IBM Support

Fix list for IBM WebSphere Application Server Liberty

Product Readmes


Fixes for WebSphere Application Server Liberty are delivered in fix packs periodically.  This is a complete listing of all the fixes for Liberty with the latest fixes at the top.

New fix pack numbering was introduced starting Fix pack for WebSphere Application Server Liberty is the first of a series of common Liberty levels that apply to both Version 8.5 and Version 9.0 of WebSphere Application Server on all supported platforms.


Release Date
Total number of APARs
Total number of Security APARs
Total number of Open Liberty Release Fixes
27 February 2024
30 January 2024
12 December 2023
14 November 2023
17 October 2023
19 September 2023
22 August 2023
25 July 2023
27 June 2023
30 May 2023
2 May 2023
4 April 2023
7 March 2023
7 February 2023
20 December 2022
22 November 2022
25 October 2022
27 September 2022
30 August 2022
2 August 2022
5 July 2022
7 June 2022
10 May 2022
12 April 2022
15 March 2022
15 February 2022
18 January 2022
3 December 2021
5 November 2021
8 October 2021
10 September 2021
13 August 2021
15 July 2021
18 June 2021
21 May 2021
23 April 2021
26 March 2021
26 February 2021
29 January 2021
27 November 2020
30 October 2020
2 October 2020
4 September 2020
7 August 2020
9 July 2020
12 June 2020
15 May 2020
17 April 2020
20 March 2020
21 February 2020
24 January 2020
13 December 2019 1 1 13
15 November 2019 8 2 19
18 October 2019 8 2 18
20 September 2019 6 1 9
23 August 2019 6 0 19
25 July 2019 4 1 14
28 June 2019 5 0 8
31 May 2019 3 0 8
3 May 2019
5 April 2019
8 March 2019
8 February 2019 11 1 24
14 December 2018
21 September 2018
29 June 2018
16 March 2018
21 December 2017
17 October 2017
13 June 2017
14 March 2017
13 December 2016
16 September 2016
24 June 2016
18 March 2016
11 December 2015
11 September 2015
26 June 2015
13 March 2015
8 December 2014
18 August 2014
28 April 2014
11 November 2013
14 June 2013
Fix pack
Fix release date: 27 February 2024
Last modified: 27 February 2024
Status: Recommended

Download Fix pack
APAR Security APAR Description
PH59680 Liberty server using ZOSLOCALADAPTERS-1.0 does not shut down after outofmemory error with ZOSAIO disabled
Open Liberty fixes:
Issue/PR Description
26680 bundle cannot resolve dynamically against the host bundle
26939 Delete lease when peer recovery is unnecessary
27290 [JPA 2.2] EclipseLink Deliver Issue #1981
27294 Memory leak in CXF caused by large number of PidInfo objects
27396 Handling of locked Transaction Log Lease Table needs improvment
27398 Server start fails on OS/400
27421 Resource adapter install fails due to ArrayIndexOutOfBoundsException
27588 EclipseLink for JPA 3.1 may encounter IllegalArgumentException Unsupported api 0
 Back to top
Fix pack
Fix release date: 30 January 2024
Last modified: 30 January 2024
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH55398 OLGH26221 Port MYFACES-4606 (Issuing Element Not Found in Request Parameter Map for Ajax Requests) to Liberty
Open Liberty fixes:
Issue/PR Description
25135 jakarta.el.ELException The class [...] must be public, in an exported package, non-abstract and not an interface
26342 ReactiveMessaging "CDI container is not available"
26831 Bad value in ApplicationManager config cause ApplicationManager service to fail
26832 Server should be able to reclaim its recovery logs on startup
26844 Deadlock reported in sipcontainer when proxybranch times out
27008 [PH55398] [OLGH26221] Port MYFACES-4606 (updated fix)
27062 CWWKC1101E IllegalStateException CWWKC1013E Unable to start task null because the component in application WEB that submitted it is unavailable
27080 Liberty SAML SP fails to generate response to the IdP initiated logout request
27093 mpMetrics-5.0 Feature Returns Response in ISO-8859-1 Instead of UTF-8 when Accessing /metrics Endpoint
27159 Upgrade Jackson 1.6.2 Dependency
27191 On z/OS server start from the bin directory fails
27204 Slow performance in DirectoryRepositoryClient
27208 Date format in log files includes an extra trailing space character with Java versions 20 or later
27249 PasswordUtil throws NullPointerException on certain input
 Back to top
Fix pack
Fix release date: 12 December 2023
Last modified: 12 December 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH57336 zosConnect failure in its XML or JSON parser
PH57878 IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-44487 CVSS 7.5)
PH57933 IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache Santuario (CVE-2023-44483 CVSS 6.5)
Open Liberty fixes:
Issue/PR Description
25467 A better error for the NullPointer we get if WithSpan is on the class level
26655 OpenAPI UI required fields have an extra character
26722 Microprofile Rest Client (CDI) mpConfig property "proxyAddress" not respected
26809 Lease timestamp not updated for home server when recoveryGroups and tran logs in a database is configured and database outage > couple of seconds occurs
26818 Processing dir files alphabetically does not match configDropins behavior
26846 JAX-WS After upgrade to WLP SOAP client generates a SOAP header part in the SOAP body
26893 Space in value of -D option in jvm.options breaks server package command
26911 Registered RestClientBuilderListeners are not called for injected rest client instances for MP Rest Client 1.x and 2.x
26942 Liberty startup script does not resolve symbolic link to bin directory
26943 NO_USER_REGISTRY message is not output properly
Fix pack
Fix release date: 14 November 2023
Last modified: 14 November 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH57110 Remove products with pid value of UNKNOWN
PH57261 [OLGH26375] Update the shared class cache URL used for non jar / zip files
PH57579 IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-46158 CVSS 4.9)
Open Liberty fixes:
Issue/PR Description
25786 Update to latest Expression Language 5.0 - 10.1.11
25962 Deadlock reported in sipcontainer when cancelling session in proxy mode
26332 Websocket Null Argument to OnMessage After DecodeException
26375 Stale class content used after updating application archives
26390 Port MYFACES-4628
26419 StackOverflowError when tracing jaxrs-2.0
26596 Memory Leak in
26609 CDI will not create an EJBDescriptor for archive containing bean-discovery-mode=none
26636 JAX-WS: @WebFault annotated Exceptions are not properly serialized as SOAPFaults on and above
26683 Component metadata is not present during CDI Startup events
Fix pack
Fix release date: 17 October 2023
Last modified: 17 October 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH55995 [OLGH26267] Login or Authentication may fail on Z/os when using the IBMJCEHYBRID provider
PH56266 [OLGH25997] Correction fix to PH42468 to remove delay in closing connection in Websocket application
PH56959 Null Pointer Exception when defining empty routing rule
PH57076 [OLGH26341] Failure at server startup of bundle COM.IBM.WS.SECURITY.TOKEN.LTPA
PH57263 [OLGH26357] Springboot 3 thin utility may cause NOCLASSDEFFOUND error
Open Liberty fixes:
Issue/PR Description
25759 Enable user to set CXF's useHttpsURLConnectionDefaultSslSocketFactory property for outbound JAX-RS Client Requests
11453 Potential leak caused by JSTL tags
25640 WithSpanInterceptor doesn't call instrumentation.end()
25781 Liberty cannot be immediately restarted after stopping with localConnector-1.0 feature on Windows with hotspot
25855 When two apps are configured with the same context root, neither is reachable
25997 Websocket close delay
26023 Liberty - 6% Performance Throughput Regression on MicroProfile 6 OpenAPI scenario
26054 CDI can throw NullPointerException if application startup fails
26076 Thread safety issues in may cause problems under load
26158 Telemetry-1.0 Disabled warning message
26216 Port MYFACES-4606
26221 Port MYFACES-4606 (Issuing Element Not Found in Request Parameter Map for Ajax Requests) to Liberty
26306 Fix Documentation for Supported Java versions
26341 CWWKE0701E bundle failure at server startup
26437 Packaging Springboot 3 application embedded with Open Liberty does not work
  Back to top
Fix pack
Fix release date: 19 September 2023
Last modified: 19 September 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH56334 Collective replica communication issue when using OpenJDK
Open Liberty fixes:
Issue/PR Description
22358 Update Social Login redirection processing
23732 startWinService & stopWinService default timeouts in server.bat script too short
25291 Return 400 status for invalid URI
25743 The shutdown order between CDI and EJB is not enforced
25759 Enable user to set CXF's useHttpsURLConnectionDefaultSslSocketFactory property for outbound JAX-RS Client Requests
25782 Calling stop on an already stopped server hangs for 30 seconds and then reports an error on WSL
25834 OpenLiberty with webProfile-8.0 logs messages saying it requires annotations in the jakarta.annotation namespace
25866 Unexpected end of file from server
25927 CWWKS1706E + CWWKS1739E errors occurs when minimal jwks data is provided by Identity Provider
25932 Absolute file paths fail with the file transfer API when running under servlet 6
25958 sed command in server script returning incorrect value on Solaris
25978 The SPI for registering CDI extensions and Beans will scan the entire archive without an extension
  Back to top
Fix pack
Fix release date: 22 August 2023
Last modified: 22 August 2023
Status: Superseded

Download Fix pack
Use OIDC Connect with the strongest flow for web applications using the Authcode with PKCE
APAR Security APAR Description
PH55940 Correction fix to PH53171
PH56004 IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737 CVSS 5.9)
PH56052 A bundle in an OSGi application with the following manifest header will fail to start
PH56063 OSGi applications compiled to Java 17 may fail to start
Open Liberty fixes:
Issue/PR Description
25193 Two inaccurate descriptions and one formatting problem in openidConnectProvider
25580 Non-daemon Liberty Timer threads preventing JVM shutdown in CICS (Java 17)
25632 MYFACES-4512
25646 Semicolon inside text parameter in Reason header will result in the sipcontainer dropping the request
25693 MYFACES-4611
25700 Potential memory leak in Liberty version of org.jboss.resteasy.plugins.server.servlet.ServletUtil
25712 NullPointerException when using app-defined javamodule data source for JPA
25804 Unable to make field private final int accessible when using Java 17
Fix pack
Fix release date: 25 July 2023
Last modified: 25 July 2023
Status: Recommended

Download Fix pack
APAR Security APAR Description
PH55130 Collective replica set is not able to communicate each other on AIX and IBM JDK8
PH55181 z/OS data is incorrectly collected for products with an UNKNOWN product ID
PH55442 Update REST API Discovery UI dependencies
Open Liberty fixes:
Issue/PR Description
19861 Concurrency errors when using same JWT access token for inbound propagation
21501 Update the jsf-2.3 feature to MyFaces 2.3.10
21502 Update the faces-3.0 feature to MyFaces 3.0.2
25111 MYFACES-4469 IllegalArgumentException occurs in occurs in FacesConfigurator.purgeConfiguration
25354 Update faces-4.0 to MyFaces 4.0.1
25368 GlobalOpenTelemetry is missing public methods
25429 WithSpan anotation does not work when name or kind is set
25457 Local host/port and remote host/port are reversed in message CWWKO0801
25479 Unable to make field long java.nio.Buffer.address accessible when using Java 17
   Back to top
Fix pack
Fix release date: 27 June 2023
Last modified: 27 June 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH53192 The /api/explorer URL from openapi-3.0 does not return the Content-Security-Policy header
PH54214 WOLA does not recognize IMS regions they are invoked with LOCKMAX=## specified
PH54373 IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867 CVSS 7.5)
PH54810 Liberty on z/OS ECSA storage used by server resmgr are not being released when server stops
Open Liberty fixes:
Issue/PR Description
23838 Invalidating a transaction user can lead to deadlocks in sipcontainer
23938 ExpirationTimer can cause deadlocks in proxy mode
23950 [JPA 2.2] EclipseLink Deliver Issue #1779
24752 Update Expression Language 5.0 to latest 10.1.8 version
24981 server version command ignores JAVA_HOME set in server's server.env
25017 Posting Form-Data with the new Jakarta EE 10 Multipart Support fails
25046 Liberty accesses readonly subject
25168 transport close timing issue when streams are closing and a close/goaway frame comes in
25210 DnsContextFactory not accessible in java 17
25212 Transaction Manager configuration options shutdownOnLogFailure, logRetryInterval and logRetryLimit should be published
25283 JSF Container's Application.getWrapped returns null
25316 Exception when doing trace statement bubbles up to the application
25351 OIDC check_session_iframe does not parse origin correctly when path is included in referer
25352 org.omg.CORBA.DATA_CONVERSION illegal char value for string
25402 Messaging secure CommsOutboundChain may be started with wrong sslOptions
Fix pack
Fix release date: 30 May 2023
Last modified: 30 May 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH53475 [OLGH24864] FRAME_SIZE_ERROR is generated when both http/2 and compression are used
PH54050 [OLGH25097] UI ADMINCENTER correction
PH54100 Use unauth service if auth service product registration fails
PH54173 Add Java 11 check to cacheDirPerm supported check
Open Liberty fixes:
Issue/PR Description
24577 Static fields leaked on application restarts
24599 [JPA 3.0] EclipseLink Deliver Issue #1823
24751 Update Expression Language 4.0 to the latest 10.0.27 version
24864 HTTP/2 max frame size exceeded when compression is used
24939 `requestTiming-1.0` causes elevated (or spiking) CPU performance due to the `SlowRequestManager`
24948 OIDC RP-initiated logout end_session should verify the id_token_hint issuer
24986 SSLHandshakeException occurs while closing HTTPConduit
25008 NullPointerExcetion or ArrayIndexOutOfBoundsException in SearchBridge when using custom input/output configuration
25010 EntryNotFoundException thrown in federated registries when using custom input/output configuration
25097 Update adminCenter
25152 Request Timing metrics not showing up with `mpMetrics-5.0` (when used with `requestTiming-1.0` feature
25169 295651: Concurrent persistent failover timers - server not releasing claim on scheduled task when unable to run it
Fix pack
Fix release date: 2 May 2023
Last modified: 2 May 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH50863 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998 CVSS 7.5)
PH52912 CWWKO1100E: The ScheduledExecutorService OSGi service is not available
PH53883 IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482 CVSS 5.3)
Open Liberty fixes:
Issue/PR Description
24585 Insufficient Infinispan cache creation for Liberty httpSessionCache
24004 Allow more output to response following exception in forward based on wc parm
24323 SIPcontainer should stop parsing non-utf8 characters when acceptNonUtf8Bytes is set to false
24469 Java 11 NoSuchAlgorithmException SHA1PRNG when FIPS enabled TS012071744
24565 RegistryHelper.getUserRegistry throws an IllegalStateException if no user registries are present
24578 Application can't recover from exceptions thrown during startup
24598 [JPA 2.1] EclipseLink Deliver Issue #1823
24683 Port MYFACES-4594
24730 Cleanup non-daemon threads at the server shutdown
24793 JSP Options to pick up web-ext jsp-attribute values on start up (honor disableTldSearch to improve app start up time)
24804 Encrypted value for internalClientSecret within oauthProvider does not work
24915 Server hangs at startup when enabling trace specification*=all
24938 SOAP 1.1 Web service request to SOAP 1. Provider acting as gateway fails when wsAtomicTransaction feature is enabled
24955 PH53918 UnsupportedOperationException is thrown after upgrading to or later
24958 Configurable option for FileUpload
Fix pack
Fix release date: 4 April 2023
Last modified: 4 April 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH52888 NullPointerException in Singleton EJBs as JAX-RS sub resources
PH53171 Fix Collection replica communication problem on AIX and IBM Semeru
Open Liberty fixes:
Issue/PR Description
24092 Aborted managed connections invoking endRequest and end are causing problems in JDBC driver code
24223 Monitor-1.0 returns strange values for standard deviation
24444 JAX-RS NPE in Singleton EJB Sub Resource
24462 Cleanup any asyncServlet non-daemon threads at the server shutdown
24465 JDBC DB2 values for queryDataSize need to be updated
24543 OIDC client issue in cluster environment, starting version
24566 AcmeCA feature with revocation enabled can fail to initialize on certain OS and JDK combinations
24584 pluginUtility merge action generates incorrect output for some inputs
24585 Insufficient Infinispan cache creation for Liberty httpSessionCache
24631 Fix ClassCastException during the de-serialization of CDI Injected Event
24651 Liberty Server hangs randomly
 Back to top
Fix pack
Fix release date: 7 March 2023
Last modified: 7 March 2023
Status: Superseded

