documented
PM85517Message CWWKC0044W does not contain information necessary to debug problem
PM85520JSPs inside directories are not pre-compiled
PM85563FFDC reports contains excessive redundant information
PM85564EJB application exceptions not output to messages log
PM85565Unable to resolve included nested configuration located outside wlp\usr directory
PM85566IllegalStateException when removing transaction feature from the server configuration
PM85567IllegalMonitorStateException observed in trace incident reports
PM85568httpOnlyCookies configuration attribute not honored
PM85569Minor updates to transaction functionality
PM85570Configuration validation error when there is whitespace in empty elements
PM85571Configuration changes can be lost
PM85574JSP taglibs not available to the tools
PM85653Some HTTP requests are not served correctly
PM85656NoClassDefFoundError: com.ibm.ws.jsf.util.FacesMessages
PM85657Unexpected java.lang.IllegalArgumentException FFDC
PM86037SRVE8043E error when Liberty Profile is installed in path that has spaces
PM86263A web application throwing a RuntimeException prevents the servlet from being loaded
PM86268Application stop waits for 30 seconds when stopping server
PM86271Tools add wrong jars to client classpath
PM86272Extra information in trace.log
PM86273Untranslated message in log CWRLS0010_PERFORM_LOCAL_RECOVERY
PM86275Java.lang.ClassNotFoundException running SecurityUtility and ProductInfo commands
PM86277Some extra annotated fields are appearing in ffdc reports
PM86278File monitor returns duplicate entries for deleted directories
PM86279JPALookupDelegateImpl deactivate is not the inverse of activate
PM86281Error: Could not find or load main class when running isadc command
PM86285When using simple TAI Liberty Profile returns a 401 error when expecting a 403 error
PM86287System properties not applied over bootstrap properties
PM86288BundleException is thrown when there is only the beanvalidation-1.0 feature enabled
PM86289Throwing a RuntimeException from FileMonitor can stop all file monitoring
PM86290Translation error in help in French securityUtility
PM86291SecurityUtility fails with 0 exit value
PM86292Can not override the default JSP expression factory implementation.
PM86293Log message CWWKZ0019I incorrectly suggests the application is not completely started
PM86294JSP includes <%@include file="xxx.jsp" %> reports no error if file not found
PM86299Liberty Profile support for one way hash
PM86304REST connector client has JSONConverter marshalling problem for empty HashMap
PM86305Error CWWKZ0056E if there are spaces in the drop-ins location filename
PM86306Incorrect class version loaded by OSGi
PM86307productInfo compare does not take interim fixes on target into account
PM86308Running with session in memory and using the HTTP plugin, sessions may be lost
PM86309z/OS native launcher does not support PID_DIR and PID_FILE
PM86310OSGi application performance issue
PM86311State mismatch running Oauth with multiple iterations
PM86315Need to support the png mime-type by default
PM86316A dump or javadump action directed to a server with an empty --include= generates an incorrect error message.
PM86318Organize session config options into groups for Eclipse tooling
PM86319Server JMX connection fails if the network connection is changed while the server is started
PM86321Kernel launcher issues
PM86322A redirected HTTPs request with invalid port number receives a vague error message
PM86323ApplicationMonitor config element not dynamic
PM86324CWWKS2911E appears in logs 5 times for one error
PM86325Service difficulties due to bundle ordering issues
PM86326Excessive FFDC for BundleException
PM86328Inaccurate timestamps
PM86329NullPointerException in DropinMonitor.tidyUpMonitoredDirectory
PM86330Unconditional xx:MaxPermSize warning when using server script
PM86332Command "server start <server>" fails when umask is set to other than 000
PM86333Server.env does not override system.env if it contains an uncommented string in first line (liberty.env)
PM86334CWWKS security messages unclear
PM86336Tools show "Classloader Service" for the config entry for classloader
PM86337AuthCache sizes do not specify a valid range
PM86339Server config reports a nested element is removed when present
PM86342Default error page does not show HTML
PM86343Trace specification not using current format
PM86345NullPointerException in jpaemfactory.isOpen if EM factory not created
PM86346Applications attempt to start twice using RAD "RunAs" for JEE ear
PM86348The exception message was null when using unknown tags in server.xml
PM86349Keystore problem does not give a clear exception message
PM86350Improve message for missing data-source configuration
PM86353ABEND0EC3 with reason code 20F00400 in Liberty Server
PM86629Enable transaction logging to an rdbms
PM86635Application does not appear to have started
PM86636Server config application element type attribute picks up default from location attribute
PM86895java.lang.NoClassDefFoundError for javax.ws.rs.core.Application
PM87131Oauth could allow a remote attacker to obtain someone else's credentials
PM87412ProductInfo compare command output can be confusing when checking APAR inclusions.
PM87511NullPointerException when web.xml has a reference mismatch.
PM87603ExecutorService does not handle incorrect configuration nicely.
PM87604Missing JNDI feature diagnostic improvement
PM87718Improve performance for session database multi-row
PM87719Javax.faces.el.MethodNotFoundException: java.lang.NullPointerException
PM87724Improve values in generated plugin-cfg.xml file
PM88023Numerous FFDC files are being created for an exception.
PM88040Improvements to stack trace and logging

Back to top

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m0z0000001ipVAAQ","label":"Download Documents (Bulletins, iFixes, Fixpacks)"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;CD0","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Document Information

Modified date:
02 December 2025

UID

swg27043863

Page Feedback