Download Fix pack
Idea Description
LIBERTY-I-40 Add timeout option to server stop command
TWAS-I-43 Admin Center support for datasource configuration validation
APAR Security APAR Description
PH52074 [OLGH24157] Validate header names
PH52079 IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787 CVSS 5.5)
PH52095 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364 CVSS 9.8)
PH52167 [OLGH24077] DoNotAllowDuplicateSetCookie property not working
PH52364 Check file existence before delete
PH52713 Feature resolver may pick multiple versions of the same singleton feature
Open Liberty fixes:
Issue/PR Description
16007 Runtime injection of detailed method trace fails for a CDI bean
23410 UnrecoverableKeyException occurs when using WS-Security Callback handler on Liberty
23676 Transaction manager unavailable when stopping resource adapters during server shutdown
23954 The authCache->cacheRef and webAppSecurity->loggedOutCookieCacheRef server configuration elements are not included in the documentation
23976 Add option to support old format of start-info in multipart/related SOAP messages
24001 Fix configuration attribute name used in CWWKS1738E message
24007 server dump command fails in WL on IBM i
24047 Memory in when creating thread context class loaders
24048 Possible performance issue in
24056 Batch-2.1 feature content is active even when configuring batch-1.0 or 2.0
24077 DoNotAllowDuplicateSetCookies http channel config option is not working
24155 Memory leak in JaxRsFactoryImplicitBeanCDICustomizer
24157 Validate HTTP header names
24293 Scheduled Futures leak resources from Managed Executor Services on application stop
24371 Server fails to start due to conflict on servlet feature
 Back to top 
Fix pack
Fix release date: 7 February 2023
Last modified: 7 February 2023
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH49341 A race condition of transaction timeout could leave an indoubt transaction at RM side
Open Liberty fixes:
Issue/PR Description
22434 Race condition of transaction timeout could leave an indout transaction at RM side
23273 Scripts do not respect the enable_variable_expansion indicator in server.env
22786 PKCE parameters not copied by oauthForm.js
23392 Stopping liberty Windows service immediately after starting results in hang condition
23425 A syntax error in JSP compile should consistantly output error JSPG0077E
23567 decode url query string before final redirection of the originial request
23582 Messaging client hangs during shutdown
23583 [] Unmarshaller error when Unmarshaller obtained [from pool]
23613 Intermittent NPE at
23690 JTOpen Toolbox driver 11.1 JDBC connections fail from Open Liberty to IBM i
23748 CDI Shared Library bean visibility problems
23771 IndexOutOfBoundsException can occur during a resource outage.
23782 JDBCDriverService; issue with Boolean parameters
23883 Default keystore file not getting detected on file monitoring
23885 Use mininum jdkSourceLevel of 1.8 for JDK 20+
Fix pack
Fix release date: 20 December 2022
Last modified: 20 December 2022
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH49482 HttpSession options issue
PH50057 Connecting a member to a Controller Replica fails
PH50342 IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)
PH50815 Check for webenab products before removing product marker
Open Liberty Release fixes 
Issue/PR Description
22405 OidcClientImpl does not properly declare a dependency on SecurityService
22738 SSLContext defined in ClientBuilder.newBuilder().sslContext(sslcontext) not preserved with restfulWS-3.0
23146 JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() return incorrect version
23273 Scripts do not respect the enable_variable_expansion indicator in server.env
23310 Additional fixes for JSR375 (javasec) Decorator and Alternative
23326 Liberty default HttpAuthenticationMechanisms do not call HttpMessageContext.responseUnauthorized
23403 HTTP/2 Intermittent server quiesce failure when stream is closed with an exception
23462 NullPointerException in
23478 NullPointerException in InstallFeatureAction for .esa files
Fix pack
Fix release date: 22 November 2022
Last modified: 22 November 2022
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH49719 IBM WebSphere Application Server Liberty is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734 CVSS 7.5)
PH49876 zosConnect failure in XML or JSON parsing
PH50062 MDB class leak on application stop
PH50353 Updates to usage metering to set protocols and ciphers for the connection
Open Liberty Release fixes 
Issue/PR Description
21808 Provide a way for Custom User Registries to use the uniqueId instead of the securityName
22771 In SIP headers, need to handle encoded values (%xx) while not causing error on valid Tag formats ending with %
22865 Datasource changes are not propagating to JPA during dynamic config update
22909 MDB class Java heap leak on application stop
22918 Intermittent NPE at
22933 MP JWT 1.2 and 2.0 TCKs won't run at
22963 lacks a file
22965 Generating ssl key for FilterServer, when running FilterConfigTest takes too long
23017 MP Reactive Messaging: NullPointerException during Kafka partition rebalance
23031 Failed to parse Created TimeStamp in UsernameTokenValidator
23059 Uses constraint violation for org.joda.time packages
23183 EJB Handle deserialization fails with org.omg.CORBA.TRANSIENT: attempt to establish connection failed
23186 IdentityStore validate method not getting called for BasicAuthentication request
23225 IllegalStateException in dynacache when app server is stopping
23252 AmbiguousResolutionException when same class is present twice and certain features are used
  Back to top
Fix pack
Fix release date: 25 October 2022
Last modified: 25 October 2022
Status: Superseded

Download Fix pack
APAR Security APAR Description
PH48467 java.lang.ArrayIndexOutOfBoundsException is thrown when purging data while shutting down a connection
PH48810 IBM WebSphere Application Server Liberty is vulnerable to a Denial of Service due to Neko HTML (CVE-2022-24839 CVSS 7.5)
PH49305 Multiple values in request header "X-Forwarded-For" not logged
PH49341 A race condition of transaction timeout could leave an indout transaction at RM side
PH49933 Servers using Intelligent Management intermittently fail to pulbish application endpoints
Open Liberty Release fixes 
Issue/PR Description
22303 On z/OS running Java 11 a FFDC with caused by AttachNotSupportedException occurs when feature localConnector-1.0 is specified.
22361 Cannot start Jenkins 2.346.3 with Java 17 when using AD authentication
22397 MYFACES-4450: tabindex not rendered for outputLabel
22434 A race condition of transaction timeout could leave an indout transaction at RM side
22584 is missing in the Liberty images
22660 java.lang.ArrayIndexOutOfBoundsException when PurgeDataDuringClose=true
22688 HTTP Access logging need to log multiple X-Forwarded-For headers
22721 Update nekohtml version used in openid-2.0
Fix pack
Fix release date: 27 September 2022
Last modified: 27 September 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Channel Framework PH46816 IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to HTTP header injection (CVE-2022-34165 CVSS 5.4)
Intelligent Management Component PH47454 Error 503 returned from ODR after an application update with the war name changed while the ear file name stays the sam
Liberty z/OS PH49234 Attach fails on z/OS running with Java 11 when a started task is used to start a server specifying the localConnector-1.0 feature
Open Liberty Release fixes 
Issue/PR Description
20599 JDBC connection not validated when numConnectionsPerThreadLocal is used
21340 [JPA 2.2] EclipseLink: Deliver Issue #1245
21805 Removed hideMessage logging attribute not dynamically picked
21914 JobOperator.getRunningExecutions output includes job executions that aren't running
22189 Missing NLS strings for allowAuthenticationFailOverToAuthMethod options
22221 Session timing issue during server shutdown
22227 Yoko marshals null fields incorrectly when the field is declared as a non-serializable class
22347 FFDCIgnore not honored on or after
Fix pack
Fix release date: 30 August 2022
Last modified: 30 August 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH48187 LTPAToken validation failure for users with space characters in the user name caused by PH47867
Intelligent Management Component PH48622 DynamicRouting utility fails parsing commandline
Liberty z/OS PH48202 Unpredictable results when cancelling the angel process without registered Liberty Servers first
Open Liberty Release fixes 
Issue/PR Description
21126 Update GSON library dependency to 2.9.0
21666 java.lang.IllegalStateException: Subject is read-only from WebAppFilterManager.invokeFilters
21737 Combine with MicroProfile OpenAPI: Example of date-time in Schema cannot display this format "YYYY-MM-DDTHH:mm:SSZ", will report "OrderedMap" or this "YYYY-MM-DDTHH:mm:SS.MSZ" format
21837 LTPA SSO failure for certain usernames
21845 featureUtility - Not decoding repository passwords when executing
21858 Multiple protocols not always getting honored with the IBMJDK
21880 OpenAPI 2.0+ throws error at startup
21937 MP Fault Tolerance 1.x can log an FFDC when a method times out at the same time as it completes
21955 Liberty does not provide exported packages for java.* packages at runtime in the OSGi framework insteance
21973 Expiration fields are not compared in an LTPA Token
22012 CXF property cxf.ignore.unsupported.policy is not processed correctly in Liberty
22040 Invalid character warning for colon in WorkQueueManagerImplMBeanWrapper objectName
Fix pack
Fix release date: 2 August 2022
Last modified: 2 August 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH45225 CICS link servers do not reconnect to a Liberty profile server after the Liberty profile server is recycled
PH45750 IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777 CVSS 7.5)
PH46073 Duplicate of PH47867
PH47867 IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476 CVSS 5.0)
Open Liberty Release fixes 
Issue/PR Description
11959 Weld does not mark org.jboss.weld.context.ConversationContext.conversations as dirty when retrieving it from session storage
20939 Classpath visibility unclear -> NoClassDefFoundError: javax.cache.CacheException since (maybe since
20950 Memory Leak with JSF's ViewScopeContextualStorage (MYFACES-4433)
21204 [JPA 2.1] EclipseLink: Deliver Bug #579409
21214 Server start fails when directory has spaces
21398 Add additional details to `exposeWebInfOnDispatch` Server configuration description
21473 ClassCastException FFDC occurs when using audit-1.0 with other features like requestTiming-1.0 or eventLogging-1.0
21526 UI generated by `openapi-3.1` feature doesn't show the link specific endpoints
21601 Port MYFACES-4432 to JSF 2.3 and Faces 3.0 (Resolve request object in facelets)
21615 EJB persistent timers that were deferred during app start do not run when app finishes starting
21651 290399-Fix umask command for IBM i in server script
21664 featureUpdate downloads fail in Windows, due to #20945
21735 PausableComponentException when closing message endpoints on server shutdown
21740 Inactivity timeout value larger than 2147483 seconds causes immediate cache invalidation
Fix pack
Fix release date: 5 July 2022
Last modified: 5 July 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Virtual Member Manager (VMM) PH46082 Add warning message when failed login delay is disabled
Open Liberty Release fixes 
Issue/PR Description
19832 OpenIdConnectClient not working with proxy settings given in jvm.options
20933 FeatureUtility only checks one Maven repository
21148 Transactions summary trace is missing
21441 The openapi-3.1 liberty feature generates wrong property name for annotation @Schema
Fix pack
Fix release date: 7 June 2022
Last modified: 7 June 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Intelligent Management Component PH43910 Liberty routing rules do not always respect a webserver assignment using the '*' wildcard
Liberty Administrative Center PH45086 IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393 CVSS 3.1)
Security PH46072 IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475 CVSS 7.1)
Open Liberty Release fixes  
Issue/PR Description
14425 EclipseLink: Deliver Bug #567087
18844 The class is not visible as an API
20082 CWWKE0702E: Could not resolve module: [852] Bundle was not resolved because of a uses constraint violation.
20908 Default session meta cache name failed with RH DataGrid
20981 ArrayOutOfBounds exception on z/OS with either full or JMX audit events enabled on shutdown
21004 featureUtility viewSettings doesn't show repository settings
21043 Bump netty dependencies to 4.1.77.Final
21050 Liberty OIDC error is being returned with incorrect characters
21060 Correct Service Release and Fixpack processing in JavaInfo
21079 Refresh token is not cleaned up when a JWT access_token had been issued
21097 Custom claims not passed to the back end
21108 Admin center enhancement
Fix pack
Fix release date: 10 May 2022
Last modified: 10 May 2022
Status: Recommended

Download Fix pack
Component Security APAR APAR Description
General PH42822 WebSphere Liberty z/OS java.lang.NullPointerException at$ClassloaderReference
Liberty z/OS PH45221 NPE in
PH45329 Liberty server fails to start with JVM gpf after a racroute request=auth call
PH45749 z/OS Product registration message CWWKB0108I does not contain full version
Open Liberty Release fixes
Issue/PR Description
20283 Fix duplicate error messages in RESTful WS (JAXRS)
20306 Bump netty dependencies to 4.1.75.Final
20476 NPE when outputting SimpleTimer close to the end of a full minute.
20509 JSP included jar dependency check incorrect
20522 Update ExpressionLanguage 4.0 API/Impl to 10.0.18
20627 schemaGen improve command line options parsing
20669 Extra text found in description of connectionManager purgePolicy
20693 Springboot application packaged with OL failed to run
20730 Deadlock in memory session and logging handler
20762 Port MYFACES-4431 to JSF (Custom Navigation Handler Thows NPE during Flow Handling)
20782 FeatureUtility isf does not resolve already installed user feature
20818 JaxRS-Client fails performing PATCH-requests with Java17
20858 localConnector problems with some combinations of jdk.attach.allowAttachSelf and
Fix pack
Fix release date: 12 April 2022
Last modified: 12 April 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH44666 OpenAPI UI is missing CSS
General PH45006 During server shutdown OSGi applications may log null pointer exceptions (FFDCs)
JavaServer Pages (JSP) PH44627 Null Pointer Exception in JSP after when skipMetaInfResourcesProcessing=true
Liberty Archive Install PH44289 Install of z/OS Liberty interim fix fails with CRIMA1076E
Liberty Kernel PH45316 Liberty packaging fixes - Ensure the proper set of features are packaged when several valid versions exist
Open Liberty Release fixes          
Issue/PR Description
18177 Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP
19627 MP JWT 1.2 fails to load all relevant MP Config properties
19767 Bump gRPC dependencies to 1.43.2
19937 context-root for web-ext is no longer honored with WLP
20082 CWWKE0702E: Could not resolve module: [852] Bundle was not resolved because of a uses constraint violation
20247 webContainer property skipMetaInfResourcesProcessing=true can cause NullPointerException in JSP taglib
20293 Add security headers to OpenAPI UI
20298 Avoid ConcurrentModificationException during dynamic configuration updates for federatedRepository and user repositories
20303 NPE during handshake when CLIENT_AUTH or SERVER_AUTH is missing in the certificate extension
20310 OpenAPI UI is broken (missing CSS)
20353 NullPointerException in EJBWARRuntimeImpl when dynamically updating server configuration
20403 LibertyRestClientBuilderImpl nonProxyHosts PatternSyntaxException
20441 Timing window where cancellation of scheduled task is ignored
Fix pack
Fix release date: 15 March 2022
Last modified: 15 March 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
JavaServer MyFaces (JSF) Apache MyFaces implementation PH43113 ClassNotFoundException for SecureSerializedViewCollection during Session Persistence
Liberty Administrative Center PH43817 IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
Liberty Kernel PH44064 Liberty server command not working on IBM i platform after installing fix pack
Liberty System Management PH43223  IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038 CVSS 4.4)
Open Liberty Release fixes
Issue/PR Description
12050 @RolesAllowed rejects unauthenticated users when they mapped to an allowed (EVERYONE) role
19316 Duplicate message key in
19519 LibertySSLSocketFactory cannot be loaded inside a custom feature
19613 Bump netty dependencies to 4.1.72.Final
19659 Update ExpressionLanguage 4.0 API/Impl to 10.0.14
19673 JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer"
19780 Adding Monitor Filter increases Startup Time.
19937 Context-root for web-ext is no longer honored with WLP
19960 OpenID Connect: Double URL Encoded State Parameter in Redirect location
19981 ConcurrentModificationException in
19991 featureUtility does not pass all features from server.xml to repository resolver
19999 [JPA 2.2] EclipseLink: Deliver Bug #578262
20003 Update Webcontainer ServletVersion Handling to Avoid SRVE8501E errors
20020 AccessControlException thrown from Yoko calls to Class::getClassLoader
20063 Server commands not working on IBM i after checkpoint changes
20064 Fix server command on IBM i
20070 503 response returned when request contained a 100-continue header
20165 jsonpContainer-2.0 and jsonbContainer-2.0 features incorrectly use default providers.
20206 Servers stop can fail in products that embed Liberty
20277 False artifact io.openliberty.jaxrs30 in mvn repository
Fix pack
Fix release date: 15 February 2022
Last modified: 15 February 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH44762 IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031 CVSS 5.4, CVE-2021-46708 CVSS 4.3)
General PH41660 After upgrade "DefaultHostname" definition in does not overwrite Liberty default
PH43194 Add support for CICS 5.6 to WOLA
PH43281 API Discovery UI will not load
PH43530 NullPointerException in JSP after
Intelligent Management Component PH41615 Intelligent management WebServer plug-in is sometimes unable to route one HTTP session requests to the same member server
Virtual Member Manager (VMM) PH42489
IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031 CVSS 7.5)
 Open Liberty Release fixes
Issue/PR Description
18299 NullPointerException if used with mpMetrics 3.0
18941 NullpointerException in JSP after upgrade
19177 [JPA 2.2] EclipseLink: Deliver Bug #412391
19545 OpenIdConnectClient cookies not getting deleted after logout
19608 Oracle database helper logging `DSRA8207I` too frequently
19688 Empty hides all messages and does not create messages.log
19702 Support for outbound channel selectors to start immediately
19707 Runnable jar hangs after Ctrl + C
19780 Adding Monitor Filter increases Startup Time
19781 Calling `UserRegistry.isValidGroup` or `UserRegistry.isValidUser` when using `federatedRegistry-1.0` can return `true` when `false` should be returned
19785 Federated SAF registries can incorrectly claim a SAF user or group is not in the realm when calling `UserRegistry.isValidGroup`
19826 MP Fault Tolerance annotations at the class level of a Rest Client interface are ignored
19831 The output of ./wlp/bin/productInfo featureInfo missing new lines
19841 defautHostName does not get picked up from for cfw
19860 Updating MicroProfile versions on server.xml causes issues with install manager
19897 "ERROR: Input redirection is not supported, exiting the process immediately" reported with Open Liberty as a service on Windows
Fix pack
Fix release date: 18 January 2022
Last modified: 18 January 2022
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH42908 HTTP/2 streams still accepted after server shutdown despite OLGH19193
Liberty Archive Install PH41986 Product validation fails by feature manager when PH39418 is installed
Runtime and Classloader PH42759 Block class loads for vulnerable classes
Web Container PH42435 SRVE0250I and SRVE0164E no longer emitted due to OLGH18992
Web Services (JAX-WS) PH42074  IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310 CVSS 4.8)
WebSphere MQ messaging providers PH42762 Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server Liberty (CVE-2021-4104 CVSS 8.1)
 Open Liberty Release fixes
Issue/PR Description
16320 OAuth provider Multiple Connections are disallowed in current pre-existing attachment environment error TS003794701
17562 Multiple duplicate element IDs cause excess memory allocations and looping.
18695 Avoid inferring caller in LogRecord.getSourceClassName and LogRecord.getSourceMethodName in Liberty HPEL
19334 Policy attachments file: policy-attachments-server.xml is not processed
19342 [JPA 2.1] EclipseLink: Deliver Bug #463042
19348 gRPC server property "httpEndpoints" is invalid
19366 JMX file transfer errors should not expose resolved file paths
19413 JAX-RS fails with 400 Bad Request when query string contains _type param
19433 JNDI lookup to CORBA URL can hang
19505 SRVE0250I and SRVE0164E messages not emitted unless trace is enabled
19514 Test Failure: AutonomicalPolling1ServerTest.testAddPersistentExecs gets intermittent NullPointerException when transaction timeout aborts the connection
19522 Unresolved gRPC bundles in feature
19547 New HTTP/2 streams still accepted while server is closing
19567 Memory Leak with mpJWT
19585 Classes are still indexed by mpOpenAPI when mp.openapi.scan.disable=true
19589 ArrayIndexOutOfBoundsException during startup with mpOpenApi
19630 Application class loader to ignore designated classes
19631 featureUtility installServerFeature fails when user feature is listed
Fix pack
Fix release date: 3 December 2021
Last modified: 3 December 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty z/OS PH41840 Cannot get a WOLA connection for a client after configuration update
Open Liberty Release fixes
Issue/PR Description
7735 Backport close stream weld properties overlay
17428 OpenAPI 2.0 includes non-public fields in the generated documentation
17599 wsoc connection causes quiesce error
18896 OSGiBeanValidationImpl DS component needs to wait for all config to load.
18992 Application fails to restart in server.xml update scenario
19051 Server script depends on the `which` command
19057 Port bind skipped at server startup
19087 Throughput performance degradation in eclipselink due to Thread.getStackTrace calls
19127 AccessControlException in WebAppSecurityCollaboratorImpl performDelegation(...)
19193 Stop allowing creation of H2 streams if server is closing
19197 ClassCastException in JSP relating to JDT internal classes
19227 Bug Fix: Ensure ServletRequestListener#requestDestroyed is always called
19233 Incorrect PostgreSQL session table query
Fix pack
Fix release date: 5 November 2021
Last modified: 5 November 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
IBM i PH39665 WebSphere Liberty server fails to start on IBM i running with Java 11
System Management Functions PH40204 Deadlock found in SingletonServiceManagerImpl registerService
Open Liberty Release fixes
Issue/PR Description
13990 SAML JSP gets unexpected 500 error due to ClassCastException
16598 ServletContainerInitializer is passed invalid @HandlesTypes classes
16811 Response output may not close at end of dispatch forward
17155 Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17972 `@Schema(multipleOf = )` can throw `NumberFormatException` in `mpOpenAPI-2.0` feature
18262 server startWinService & stopWinService commands give incorrect/misleading return codes
18411 Liberty message.log has repeating servlet lifecycle messages
18419 ExpressionFactory#getClassNameServices fails if META-INF/services/javax.el.ExpressionFactory contains comments
18492 gRPC service registration broken for EAR deployments
18663 NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
18674 HTTP/2 streams closed due to client window update delay
18751 Bump netty dependencies to 4.1.68.Final
18813 Test Failure: testJTATransactionUsedSeriallyWithOverlapAndCommitWithinLastStage NullPointerException
18836 NPE when creating an HttpAuthenticationMechanism with the default package
18866 Fix PasswordUtil.passwordEncode() with "hash" option
18925 Cloudant NLS messages are not used
18973 Investigate weld-osgi-bundle versions in feature files
Fix pack
Fix release date: 8 October 2021
Last modified: 8 October 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty Kernel PH39418 Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517 CVSS 5.5, CVE-2021-36090 CVSS 7.5)
PH40489 SPNEGO fails with 403 error on Java 11 at
Liberty System Management PH39935 CWWKE0701E at Liberty startup reports a ConcurrentModificationException in the APIProviderAggregator class
Web Container PH40879 Server start hangs caused by plugin-cfg.xml generation
Virtual Member Manager (VMM) PH38929 WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842 CVSS 3.7)
Open Liberty Release fixes
Issue/PR Description
17155 Multiple entries may be added to the Authentication Cache for a custom cache key hashtable login
17489 IllegalStateException is thrown when Liberty tries to update a readOnly subject
17950 Fix SRVE8501E Warning
18281 Possible Bug with deferServletRequestListenerDestroyOnError
18282 Bug: AdminCenter SRVE0190E: File not found: /images/tools/wasdev_142x142.png
18299 NullPointerException if used with mpMetrics 3.0
18348 ContainerRequestContext.getAcceptableLanguages() - fails with IllegalArgumentException when invalid locales are specified in the Accept-Language header.
18404 Create PluginGenerator Lock to Address FileNotFoundExceptions
18430 Saml web sso sp initiated login flow resulting in buildup of WASSamlReq_xx cookies
18437 JSF throws ClassNotFoundException for o.a.m.el.convert.ValueExpressionToValueBinding
18475 Servlet ReadListener does not receive all HTTP request data
18503 RuntimeCodebase cannot be located on collocated call
18530 Startup hang caused by plugin-cfg generator changes
18552 JAX-RS 2.0 and 2.1 implementation is executing resource method when Content-Type or Accept header contains invalid values
18663 NullPointerException in JaxRsFactoryImplicitBeanCDICustomizer
Fix pack
Fix release date: 10 September 2021
Last modified: 10 September 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
JavaServer Faces (JSF) Apache MyFaces implementation PH40182 JSF faces-config parser throws NPE when XML namespace missing
JavaServer Pages (JSP) PH38133 Incorrect Expression Language (EL) Method Matching with Varargs
Liberty z/OS PH39946 Liberty logging hideMessage= parameter should also stop messages being written to messageLogDD=MSGLOG
Open Liberty Release fixes
Issue/PR Description
16700 Improve featureUtility performance with remote repository
17444 Pull in BZ 65358 -- Varargs Method Matching (EL Patch)
17591 IdentifyException accidentally externalized as unusable top level config element
17682 Exception stack trace is exposed in error returns from JMX REST apis
17912 Bump netty dependencies to 4.1.66.Final
18002 `@Schema(multipleOf = )` validation check is wrong in `mpOpenAPI-2.0` feature
18009 Wrong char count in ServletOutputStream with non-ASCII characters skips content
18091 Remove system from code
18155 JSF faces-config parser throws NPE when namespace missing
18213 IOException FFDC logged after HTTP/2 stream is closed by client
18237 Unexpectd FFDC from Jackson
Fix pack
Fix release date: 13 August 2021
Last modified: 13 August 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
JavaServer Faces (JSF) Apache MyFaces implementation PH38339 StringIndexOutOfBoundsException Occurs When Creating a Resource
Open Liberty Release fixes
Issue/PR Description
16700 Improve featureUtility performance with remote repository
16994 Dynamic reconfig of discovery endpoint not updating endpoints in all cases
17313 Ubuntu upgrade re-enabled openliberty@defaultServer
17678 Port MYFACES-4065/MYFACES-4187 to JSF 2.2
17757 Passivating remote EJB Stub fails when rmicCompatible=true
17799 gRPC monitoring requires the enablement of both grpc-1.0 and grpcClient-1.0
17828 Update JSP Logic to Avoid Race Condition Regarding trackDependencies
17904 grpcClient-1.0 dynamic enablement unexpected behavior
Fix pack
Fix release date: 15 July 2021
Last modified: 15 July 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH37788 Use first found ejbDescriptor for MD
General PH35877 Session ActiveCount shows a negative value
PH34906 XML External Entity Injection (XXE) in WebSphere Application Server Java Batch (CVE-2021-20492 CVSS 6.5)
PH38224 Invalid command line optional parameters with "featureUtility help installFeature"
Open Liberty Release fixes
Issue/PR Description
14575 OAuth client registration: Client IDs with GB18030 characters do not work
15726 Re-introduce change reverted from 14248
16282 Nullpointer exception during authorization using OidcLogic
17235 FeatureUtility should return RC=20 when invalid action name is specified
17299 Allow multiple version of singleton feature with featureUtility installFeature command
17344 OIDC RP may fail to login if clientSecret is not configured TS005720300
17437 NPE in
17478 Invalid command line optional parameters are shown with "featureUtility help installFeature" and "featureUtility help installServerFeatures"
17482 Unexpected results with JSP trackDependencies in the extended document root
17489 IllegalStateException is thrown when Liberty tries to update a readOnly subject
17576 OIDC Update the description for disableIssChecking
17593 EJB Singleton Lifecycle Deadlock
17635 Bump gRPC dependencies to 1.38.1
17658 ConcurrencyPolicy loses queue slots when managed executor deactivates and erroneously cancels tasks of other executors
17666 JavaMail tries to use a resource file that only exists in the implementation
Fix pack
Fix release date: 18 June 2021
Last modified: 18 June 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
JavaServer Pages (JSP) PH36923 java.lang.NullPointerException caused by PH34711
Liberty Kernel PH37460 Setting 'AutoExpand' to true causes the 'UseJandex' setting to be ignored
Open Liberty Release fixes
Issue/PR Description
12778 mpJWT-1.1 configured by using jwksUri results in CWWKS5523E at the first jwt token presented to the server
15023 WASReqURLOidc cookie encodes the request url but does not decoded it upon successful redirection
16598 ServletContainerInitializer is passed invalid @HandlesTypes classes
16743 Pull in MyFaces 2.3.9
17040 Revision to httpOption maxKeepAliveRequest default value
17047 PluginGenerator FFDC: BundleContext is no longer valid
17117 Test Failure: Failover1ServerCoordinatedPollingTest.testMultipleInstancesCompeteToRunManyLateTasksPC
17177 Failed to locate data source, null Resourcefactory
17203 ORB.init() called simultaneously on two threads during server start
17268 APAR PH37460 useJandex is ignored when autoExpand is set
17294 might be thrown during AsyncContext.complete()
Fix pack
Fix release date: 21 May 2021
Last modified: 21 May 2021
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
Liberty OSGi Applications PH28781 CWWKZ0404E: An exception was generated when trying to resolve the contents of the application
Liberty z/OS PH35442 Smf120 subtype 11 records sometimes missing values when a servlet request takes an error path
PH35542 Abend 0C4 in ntv_registerserver reported on WebSphere Liberty z/OS (wlp-1.0.47.cl201220201111-0736)
PH36576 CWWKB0086E seen in angel in fix pack
Open Liberty Release fixes
Issue/PR Description
13522 Publish the WebContainer property enableMultiReadOfPostData
14174 The WebContainer properties may not be updated accordingly.
14345 ServletContext getContextPath() does not end with forward slash.
15216 JDBC Kerberos problems on IBM JDK 8
16203 IllegalStateException when calling CDI bean with @Transactional(Transactional.TxType.NEVER) from websocketEndpoint
16307 Update Liberty to not block use of Oracle 21c JDBC driver with IBM Java 8 and Kerberos authentication.
16428 Remove Internal From setHtmlContentTypeOnError
16495 Rename plugin-cfg File Using Files#Move
16524 Fix issue with spanning an audit record across audit logs when signing and encrypting of audit logs is enabled
16637 Authorization failure occurs when LDAP or basic user attempts login in SAF federated registry
16661 is not loaded in OASFilter
16694 Avoid virtual host missing warning if server is in the process of shutting down
16764 Deploying two applications with mpOpenApi-2.0 enabled can cause IllegalStateException: SROAP00001: Model already initialized.
16772 [JPA 2.1] EclipseLink: Deliver Bug #573094
16774 PostgreSQL session table check missing qualifier name
16793 Include RelayState in the logout response to IdP initiated slo requests
16808 Issue16807 support new Java policy location per open JDK 9
16843 Cleanup request thread data
Fix pack
Fix release date: 23 April 2021
Last modified: 23 April 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Administrative Console PH34122
Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258 CVSS Score 7.5)
Java 2 Connectivity (J2C) PH33683 EJB timer service does not adjust for daylight savings time
JavaServer Faces (JSF) Apache MyFaces implementation PH34711
Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)
Open Liberty Release fixes
Issue/PR Description
15336 Replace DNS lookup with regular expression to get the domain name in SSO Cookie Domain function
15989 MyFaces Update State Saving
16054 HSTS Header not added on responses with 404 status
16113 Shared Class Cache not generated on Windows
16118 Create setHtmlContentTypeOnError Webcontainer Property
16160 HTTP/2 ClassCastException during error handling
16184 EJB timer service does not adjust for daylight savings time during fall adjustment
16301 LDAP and Database Identity Stores fail to reprocess deferred EL expressions
16353 Bump netty dependencies to 4.1.62.Final
16364 Premature response completion in Async servlets
16410 Improve messaging in ldapRegistry-3.0 when userFilter and groupFilter do not contain an AVA with %v
16416 Java 2 Security exception when adding custom principal to the subject for Jaspic
Fix pack
Fix release date: 26 March 2021
Last modified: 26 March 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty z/OS PH33563
SAFPasswordUtilityFactory.getInstance().passwordChange results ioException: exception in opening zip file after multiple calls
PH34338 ABEND0C4 during Liberty server shutdown
Open Liberty Release fixes
Issue/PR Description
5470 NLS message CWWKE0031E is inaccurate when emitted from server script
11249 JAXRS leaks memory when applications do not close their Client references
12606 server.bat script does not read path of jvm.options correctly as documented
14926 Bean Validation 1.1 NullPointerException from ValidationReleasableFactoryImpl
15646 Issue15644ProperMergingOfJava2Permissions
15744 Pull in MyFaces 2.3.8
15799 Plugin Generator can cause server shutdown delay
15822 LDAP group members may be ignored when the member's RDN starts with cn (and possibly other attribute names).
15853 Bump netty dependencies from 4.1.52.Final to 4.1.59.Final
15857 EJB client intermittently throws BAD_PARAM after server restart
15869 MP Config AppPropertiesTrackingComponent synchronization
15878 JAX-RS requests that do not specify the port fail with SSL
15927 Cannot inject optional list with mpConfig-1.x
15943 Merge multi-homed environment related changes into Liberty
15975 Create a UDP connection using the selected outbound interface
15985 Threads backing up during transaction processing due to use of Dictionary
16037 Separating ciphers with two spaces results in unspecified behaviour
16060 Eclipselink bundles lack javax.mail.internet
Fix pack
Fix release date: 26 February 2021
Last modified: 26 February 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH33219
AdminCenter web app is not updating status after an operation concludes
Install PH33517 Issue with <INCLUDE LOCATION> tag on Liberty failed to support the WLP_USER_DIR in already built fixes
Java 2 Connectivity (J2C) PH31875 J2CA0079E: getManagedConnection internal illegal state state = state_inactive mcw
Open Liberty Release fixes
Issue/PR Description
11777 prepareJSPThreadCount is not documented in Open Liberty - Investigate if any issues using it and document
12490 IOExceptions thrown after HTTP/2 stream is closed by client
12694 EclipseLink: Deliver Bug #538296
14109 Update gRPC dependencies to 1.35
14175 Expression Language 3.0 value lookup performance improvement
14248 Update WC property suppressHtmlRecursiveErrorOutput
14934 JAX-RS client creates a new SSLSocketFactory for every request
15040 ClassCastException might happen when serving a static resource
15433 System WABs may come online with the web container after server reports started
15550 NullPointerException in HttpServletRequest or HttpServletResponse context proxies
FeatureUtility not parsing Liberty custom environment variables
Fix pack
Fix release date: 29 January 2021
Last modified: 29 January 2021
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Install PH32961 InstallUtility and FeatureUtility are working when the variable is a directory, but not part of a file name
Intelligent Management Component PH31732 Restricting IP access in ssh keys in authorized_keys, results in ssh key being appended when collective member is restarted
Open Liberty Release fixes
Issue/PR Description
10000 HttpServletResponse.sendRedirect(String location) builds absolute URL including protocoll and server-name
12095 PluginGenerator: BundleContext is no longer valid
12417 Fix java.lang.IllegalStateException: jstl facade bundle can not be located
13515 Add addstricttransportsecurityheader WebContainer prop to metatype
14532 Plugin Generator can cause server shutdown delay
14815 Recovery race
14925 OAuth user registry lookups may use incorrect custom cache key
14928 EclipseLink: Deliver Bug #514486
14936 Issue when deploying Open Liberty application to Openshift
14950 Pull MyFaces 2.3.7 into Open Liberty
14975 OIDC RP: creating a subject with allowCustomCachKey=false results in a subject that includes a cache key
15174 Include tag on windows not parsing correctly
15216 JDBC Kerberos problems on IBM JDK 8
15220 Add HTTP/2 IOException for misbehaving client error case
15237 Clear federated repository specific information from AuditManager thread
15242 Stop the ACME Certificate Checker Task when the server is stopping
15263 HTTP TRACE method requests are rejected with a 403, and `enableTraceRequests="true"` does not help
15305 Pull in CXF-8278
15315 Enable server shutdown on recovery log failure
15337 Dynacache initialization issue when ID is missing
15342 CONTAINER_NAME env variable is not reflected in logstashCollector-1.0
15388 Include tag file name unable to be parsed for featureUtility
15390 Various thread safety issues in the Liberty scheduled executor
15550 NullPointerException in HttpServletRequest or HttpServletResponse context proxies
Fix pack
Fix release date: 27 November 2020
Last modified: 27 November 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH30714 PortOpenRetries needs to do retries for hostname lookup failures
PH30744 Increased CPU can occur after moving to Liberty version or higher
Install PH32363 InstallUtility and featureUtility ignores included config files on Windows
Intelligent Management Component PH31277 Health policies do not trigger
Java Persistence API (JPA) PH29720 EclipseLink generates SQL for the coalesce function with incorrect whitespace.
Systems Management Functions PH30558 Do not store Leader ID when server is stopping
Open Liberty Release fixes
Issue/PR Description
14425 EclipseLink: Deliver Bug #567087
14426 EclipseLink: Deliver Bug #463350
14457 EclipseLink: ClassCastException for Boolean-Typed JPS-Query
14540 returns empty map.
14542 Java 15: IllegalAccessError when using MP Rest Client
14555 TCP: add retry logic to hostname loookup when opening ports
14582 Prevent jsonp-1.0 and jsonpContainer-1.1 from both starting.
14597 Increased CPU when moving from Liberty to newer releases.
14650 MP GraphQL does not scan JARs in WEB-INF/lib for GraphQL components
14655 Move participatingBaseEntry check to avoid inaccurate logging of CWIMK0004E message
14657 Fix connection manager deadlock for purgePolicy=FailingConnectionOnly
14735 Fix the Logging metatype description message for hideMessage
14743 Variables in include files not recognized after config update
14781 Wrong FailureScopeController used in peer recovery
14826 Allow Spring Boot app with embedded launcher script to deploy
14828 Server stop hang
Fix pack
Fix release date: 30 October 2020
Last modified: 30 October 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH30494 NullPointerException is received when using the PasswordChange API with more than one UserRegistry
Java 2 Connectivity (J2C) PH29942 Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693 CVSS 5.3)
Open Liberty Release fixes
Issue/PR Description
7056 HTTP/1.1 and HTTP/2 behave differently when a non-standard HTTP method is used
12312 Update to commons daemon breaks windows servicel
12724 Unable to Override JAX-RS SecurityContext in ContainerRequestFilter
13073 FFDC raised when fallback method or handler throws exception
13830 Federated repositories returns the string "null" instead of the value null for several methods
13861 Getting ManagedThreadFactory from JNDI is failing in
13908 Liberty Java security function does not honor JDK's java.policy file.
14003 Test Failure:
14183 Need an option to load a custom JaasLoginModule without going through
14192 Eclipselink: Wrong month is returned if OffsetDateTime is used in JPA 2.2 code
14377 Server.xml config sources do not respect config_ordinal
14421 EJB persistent timer may attempt to run after server stop issued
Fix pack
Fix release date: 2 October 2020
Last modified: 2 October 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Asynchronous beans PH29578 CWWKE0701E: Frameworkevent error org.osgi.framework.serviceExcception
Liberty Kernel PH27428 NullPointerException because wsJarUrlStreamHandler creates unusable input stream
PH27908 Unconverted adapt to web annotations from
PH28816 During server startup, the warning "Unconverted adapt to web annotations" appears in server logs
Liberty z/OS PH28141 Out of memory in cell pool using 500 connections
Web Services Security PH29368 WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590 CVSS 5.3)
Open Liberty Release fixes
Issue/PR Description
11646 Concurent Login Issue
11722 mpHealth - readiness check reports UP when application fails to start
11847 Add support for traditional websphere property:
12613 Enabling openTracing with no tracer class configured impacts performance
12790 Need to limit how many times an OIDC refresh token can be used to get new tokens
13404 Kafka connector can report failure for acknowledgements which eventually succeed
13551 NullPointerException when starting an EJB module during server stop
13569 Federated basicRegistry returns inconsistent results for case insensitive direct user lookups in scim-1.0
13613 Support IIOP transmission of Supplemental Multilingual Plane characters (such as emoji) in (wide) Strings
13681 Getting ManagedThreadFactory from JNDI is failing in
13817 PostgreSQL tables are not automatically generated for transaction recovery
Fix pack
Fix release date: 4 September 2020
Last modified: 4 September 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
EJB Container PH27497 CNTR5010E,CNTR0075E Errors after migrating from WebSphere V8.5.5.X TO V9.0.5.X
PH27912 CNTR5104E OR CNTR5102E occurs at EJB start after upgrading WebSphere to V8.5.5.16, V9.0.5.0, V9.0.5.1, OR V9.0.5.2
Install PH30219 <INCLUDE> Tag not being considered when installing server.xml
Java Persistence API (JPA) PH26967 OpenJPA's class transformer needs to respect app classloader concurrency
PH28547 JPA persistence activator retains classloader references, potentially leading to OutOfMemory condition
 Open Liberty Release fixes
11504 Occasional ArrayIndexOutOfBoundsException in JaspiServiceImpl.getDescription during Arquillian Tests
11556 Connection leak when XAResource.recover fails
12832 Bean Validation should consider @ValidateOnExecution when CDI is not enabled.
13027 Jaxrs security not getting SSL Socket Factory updates
13036 mpGraphql Exception allowlist not working. NullPointerException is thrown by mpConfig
13138 tag not being considered when installing server.xml
13170 MDB method restricted from being private final for no methods listener
13309 Application with EJB 2.x local interface that extends java.rmi.Remote fails to start
13331 ignore extra ffdc when application fail to start due to vhost already removed by stop app
13447 Http/2 -clean up connection on error
14183 Need an option to load a custom JaasLoginModule without going through
Fix pack
Fix release date: 7 August 2020
Last modified: 7 August 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Systems Management Functions PH27639 Stopped application may show as started in collective controller.
Security PH34376 RACF RACMAP filter fails to properly match on realm
Open Liberty Release fixes
Issue/PR Description
12074 Webcontainer property decodeUrlPlusSign issue
12312 Update to commons daemon breaeks windows service
12450 Batch: Fixes for remote partition job logs
12523 Failed to parse Created TimeStamp in UsernameTokenValidator
12613 Enabling openTracing with no tracer class configured impacts performance
12695 JAX-RS Application Proxy should override getProperties()
12780 CWMRX1001W seen in messages.log
12865 spring-cloud-starter causes ApplicationStarted event to be fired before the ModuleStarted events for Spring Boot web apps
12967 "peer not authenticated" failures in RP to OP communication on some versions of Java 11
13094 MDB message listener method name restricted from starting with "ejb"
Fix pack
Fix release date: 9 July 2020
Last modified: 9 July 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty System Management PH26177 API Discovery UI fails
z/OS PH23733 Unexpected Transaction CPLT ABEND ASIB when transaction is rolled back
Open Liberty Release fixes
Issue/PR Description
8048 Unable to write multipart data in Jax-Rs
12032 Configuration for sslSessionTimeout is ignored at runtime
12067 PluginUtility currently looks in the workarea for but should look in the logs/state directory
12352 Correct spelling mistake in
12375 IllegalArgumentException occurs when processing SOAP response containing SOAP Fault
12399 HTTP/2 read window not updated
12516 Changes to SSL Session Timeout
12537 H2 NPE HttpOutputStreamImpl.flushHeaders
12545 syncQueryTimeoutWithTransactionTimeout="true" with totalTranLifetimeTimeout="0" results in SQLTimeoutException
12567 Fault Tolerance 2.1: org.eclipse.microprofile.faulttolerance cannot be resolved
12599 HTTP/2 connection termination performance
12708 Entry and exit trace is missing when using OpenJDK with OpenJ9 version 8.
12715 JAX-RS @Context injection into ContextResolver failing with NPE
Fix pack
Fix release date: 12 June 2020
Last modified: 12 June 2020
Status: Superseded

Download Fix pack       
Component Security APAR APAR Description
Administrative Console PH25475 After logging in to admin center console, in the web browser console role is getting exposed
General PH25479 JAXRS resource not injecting objects via CDI constructor injection
Liberty z/OS PH25650 Message CWWKO0230I is issued even if the Asynchronous I/O support was not activated
Virtual Member Manager (VMM) PH24423 With SCIM-1.0 feature and LDAP registry, SCIM queries for group members do not deliver the display name for group members
Open Liberty Release fixes
Issue/PR Description
9157 Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
10067 Update JPA to fix EclipseLink bug 618
10236 Update JPA to fix EclipseLink bug 558283
10240 Update JPA to fix EclipseLink bug 558414
10812 Update printSessionManagerConfigForDebug method to include cookieHttpOnly
11773 [openidConnectServer-1.0] incorrect http status code for error response invalid_grant
11795 EclipseLink: Deliver Bug #561664
11882 Missing FunctionMapper
11927 Include user name in CWWKS1773E error message TS003412433
11977 May get an NPE in URLEncoder.encode when OAuth provder gets bad clientId TS003459997
11984 JNDI lookup fails with org.osgi.framework.ServiceException
12019 Application MBean status is not updated when application fails to start
12024 The JCA SharedPool can leak MCWrapper objects
12212 Cached configuration not used in some circumstances
12297 Correct JSP 2.3. Feature File
Fix pack
Fix release date: 15 May 2020
Last modified: 15 May 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty z/OS PH24366 Liberty fails to remove the client address space level RESMGRs when cleaning up Liberty's client structures
Web Container PH20847 Information disclosure in WebSphere Application Server (CVE-2020-4329 4.3)
Web Services Security PH24154 Identify spoofing in WebSphere Application Server (CVE-2020-4421 5.0)
Open Liberty Release fixes
Issue/PR Description
11475 CWWKG0090E seen when using include that worked in previous version
11550 SSL Channel: double release of WsByteBuffer race condition
11582 NPE in OpentracingUtils.lookupAppName()
11590 MetricProducer provides a simple timer and concurrent gauge with the wrong MetricType
11595 SAML SP should use 401 instead of 403 when redirects user to IdP
11682 Social login feature cookies may not use dynamically updated web app security config
11696 Exception during UserTransaction thwarts @Fallback on @Asynchronous method
11716 Changes for issue 11646
11746 Unable to create logger error in server startWinService when WLP_OUTPUT_DIR set in server.env
11750 Correct redirect location.
11755 Update Weld3 to 3.1.4
11767 Lock contention acquiring applicationTracersLock in OpentracingTracerManager.ensureTracer()
11785 intermittent h2 timing test failure
11870 H2 NPE check modification
Fix pack
Fix release date: 17 April 2020
Last modified: 17 April 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH23757 EJB persistent timer/deserialized context fails with CWWKC1004E (unavailable context) after mpContextpropagation-1.0 disabled
Install V8 and above PH23517 zosConsoleCommandDisplayWork-1.0 as an auto-feature is not installed
Liberty Archive Install PH23233 NullPointerException when installing the required WLP server's features from local repository
Liberty z/OS PH22112 Display work with zosRequestLogging feature does not count servlet requests
PH23817 gpf in liberty server during shutdown
Web Services Security PH22080 Cross-site scripting vulnerability in samlWeb-2.0 (CVE-2020-4303, CVE-2020-4304)
 Open Liberty Release fixes
Issue/PR Description
4040 Make RC consistent for starting liberty as a Windows Service
4873 Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
8933 Authentication cache fails to find existing Subjects, slowing performance.
9692 Non-English characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9986 Application fails to start because of java.lang.IllegalStateException: Configuration pid was deleted
10707 Thread safety problem in JSON logging field name mapping code
10986 Invalid JSON data passed to @Path resource method(@Valid MyPojo) yields H500 instead of H400
11043 Access denied ('java.util.PropertyPermission' 'org.osgi.framework.bootdelegation' 'read')
11044 custom-login-configuration not honored in java:comp/env bindings without binding-name
11108 mpRestClient-1.3 ignoring hostnameVerifier configuration
11199 EJB Persistent Timer/deserialized context fails with unavailable mp.cleared.context.provider after mpContextPropagation-1.0 disabled
11289 ConcurrentModificationException during JSF application startup
11445 The JarFileClassLoader throws an IllegalArgumentException when defining package
11454 Remove lock contention and other perf improvements for starting multiple applications
11478 Minor code issue in LdapHelper.getRDN in
11510 Timing window where server loses the ability to run a persistent timer if config update to disable execution overlaps a poll
11534 Async implementation of MP rest client returns CompletionStage of Collection of HashMap but expected CompletionStage of Collection of a user defined type
11535 AdapterUtil.createXAException utility method garbles message parameters
11543 PH22080
Fix pack
Fix release date: 20 March 2020
Last modified: 20 March 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty log analytics and monitoring PH22677 Logstash error when parsing json
Liberty z/OS PH21809 Liberty on z/OS message routing to msglog dd stops unexpectedly
PH21956 JVM crash in zosLoggingBundleActivator.ntv_writeFile()
PH22759 Abend on the z/OS Hard failure Cleanup Thread during server stop processing
Virtual Member Manager (VMM) PH21704 SCIM fails to search when quotation marks are included in search filter
Web Services (JAX-WS, JAX-RS) PH22079 Vulnerability in Apache CXF affects WebSphere Application Server Liberty (CVE-2019-17573)
 Open Liberty Release fixes
Issue/PR Description
8547 Oracle connectionProperties being traced
9588 Fix JWKS behavior that returns cached JWK despite the JWK not having right KID
10310 EclipseLink: Deliver Bug #347987
10510 Thread fails to complete during the quiesce period
10552 Webcontainer Bundle Deactivation causes IO Exceptions for the Cached Plugin-cfg File
10697 LDAP registry and URBridge are not un-escaping double quotation and apostrophes from the XPATH search expression
10712 AsyncResponseImpl.initContinuation() throws NPE when Continuation is null
10730 Javadoc of ConnectionManagerMBean.getJndiName is not accurate
10732 Context-root attribute for server.xml web-ext element ignored
10762 Missing warning when a server element is not present
10867 German translation for 'Logout' incorrect for OIDC applications
10961 Request URL mismatch between scheme and port
10981 Yoko ORB shutdown thread hangs
10996 Error parsing JSON when using ELK with logstashCollector-1.0
11052 Basic registry throws PatternSyntaxException when search for users or groups includes braces
11105 HTTP/2 stream initialization race conditions
11123 Enhance NCSA access log 'enabled' attribute documentation
Fix pack
Fix release date: 21 February 2020
Last modified: 21 February 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH10461 When using BYO SSH keys, starting a collective controller keeps appending the ssh key to the authorized_keys file
PH11895 PI81056 did not fully resolve the issue resulting in msg CWWKO0224E (hostname resolution error) during server startup
PH19384 Liberty for z/OS server using optimized local adapters abends in method WOLANativeUtils.ntv_getClientService on shutdown
PH19528 Denial of Service in WebSphere Application Server (CVE-2019-4720)
PH19989 Denial of Service in WebSphere Application Server (CVE-2019-12406)
PH20816 Install of common Java SDK for Liberty on z/OS fails with CRIMA1161E
PH20912 Unable to set samesite cookie option with response.addHeader
PH21213 Unable to install WebSphere Application Server Liberty V8.5 version using IBM Installation Manager
PH21281 Warnings showing the text "Unconverted adapt" appears in server logs
PH21564 java.lang.SecurityException possible from messaging component calls to System.getProperty("line.separator")
PI93822 EJB auto-link fails for java:global with beanName provided
Open Liberty Release fixes
Issue/PR Description
8015  Delay TCP Port starts until server is initiailized
9085 ServletCacheEngine ignore cache for App using default context root
9157 Update Eclipselink 2.6_WAS to ASM 7.2 to support Java 14
9512 OIDC RP does not reject requests that match more than one filter
10067 EclipseLink: Deliver Bug #618
10142  Installing mpHealth 1.0 and 2.0 features together causes NullPointerException
10189 Fault Tolerance reports an internal error when an asynchronous method returns null
10196 H2 close with error produces invalid state
10236 EclipseLink: Deliver Bug #558283
10238 Default logging format not being set when using an invalid console/message logging format
10240 EclipseLink: Deliver Bug #558414
10243 Pull in MYFACES-4311 and add a FAT
10248 JsonB provider not found when loaded from library
10293 Test Failure:
10310  EclipseLink: Deliver Bug #347987
10337 Java Batch: Error reported when JMS job dispatch message is redelivered
10384 Support for SameSite attribute in Set-Cookie header is needed
10393 PersistentTimerCoreTest.testDisabledLateTimerMessage FFDC indciates missing doPriv on abort
10397 Retry port opening according to configurable number of retries
10426 requestTiming-1.0: servletTiming server configuration does not work with servlet-4.0
10461 Basic registry throws PatternSyntaxException when search filter contains paren
10462 LDAP registry throws InvalidSearchFilterException when principalName search filter contains paren
10508 Avoid using System.getProperty("line.separator") in messaging code
10559 Need to quit warning about strange cookies sent from IBM ID
10578 oidcclient does not expand ID attribute after 19.011
10582 JAX-RS 2.0 ExceptionMapper is ignored when using mpOpenTracing
10587 Yoko ORB shutdown thread hangs
10604 Wrong encoding for special characters (Swedish language)
10702 Decompression Ratio Support
Fix pack
Fix release date: 24 January 2020
Last modified: 24 January 2020
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty System Management PH20161 OpenAPI Swagger UI vulnerability (CVE-2019-17495)
Web Services (JAX-WS, JAX-RS) PH18762 Add support for gzip encoding
 Open Liberty Release fixes
Issue/PR Description
6956 Liberty depends on the ps command during shutdown
8563 Pull in MyFaces 2.3.6
8773 OIDC Client Requests Tokens with the same auth code
9281 auditUtility command/script file not found in /bin directory.
9307 Error message when MP Open Tracing feature is enabled but not in use
9441 Auto-features which depend on kernel features do not get installed
9943  Map the Spring Boot application's context root to the application's welcome page (index)
9516 Unfriendly user error message displayed and user is blocked from signing in to their application when their liberty session expires
9602 H2 Synchronization problem with tests that are sending duplicate frames
9679 H2 intermittent error when upgrade fails
9708 For a batch job with partitioned step, the PartitionReducer's afterPartitionedStepCompletion gets ROLLBACK on normal completion.
9798 Handling logging out of mp jwt flow introduces an error
9824  Cannot distinguish opaque token that contains two dots from JWT
9848 Resource adapters might fail to start with Bean Validation 1.1 and CDI 1.2 enabled.
9886 Unresolved module
9904 javax.servlet.ServletRequest.getParameterValues returns null in Jaxrs applications
10006 service.ranking can be removed from defaultInstances.xml
10030 H2 connection error causes server timeout
10144 Add additional support for range attributes on Active Directory Ldap searches
10165 Fault Tolerance messages not output
10178 Resource leak when installing features through Gradle on Windows
10215 CXF cannot process a gzip encoded SOAP response
10228  Rest Client for MicroProfile loses entity on POST requests with status code 202 response
Fix pack
Fix release date: 13 December 2019
Last modified: 13 December 2019
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty Administrative Center PH18799 WebSphere Liberty is vulnerable to a Cross-site scripting vulnerability in the Admin Center  (CVE-2019-4663)
 Open Liberty Release fixes
Issue/PR Description
8395 Remove obsolete from Liberty's metadata and web container properties
9228 LDAP registry returns error code 21 when updating boolean values
9293 Opentracing can cause jaxrs exceptions to not be logged
9386 NullPointerException when using dynamic filter to add mapping for servlet name
9455 HTTP/2 malformed requests should cause stream reset
9499 FFDC when Exception thrown by user code proxied using ContextService
9545 Test Failure:
9596 Relax criteria for calling out an FFDC when dealing with the Selector logic
9607 NPE in the SIP Container when a Digest challenge does not contain the `algorithm` field
9625 Unable to load LibertySSLSocketFactory during transaction recovery
9676 Class transformers can fail if a class is loaded from the shared classes cache
9692 Non english characters in logoutRedirectUrl of oauthProvider results in incorrect redirection
9825 JNDI literals parsing too verbose
Fix pack
Fix release date: 15 November 2019
Last modified: 15 November 2019
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
General PH11427 Service call by service.Create() does not time out in 30 seconds
PH17678 Man in the middle vulnerability in OpenSAML (CVE-2014-3603)
PH18113 Add Apache HttpClient library
PH18282 SCIM API fails to retrieve a group or user with a forward slash in the DN
JavaServer Pages (JSP) PH13983 Information disclosure in WebSphere Application Server (CVE-2019-4441)
Liberty z/OS PH18715 java.lang.StringIndexOutOfBoundsException exception in
Security PH18751 Exceptions when using keystore ID="defaultkeystore" after upgrading to fix pack on z/OS
PH29291 NullPointerException might be thrown during EJB invocation on
Open Liberty Release fixes
Issue/PR Description
4387 Runnable JAR execution fails when WLP_USER_DIR env var is set to "other" location with CWWKE0005E
7701 Pull in MyFaces 2.3.4
8152 TAI negotiateValidateandEstablishTrust called twice during authentication.
8404 Confidential for Security Integrity fix CVE-2014-3603
8860 jwkRetriever should not require an sslSocketFactory if using http
8899 federatedRegistry-1.0 group membership may use a repository that does not participate in the realm
9085 ServletCacheEngine ignore cache for App using default context root
9122 Remove additional ; in
9129 Update Commons BeanUtils to 1.9.4
9130 Header Key retrieval fix for case sensitivity
9132 correct certain JSP messages
9143 NullPointerException might be thrown when the security audit is enabled for ejb.
9380 IllegalStateException in JMX Connector RESTHandler from call to getWriter
9416 Add Apache HttpClient v3.1 library
9436 RACF SDBM LDAP registries may encounter OperationNotSupportedException
9437 Test Failure (20180702-1422):
9441 Auto-features which depend on kernel features do not get installed
9451 Fix Intermittent NullPointerException on TCP trace during shutdown
9472 H2 Intermittent NPE in HttpOutputStreamImpl.flushHeaders()
Fix pack
Fix release date: 18 October 2019
Last modified: 18 October 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH05014 Null CDI Bean results in a NullPointerException thrown in Apache WebBeans code
General PH16611 Multiple vulnerabilities in HTTP/2 implementation used by WebSphere Application Server Liberty
Intelligent Management Component PH16337 Liberty OIDC is not working with dynamic routing plug-in
Liberty z/OS PH14100 Out of storage condition caused by a leak in LSCL causing rc12 Reason Code 24 from BBOA1CNG
PH16940 Liberty servers abend with an ABENDSEC3 RSN=20000800 when a Liberty server is shutdown using force or similar
Security PH15518 Multiple vulnerabilities in WebSphere Application Server Liberty (CVE-2019-4304, CVE-2019-4305)
WebSphere Compute Grid PH13367 Job Partitions reported failing due to a deadlock on Java Batch Job Repository tables
WMQ messaging providers PH13286 Provide mechanism to disable 1PC optimization
Open Liberty Release fixes 
Issue/PR Description
7767 Expose JSF MyFaces Implementation classes as third-party
7849 The JWK retriever does not remove stale JWK from cache
8532 Deadlock issue when using persistence batch framework
8597 Federation of a custom UserRegistry (CUR) results in different behavior than when stand-alone
8612 export jsf-2.3 impl classes as third-party
8614 export jsf-2.2 impl classes as third-party
8736 Case TS001514963: requestTiming does not show all SQL queries
8808 OIDC RP does notHTTP Auth header as containing a valid OIDC id_token
8840 CWIML0514W occurs using uppercase group DN on getGroups
8863 Failure to parse multiple comma separated links in an HTTP Link header on a Jaxrs Response object
8886 GA Fault Tolerance - Metrics 2.0 integration
8903 When JACC is enabled, annotated role mapping is not enforced properly.
8951 OperationNotSupportedException: [LDAP: error code 53 - R000128 Filter is not supported (sdbm_search:1413)]
8979 requestTiming-1.0 feature does not work in OpenLiberty
9021 JSF File Descriptor leak in DefaultFaceletFactory
9033 Erroneous CWWKL0058W warning when multiple JARs in library have META-INF/services
9069 Web Admin Security Updates
9079 Terminate misbehaving HTTP/2 connections
Fix pack
Fix release date: 20 September 2019
Last modified: 20 September 2019
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Liberty Debug and Tracing PH15280 Leak of RACF ACEE control blocks in Liberty server
Liberty Kernel PH17088  Apache Commons Compress denial of service vulnerability (CVE-2019-12402)
PH17796 ConfigHash value in plugin-config.xml causing parsing issues
Liberty z/OS PH15877 Angel stops without detecting active Liberty servers
Security PH15505 Collectives keystore mismatch
WebSphere Compute Grid PH10566 Issues with remote partition restart if server crashes
 Open Liberty Release fixes 
Issue/PR Description
7600 social login linkedin flow is broken and needs updating
8169 ProfileManager.getImpl call ignores realm allowOpIfRepoDown setting
8219 Support direct HTTP/2
8473 webAppSecurity overrideHttpAuthMethod set to BASIC or FORM does not function
8546 HTTP/2 trailer improvements
8561 CWIML4564I informational message lists wrong LDAP server.
8647 java.lang.IllegalStateException when running Liberty wlp-webProfile7
8761 Java Batch: Remote JVM partitions not restartable after executor shutdown
8793 Custom fields not logging when using LogRecordContext and field names contain underscores
Fix pack
Fix release date: 23 August 2019
Last modified: 23 August 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
Database Access, Connection Management, Merant/DataDirect drivers PH15281 Postgres SQL Large Object API blocked
Liberty z/OS PH13341 The --clean action is ignored when WLP_ZOS_JOBNAME is set
Security PH15089 A login might be required for unprotected resources when none of TAIs processed a request
Sessions and Session Management PH13932 "Using collection QEJBASSN for session persistence." is always output with startup of Liberty servers
Virtual Member Manager (VMM) PH14786 Using non ASCII characters (ex. Chinese) in an SCIM filter fails
Web Container PH14619 ServletContext.getRealPath() should not return null for nonexistent files
Open Liberty Release fixes 
Issue/PR Description
5035 Update ServletContext.getRealPath() behavior
7521 Call Class.forName() within doPrivileged block from WASURLObjectFactoryFinder
8085 HttpServletMapping.getPattern is not correct for /* mapping
8128 Clean up URIMatcher40 and ServletWrapper
8141 Adding mpConfig-1.3 feature while the server is running does not install the configuration feature properly
8250 OIDC discovery endpoint does not emit the revocation endpoint
8252 Eclipselink: Fix bug 547173
8274 WSOC: fix a read during close timing window.
8277 login process is carried out for unprotected resources even TAI does not intercepts a request
8304 Loose application with MP Health not picking up changes after recompile - GM
8307 Error on edit for OAuth client with no secret
8339 openidconnect emits httpclient spurious log warnings for certain cookies
8346 Liberty Blocks *all* Large Object API functions for Postgres
8401 Add doPrivileged block in WASInitialContextFactoryBuilder for class look up
8449 content-length header should not be required for HTTP/2 requests
8458 Channel framework chains not closing down before timeout
8460 8458 - Loop until cfw chain is closed
8474 PushBuilder should ignore headers with null values
8482 URBridgeEntity uses NLS message key, REQUIRED_IDENTIFIERS_MISSING, which is not defined
Fix pack
Fix release date: 25 July 2019
Last modified: 25 July 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
Liberty Administrative Center PH13994 Clickjacking vulnerability in Liberty Admin Center (CVE-2019-4285)
Security PH13970 After updating to, SESN0008E errors started occurring
Systems Management Functions PH13649 Invalid command line optional parameter (--hostName) with "collective help addReplica"
Virtual Member Manager (VMM) PH13757 SCIM 1.0 returns HTTP 404 return code for user search
Open Liberty Release fixes 
Issue/PR Description
5337 NullPointerException in BridgeUtils seperateIDAndRealm(...)
6158 Pull in MyFaces 2.3.3 once it is released
7539 Federated Repositories LoginBridge does not handle output property mappings that are multi-valued
7552 JPAContainer incorrectly sets App Classloader as the CCL
7612 Scrub error response for unwanted characters
7670 IllegalArgumentException in MP Metrics from timing issue
7854 WSLogManager static fields not properly initialized in jdk7
7871 Fix NPE in WebAppSecurityCollaboratorImpl when invoking web resource using custom HTTP method
7888 socialLogin needs to produce choice menu with one provider and localAuth enabled
7920 WASReqURL cookie path is not set when the context root of an application is set to root
7984 When Auditing function is enabled, it is potential that SRVE0777E error is logged
7986 Memory leak when stopping applications
8034 NullPointerException in UniqueNameHelper.getValidDN
8096 After updating to, SESN0008E errors started occurring
Fix pack
Fix release date: 28 June 2019
Last modified: 28 June 2019
Status: Superseded

Download Fix pack
Component Security APAR APAR Description
Channel Framework PH13269 Delay ALPN init until required and free ALPN resources on connection errors to prevent OutOfMemory
Liberty Debug and Tracing PH11759 Performance drops when writing a large amount of log entries to Liberty console log
Liberty z/OS PH12644 Keys are not stored in ICSF with triple-length PCICC format
Security PH07530 A NullPointerException is thrown during SAFKeyRingNotificationMbeanImpl initialization
Web Services Security PH11031 OAuth runtime emits error when adding EXTENDEDFIELDS column many times
Open Liberty Release fixes 
Issue/PR Description
6317 JAX-RS request context modified after client request
7207 EclipseLink: Deliver Bug #421056
7433 Avoid inferring caller in LogRecord.getSourceClassName and getSourceMethodName when processing System.out calls
7440 Investigate possible difference in values between Prometheus and JSON format metrics
7632 EclipseLink: Deliver Bug #421056 pt2
7634 Session time based write option not honor small time interval
7695 java.sql.Connection's network timeout not getting set to the correct value
7831 Timing issue between deleted configuration and configuration store

Back to top                                                              

Fix pack
Fix release date: 31 May 2019
Last modified: 31 May 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
General PH11801 Liberty cannot start Java health center starting with IBM JDK
Security PH08972 Liberty on z/OS message CWWKS2934E issued during initialization is confusing when it does not reflect final status
Systems Management Functions PH11844 Joining a member to a back level controller fails when the collective uses a collective-wide ssh key
Open Liberty Release fixes 
Issue/PR Description
6095 Ability to extend the size of the log buffer beyond 8k on WebSphere Application Server Liberty Profile
6391 Building .tar.gz server package fails on Windows
7307 redirectcontextroot=true and redirected secure page causes null
7332 remoteIp "proxies" Default Regex Adjustment
7407 Better handle private headers during message deserialization
7434 NullPointerException in MethodAttribUtils.getXMLCMCLockAccessTimeout
7441 NullPointerException in AppDefinedResourceFactory
7448 NPE in LTPAConfigurationImpl.loadConfig
Fix pack
Fix release date: 3 May 2019
Last modified: 3 May 2019
Status: superseded

Download Fix pack            
Component Security APAR APAR Description
Liberty z/OS PH10537 SMF 120 subtype 11 and 12 records should report the value of cvtzcbp
PH10538 The RCVTID is not available to Java applications deployed in Liberty
Messaging Providers PH06340 Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046)
Security PI91146 Liberty runs unnecessary authentication logic when TAI is configured
Open Liberty Release fixes
Issue/PR Description
1338 invokeForUnprotectedURI triggers unnecessary authentication
5376 LdapConnection getAttributesByUniqueName() throws EntityNotFoundException for existing user
6756 Initial requests with custom method (including PATCH) fail with HTTP/2
6982 JAX-RS 2.1 Performance
6987 Redirect Scheme and Port Mismatch
7044 Externalize ThrowIOEForInboundConnections httpOptions
7052 mpFT 2.0: Circuit Breaker metrics updated incorrectly when non-failure exception thrown
7071 Outbound SSL Connection IOException
7080 FT 2.0: Circuit breaker does not correctly restrict executions when in half-open state
7083 Using Automatic WorkQueue for Async JAX-RS responses
7102 Improve BNF Header Storage
7171 inherited templated transient views raising "unable to create views" exceptions
7184 Test Failure: EEConcurrencySpecTest.testListenerInvokeAnyWithTimeout Future.get interrupted during taskDone with CWWKC1120E
7211 getManagedConnection: illegal state exception. State = STATE_INACTIVE after abort due to transaction timeout
7260 Problems with resolution of environment variables
Fix pack
Fix release date: 5 April 2019
Last modified: 5 April 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PH09834 java.lang.VerifyError on OpenWebBeans with Java 8 update 11 and 7 update 65
EJB Container PH08828 OutOfMemory in InjectionEngine cache
General PH09657 Usage Metering discards metrics on HTTP 500 response from metering service
PH12825 TransactionScoped observers do not fire
Java Message Service (JMS) PH07036 Potential Spoofing vulnerability in WebSphere Application Server (CVE-2018-1902)
Liberty Administrative Center PH06250 Accessability section 508 compliance for admin center
Liberty z/OS PH09140 Liberty server request failures after the angel process is canceled
Web Container PH08872 The servletRequeset.getContextPath() might return a different context path when using with OIDC client application.
Web Services (JAX-WS, JAX-RS) PH09634 The policy-attachments-server.xml file under WEB-INF is not processed
Web Services Security PH09651 OpenID Connect client authzParameter and tokenParameter values not updated when dynamically removed from server configuration
 Open Liberty Release fixes
Issue/PR Description
4300 DefaultExtensionProcessor file.not.found message does not contain default message that takes a parameter
6019 ApplicationManager startTimeout blocks startup when app is missing
6129 Fix Java 2 Security issues with JSPs
6246 Apply "useAuthenticationDataForUnprotectedResource" to jwtSso cookie
6255 jsonp-1.1 API dependencies incorrect
6295 ClassCastException when using binaryLog with --monitor
6317 JAX-RS request context modified after client request
6360 Filter out embedded server dependencies for Spring Boot 2.1.x
6407 Test Failure (20190101-0221):
6521 Generic types are lost in MP Rest Client and JAX-RS clients due to bug in JsonBProvider
6527 Stack overflow scheduling new ManagedScheduledExecutor task from task
6573 Application exceptions should not be wrapped in EJBException
6628 Command line variables are not working on windows
6641 ClassNotFoundException thrown during sessionPostInvoke
6659 ServletRequest.getContextPath() might return wrong value when OIDC app is in used
6668 Externalize maxOpenConnections tcpOptions
6725 Using slash slash comment in JSP expression spanning lines can get JSP error
6727 JSP slash slash comment fix
6761 Custom JAX-RS ParamConverter does not work for collection and array types
6768 Using slash slash comment in JSP expression spanning lines can get JSP error, Java7 compatible
6790 Loading classes from multi-release jars does not work
HTTP request header "If-Modified-Since" parsing fails with IllegalArgumentException if default Locale is not
6822 Automatic EJB Timer creation skipped if database tables do not exist
6868 WebContainer: make code more service deactivate aware
6951 ClassNotFoundException during JSF initialization
6953 Tolerate missing ps
Fix pack
Fix release date: 8 March 2019
Last modified: 8 March 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
General PH07896 Liberty server start hangs on "CWWKZ0018I: Starting application" when thread pool max size is set
Liberty z/OS PH08209 Add support for CICS 5.5 for WebSphere Optimized Local Adapters
PH08497 Message ICH408I is not generated when user lacks access to profile prefix in appl class
PH08753 Ship assembler DSECT that maps SMF 120 subtype 11 z/OS connect user data
Security PH08030 Changes needed in the SAFAuthorizationService API
Virtual Member Manager (VMM) PH08428 NullPointerException is thrown when creating a SCIM user with missing name
Web Services Security PH06141 Multipart/related SOAP part Content-Type issue
PH08466 OAuth introspect endpoint does not return correct issuer if OpenID Connect provider configures issuerIdentifier
PH09706 Liberty OIDC message numbers CWWKS1754 through CWWKS1759 are duplicated
Open Liberty Release fixes
Issue/PR Description
4975 Destroy of aborted connections and removal from the pool
5094 Fix NPE in servlet cleanup for WebSocket request
5833 The federatedRepositry-->primaryRealm-->defaultParents element should support multiple occurences in the server.xml
6017 Auto plugin generation is inconsistent with OSGI applications
6183 Incomplete SRVE0279E message
6273 JAX-RS clearing RuntimeContext for server side message when resource invokes a client
6287 Add default value to the remoteIp "proxies" attribute in the metatype.xml of the HTTP Channel
6298 Update WebContainer.getCacheManager() to avoid NullPointerException
6323 Invalid archive files no longer prevent apps from starting
6348 Fix 500 error when servletPath is NULL
6371 Handle exception on call to connection.abort
6381 WLP fails to rotate trace log on Windows
6408 Fix for connection wait timeout message not being translated.
6427 Connection wait time does not dynamically change to 0
6452 showPoolContents waiting connection requests value is incorrect
6490 Test Failure (20190203-0423): PolicyExecutorTest.testConcurrentUpdateMaxWaitForEnqueue
6518 Redundant log file in workarea after sever start with errror: java.lang.IllegalArgumentException: The property 'osgi.configuration.area' ... is being overriden ...
6524 SSL Channel throws NullPointerException during stress
Fix pack
Fix release date: 8 February 2019
Last modified: 8 February 2019
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
General PH02684 Add an openIDConnectClient configuration option to allow token reuse
PH07247 Unnecessary HttpHostConnectException FFDC logged for usage metering
JavaServer MyFaces (JSF) Apache MyFaces implementation PH06135 JSF 2.0 throws a NullPointerException during server shutdown
PH06389 JSF can leak JarFiles causing problems with application removal
Liberty z/OS PH05262 Calling request.login() from a servlet does not sync the ID to the thread
PH07190 It is difficult to debug problems when the Liberty server connects to a earlier angel process
PH07213 Ship assembler dsects for smf120 subtype 11 and subtype 12 records
PH07486 Liberty generic MODIFY HELP output is too verbose
Web Container PI80786 Http 500 is returned from a request with too many parent directories (forward slashes) in the url
PH05787 ConcurrentModificationException
Web Services Security PH07297 Denial of Service vulnerability in Guava (CVE-2018-10237)
Open Liberty Release fixes
3553 Set 400 status code for invalid URI
3645 User ID is not synced to the thread during HttpServletRequest.login()
4809 Remove internal designation/updates for servletPathForDefaultMapping/make servlet-4.0 default / tests
5077 3645 sync user during login
5341 Modify default ldapRegistry-3.0 read timeout to be 1 minute
5772 AppClassLoader does not correctly handle null response from ClassFileTransformers
5785 CWWKS9582E: The [defaultSSLConfig] sslRef attributes required by the orb element with the defaultOrb ID have not been resolved within 10 seconds.
5798 H2: Separate Continuation Frame Checking Between Read And Write
5862 ConcurrentModificationException happens when a web application receives a large number of requests immediately after it starts.
5963 DataSourceDefinition, ConnectionFactoryDefinition, and AdministeredObject properties should not be path normalized
5970 trackLoggedOutSSOCookies setting causing multiple login failure
5976 ConcurrentModificationException from ReferenceContext starting web application
5983 5785-orbssltimeout2-commit1
5992 JarFiles never released by JSF
6020 Fix Open Liberty Windows Service name in server.bat
6036 PollingDynamicConfig tasks can be leaked
6042 Hot update broken in
6058 Invalid connection pool Prometheus metric format (monitor, mpMetrics)
6073 OL server package does not package loose application as war
6113 Pull MYFACES-4251 to JSF 2.3
6123 Trace Specification logging level "off" does not work
6152 NamingException masked when listing entries in a JNDI context
Fix pack
Fix release date: 14 December 2018
Last modified: 14 December 2018
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
DynaCache PH02049 Cross-site scripting vulnerability in cache monitor (CVE-2018-1767)
General PH02212 Application with CDI 1.2 in Liberty fail to start
PH02361 WebSphere Liberty OIDC client implementation is proxy-unaware
PH02742 NPE when doing direct forward operation
PH02750 java.lang.classCastException occurs in OidcClientImpl.logout
PH03409 Seemingly erratic thread pool growth during low or no-load situations after upgrading to
PH04652 WebSphere Application Server Liberty for z/OS provides no metrics for usageMetering-1.0
PH04653 Updated CPU limit (--cpus) not recognized by usage metering feature
PH05071 JVM hang when calling GarbageCollectorMXBean.getLastGcInfo for usageMetering-1.0
PH06256 CWWKS1739E: A signing key required by signature algorithm [RS256] was not available when upgrading to
PI97786 eclipselink throws "argument type mismatch" for jpql case expression
PI99263 ServletContext.getRealPath() returns null for resource in extended document root
Install V8 and above PH03040 Fixpack cannot be installed on IBM i
PH04137 Updating WebSphere Liberty for z/OS to fix pack fails with NullPointerException
JavaServer Pages (JSP) PH02063 Potential security bypass in WebSphere Application Server with Expression Language library (CVE-2014-7810)
Liberty z/OS PH02955 Unable to use SAF Keyring for collective SSH communication
PH03549 When the zosWlm-1.0 feature is enabled. the health indicator of the server is only ever set to 2 percent
PH03768 EntryNotFoundException SAFGRP is not a valid group
PH04243 EC3 abend reason code 20F00600 occurs after a 422 abend
PH04282 Error authenticating when Liberty server tries to connect to a back-level angel process
PH05100 OutOfMemory failure in Liberty under CICS when connected to an angel process
Messaging Providers PH00027 After migrating to WebSphere Application Server V9, the CWSID0046E error is seen in the logs
Systems Management Functions PH03232 Incorrect server state reported in a multicontroller collective
Virtual Member Manager (VMM) PH02811 Privilege escalation vulnerability in WebSphere Application Server (CVE-2018-1901)
PH04136 Attempt to create user in SCIM returns 500 HTTP status code with DefaultParentNotFoundException message
PH04147 Attempt to update user ID in SCIM returns 500 HTTP status code with IllegalArgumentException message
Web Services (JAX-WS, JAX-RS) PH02234 Issue when processing the caller token for UsernameToken
PH03014 A property is set in the RequestContext but the interceptor does not read this property resulting in a NullPointerException
Web Services Security PH03004 CWWKS1721E: The resource server received an error it was attempting to validate the access token z/OS Connect EE
PH05414 OpenIdConnect client subject might not contain Id Token
WebSphere Compute Grid PI87244 Firewall prevents the Liberty Java batch tool from displaying job logs

 Open Liberty Release fixes

1438 JAAS login module shared library is missing protection domain
2663 PH00738 Session scoped beans are not updated in the database when liberty is configured to only persist updated session attributes
3113 ArrayIndexOutOfBounds in LdapConfigManager.setFilters()
3919 Future does not return immediately when timeout fires when using timeout with Async
4132 full tmp dir prevents server from reading server.env during startup
4135 Pull in MyFaces 2.3.2 once released
4202 Migration of JMS delivery delay.
4332 Need to fix first line of output from Liberty JSON log format to actually be JSON
4535 LogRecordContext API is missing from /wlp/dev/api/ibm jars
4760 Expose a couple of packages to the thread-context in jsf-2.3
4792 Fix BundleContext is no longer valid error on server shutdown
4853 Provision compatible javax.annotations API for SpringBoot applications
4873 Allow CXF-specific client properties for the JAX-RS 2.X Client APIs
4898 H2: fix some HTTP/2 code and test issues uncovered by further parallel stream stress testing
4912 Fix missing doPriv in unwrap
4913 JSR375: When JASPIC is enabled, a login panel pops up even EVERYONE role is assigned
4955 Externalize multiple httpOptions
4960 Faces servlet mappings defined in web-fragment.xml do not work - jsf-2.2
5045 Add a recursion counter for messagehandlers into BaseTraceService
5076 NullPointerException in ClassLoadingServiceImpl
5088 SpringBoot applications fail to start when a non jar file is in the library directory

Fix NPE in servlet service which may happen when WebSocket is used

5114 Test Failure (Liberty - Mac EBC - 20180915-0112): PolicyExecutorTest.testStartTimeout
5126 HTTP/2 engine must tolerate priority frames received in any state and better handle flow control problems
5149 update openidconnect client way of sending credentials to userinfo endpoint
5154 Flush queued actions when an app is removed
5164 /metrics output got truncated on Japanese locale
5244 MYFACES-4252 Classpath._searchDir can throw NullPointerException
5277 Fix Java 2 Security access issue in kernel DefaultFileStreamFactory
5293 Deadlock in ZipFileArtifactNotifierImpl
5339 H2: Fix race condition in multi-stream writing logic
5345 Improve our serviceability around page search and chasing referrals for Ldap
5363 MP Rest Client does not honor MP Config-specified providers
5383 Occasional HTTP/2 MessageSentException: Message already sent
5395 SSL config not used by RestClient
5425 JAX-RS Client does not pool HTTPS connections
5428 Fix bug in server package server-root command
5441 JMSContextInjectionBean uses deprecated CDI method
5453 Microprofile appProperties element not showing up in schema
5465 Pull MYFACES-4260 to both jsf-2.2 and jsf-2.3 features
5483 release bug: implement PH02361 in development stream
5498 When using advanced connection manager property numConnectionsPerThreadLocal and connection fail during cleanup, the connection managers connection pool may fail to remove failing connections resulting in no connections being available.
5510 Deliver fix for CVE-2014-7810
5557 OpenId Connect clients might exhibit a thread leak
5560 MessageSentException intermittently during flushBuffers
5585 EJB timer ScheduleExpression serialization incompatibility
5590 Failed to createMinimumEscapeHandler for unknown jaxb class
5637 Expose jsf 2.3 org.apache.myfaces.push.cdi to thread context class loader
5647 Fix --include default to have /usr for server and shared folder
5779 Too many threads during low-load operation
6002 CWWKS1739E error may occur when using OpenID Connect in
Fix pack
Fix release date: 21 September 2018
Last modified: 21 September 2018
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
General PH00304 The maximum connections setting of a data source's connection pool is not  always honored
PH01447 Improvement to SSL Closing Handshake
PH01499 APAR for OLGH4402
PH01610 Application fails to start due to JAXBEXCEPTION after upgrading to
PI99176 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1683)
PI99600 AccessControlException thrown when connecting to Health Center with Java 2 Security enabled
PI99672 Remove the first_rows hint from Oracle V10+ pagination queries
Intelligent Management Component PH00735 Null Pointer Exception when HTTP or HTTPS ports blank in server.xml
Java Persistence API (JPA) PH01681 Then and else expressions should be case result instead of case operand type
Liberty z/OS PH01179 Duplicate entries of the BBGZSCFM module are listed in the output of IPCS LPAMAP
PI96910 ICH error messages are not issued during Liberty startup when checking for access to BBG.SECPFX.* and APPLl profiles
PI97659 Display memlimit value and source as well as region information in Liberty log at startup
PI98758 Setting enablefailover to false for the safregistry can produce misleading messages if authorized services are not available
PI99411 The Liberty message log DD is not configurable
PH01295 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755)
PI97676 Message CWWKS1100A may be misleading
PI99285 User login fails when configuring zOS mapDistributedIdentities
Systems Management Functions PH00435 Collective controller logs NoSuchElementException from LivenessMontiorV2
PH00566 Member should fail over after continuous 2 minutes sendHeartBeat failure
PH00730 The unnecessary information should not be generated in repository dump file
PH00926 Collective repository dump should include non-sensitive host and jmx auth information to help diagnose issues
Virtual Member Manager (VMM) PH00881 SCIM does not return paged results for requests that do not include the 'count' parameter
PH01668 SCIM incorrectly returns 500 on MaxSearchResultsExceeded
PH01863 SCIM updates to users can result in attributes being marked for deletion that were not designated for deletion by the request
PI99257 Requests to SCIM to retrieve a resource by ID that do not include an ID result in an 500 HTTP status code
PI99317 Request to SCIM "groups/{ID}" endpoint specifying "members" attribute does not return the group members
Web Container PH00448 A CWWKE0702E message is printed when the webCache-1.0 feature is enabled
Web Services (JAX-WS, JAX-RS)
PH00401 Potential man-in-the-middle attack in WebSphere Application Server Liberty for JAXWS(CVE-2018-8039)
PH01221 Potential man-in-the-middle attack in WebSphere Application Server for JAXRS (CVE-2018-8039)
Web Services Security PH12959
OAuth provider does not update settings in the consent cache
PH03418 Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty (CVE-2018-1851)
PI95405 Liberty may not find key in JWK by x5t
WebSphere Compute Grid PH02256 File access exceptions when running a Java Batch application with syncToOSThread enabled

Open Liberty Release fixes

2489 Global error when there are no registries available (Ldap,etc) for VMMService
2659 Capture security context from Java Batch thread when syncToOSThread is enabled
3422 Check for override of default configuration and ignore
3489 MP Rest Client does not use Liberty SSL config when making outbound requests
3522 Update Xalan library
3853 basicRegistry-1.0's 'ignoreCaseForAuthentication' attribute does not apply to getUsers(...) method
3952 Add global error when user registry is not found
4002 Incorrect CWWKZ0022W messages printed with VirtualHost Usage
4016 Quiesce should not be blocked by application start
4028 Liberty startup issues with Arabic locale
4040 Make RC consistent for starting liberty as a Windows Service
4044 Server failure before framework startup can leave JVM running
4158 Need to squelch "Could not obtain lock" errors appropriately
4186 Need to improve config dropins processing
4203 In an IllegalArgumentException can occur when "maxParamPerRequest="-1"
4211 Java 2 security issue in org.apache.cxf.transport.https.HttpsURLConnectionFactory
4244 Add global error when user registry is not found
4272 When a thread is interrupted waiting for a connection from the connection manager, maximum connections will be decremented.
4275 NPE in JAXRS client when OpenTracing is included
4310 Spring boot application deployment in Liberty throwing Class cast exception
4341 PageControl's 'startIndex' is not honored when 'size' is greater than results
4345 Add doPrivileged code for InetAddress related activity in messaging
4346 Add doPrivileged code for InetAddress related activity in IIOP
4368 ConcurrentModificationException when a JAXRS API has multiple consume and/or produce MediaTypes
4392 Fix server hang issue when variable is incorrectly specified
4402 Format problem with logs when traceFilename=stdout and traceFormat=ENHANCED / BASIC
4462 NonPersistent EJB timer dying if timeout throws exception on last retry
4465 RejectedExecutionException: Trigger.getNextRunTime: null creating EJB timer
4505 SSL Closing handshake improvement
4521 Install kernel does not throw exception if already installed features are specified again with a different capitalization
4530 Install kernel map installs features without wlp/bin and wlp/dev contents
4531 ManagedScheduledExecutor tries to run tasks during server shutdown
4550 Injection race condition in JAX-RS during startup
4609 Maven features should provide transitive dependencies for stable API, third-party API
4619 PersonAccount's and Group's get(String), isSet(String), and unset(String) methods may throw NullPointerExceptions
4666 Correct getServletPath for default mapping
4712 release bug: mpjwt JsonWebToken.getAudience() return type noncompliant with spec when no audiences present.
4717 Update Yoko to favour CSI endpoints
Fix pack
Fix release date: 29 June 2018
Last modified: 29 June 2018
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
Contexts and Dependency Injection (CDI) PI92477 WELD-2447 ClientProxy serialization support should be container agnostic
PI95074 WELD-2466 null pointer exception in webservice calls
DynaCache PI94514 NullPointerException occurs using a MetaDataGenerator
EJB Container PI95215 MessageEndpoints are notProperly released
General PI95821 StabilizeProduct Insights Enablement
PI96187 Update bluemixUtility command for data sovereignty regulations
PI96735 Access log "maxfiles" attribute not working as intended with value of 0
PI97234 APAR for OLGH2631
PI99031 Garbage collection events not captured by logstashCollector-1.0 for IBM Java 8 SR 5 FP 6 and above
Intelligent Management Component PI92330 CWWKS2910 error when using dynamic routing in Liberty on z/OS with SAF security
Java Persistence API (JPA) PI92847 JPQL with trim is not handledProperly and it results in DatabaseException
PI93064 EclipseLink throws ORA-00932 for CLOB fields in an ElementCollection
PI94027 EclipseLink JPQL generation for nested arrays with 'in' expression
PI95283 EclipseLink InsertObjectQuery concurrency failure
PI95766 db representation of boolean values withPostgres is incorrect
PI97483 Eclipselink re-sorts insert and removes statements within a transaction
PI97786 Eclipselink throws "argument type mismatch" for JPQL case expression
JavaServer MyFaces (JSF) Apache MyFaces implementation PI93972 Classloader issues in JSFExtensionFactory can cause NPE
PI94947 Update of composite component within ui:repeat does not work
Liberty Administrative Center PI98574 If Liberty Admin Center was accessed via reverseProxy,the Liberty server made an unnecessary request back to theProxy server
Liberty z/OS PI82554 WebSphere Liberty AngelProcess does not identify its version and fix pack level during start-up
PI90719 Command line script to detect if commandPort is enabled, for use duringPause/resume request
PI93922 SMF120-11 timeused and starttime is only set for a forwarded servlet
PI95864 Specifying an angel name of "" for the server does not register server to default angelProcess
PI96813 It is difficult to automate WebSphere Liberty from messages on the z/OS console
PI96954 Liberty on z/OS memory leak in 64bitPrivate due to native DirectByteBuffer support
PI97611 ABEND0C1 in ntv_getAngelVersion with WebSphere Liberty version
Security PI89624 CWWKS4106E: LTPA configuration error in Liberty
PI95717 suppressUncoveredHttpMethodWarning configuration does not work
PI96014 Authfilter in Liberty not matching when multiplePaths are defined
PI96597 There is an issue with the cache
Systems Management Functions PI95994 Deploying docker container as liberty collective member failed with error "already appears to be a member."
PI97924 Improve the error handling of a Collective join command using sshPrivateKey option
Virtual Member Manager (VMM) PI96814 SCIM returns HTTP status code 500 whenPassed an invalid filter
Web Container PI93226 SRVE0266E : Error occured while initializing servlets:java.util.ConcurrentModificationException
Web Services (JAX-WS, JAX-RS) PI97288 Attachments behavior change in Liberty after migrating from tWAS
Web Services Security PI94599 Intermittent NPE in SocialLogin feature when a running server is reconfigured
PI96012 Client authentication JWTS require "sub" claim
PI96884 Information disclosure in WebSphere Application Server Liberty (CVE-2018-1553)
WebSphere Compute Grid PI90716 Liberty z/OS CWWKY0035I: An exception occurred while trying toPersist job java.lang.IllegalStateException: no match found
PI90961 Liberty on z/OS: Batch JMS dispatcher change to lazy access of connection factory
PI93514 JobPurge request deletes the batch db records even when the executor JVM is stopped
PI98247 After batch events config change,atchManagerZos hangs waiting for job completion; batch job log events notPublished correctly
PI98295 The dispatch (JMS) message for a stopped job can, if later consumed, cause a later restart execution of that job to fail.
PI99138 Repeated delivery of Batch job dispatch JMS message resulting in ClassCastException each time

Open Liberty Release fixes

1261 LDAP registry with global class mapping in groupMemberIdMap adds "objectclass=*" to Group searches
2792 On restart of a Java Batch job, deserialization fails when checkpoint objects contain array type fields
2877 JSP engine unable to find tag files within loose JAR file
3045 Send and receive Strings in SIB messages using strict UTF8
3102 In, the minify option is not making the runnable JAR package any smaller
3103 Access Log "maxFiles" attribute not working as intended with value of 0
3106 Kernel Service MBeans not properly exposed
3127 Federated repositories does not restrict the names of extended properties
3132 Package `` is not exposed as IBM-API
3140 Default app classloader ProtectionDomain set by common libraries
3160 AsyncIO native direct ByteBuffer leak
3198 Avoid full deserialization within ObjectMessage.toString()
3226 NullPointerException from EJSContainer.postInvoke() method
3233 Close streams for repositories represented by a single JSON file
3248 Add mapping of all JSP files in web module into the generated_web.xml
3280 Test Failure (20180420-0319): LoadTest.testCommitAndRollback RuntimePermission denied for WSJdbcTracer invoking newProxyInstance
3383 ldapRegistry-3.0 does not configure a read timeout for JNDI connections
3490 PI96086 - Nested EJB Async method calls not honoring nested get(timeout, unit) timeouts
3520 suppressUncoveredHttpMethodWarning does not work
3533 Redeploying WABs leads to OutOfMemoryError
3577 fails with IllegalArgumentException when client built with input containing a template variable
3578 Batch runtime should only transition to InstanceState.JMS_CONSUMED from JMS_QUEUED state.
3700 java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc.PgPreparedStatement.getLargeUpdateCount is not yet implemented.
3739 Failure to load JPA PersistenceServiceUnit used by Batch feature using V2 version of JobInstance entity.
3752 Connection leak if failure occurs while managed connection is being constructed
3779 Update EclipseLink binaries from 2.6.6.WAS-3e5c71a to 2.6.6.WAS-0ab4033
3785 Security exceptions thrown when trying to use IIOP with Java 2 security
3851 JAX-RS Client APIs fail when attempting PATCH method over HTTPS on IBM JDK
3889 Validate paths within WAR files

Back to top                                                  

Fix pack
Fix release date: 16 March 2018
Last modified: 16 March 2018
Status: Superseded

Download Fix pack            
Component Security APAR APAR Description
General PI93106 Product insights attempts to send usage after failed registration
Java Persistence API (JPA) PI92398 Under certain conditions OpenJPA can insert an embeddable into the Datacache map
PI95871 Wrong context Classloader in org.apache.openjpa.enhance.pc
JavaServer MyFaces (JSF) Apache MyFaces implementation PI87954 Hung thread issue in MyFaces _getMetaDataTarget
PI90391 Fix bug MyFaces-4045 in IBM myfaces implementation
Liberty Administrative Center PI93411 Saving changes to member's configuration files via Admin Center's Server Config tool get applied to the controller instead
Liberty Kernel PI94763 Fileupload causes NullPointerException on getHeader() call
PI94116 Open Liberty rollup for
Liberty OSGi Application PI88291 Slow start of the web services and error during the startup of the services
Liberty System Management PI92311 Memory leak in liberty swagger library during application stop/start
Liberty z/OS PI91275 Add an informational message to WebSphere Application Server Liberty on z/OS logs to indicate which angel process is used
PI91511 SMF 120-11 UserData added from a filter does not show up in the final SMF record
PI92070 WebSphere Application Server Liberty on z/OS WOLA CICS link server fixes for RTXSYS and RTX parameters
PI92171 An intermittent performance degradation is observed with CICS v5.4 and Liberty compared to Liberty
PI92868 WebSphere Application Server Liberty on z/OS crash in CICS BBOATRUE during shutdown when embedded Liberty servers are at a mix of and
Security PI86784 Enable the function of enforcing URL hostname verification as an attribute on the ssl element of server.xml
PI90980 Potential spoofing vulnerability in WebSphere Application Server (CVE-2017-1788)
PI91500 GetUserPrincipal().getName() returns garbled user ID on
PI92764 Message CWWKS3005E issued when a Federated repository is configured
PI94094 SAF API doc missing from Javadoc package in Liberty
Sessions PI93474 Remove SessionManager instance when application is stopped
Systems Management Functions PI92781 A Liberty collective controller sometimes logs a NullPointerException
PI92828 Liberty collective intelligent management features may fail to function correctly intermittently
Web Container
PI90804 Security vulnerability in Apache Commons FileUpload used by WebSphere Application Server (CVE-2016-1000031)
PI92334 Application class loader is not set correctly in a thread during an async operation
Web Services (JAX-WS, JAX-RS)
PI92494 Potential denial of Service in WebSphere Application Server Liberty for JAXWS(CVE-2017-12624)
PI92886 Policy attachments not working as expected
Web Services Engine PI92386 High CPU usage on Liberty when using IBM JDK
Web Services Security PI88321 Liberty always honors RelayState during IdP-initiated SAMLWeb SSO
PI93303 CICS_REGION_BUT_API_DISALLOWED surfaces using OAuth-2.0 feature
PI93579 exp' is earlier than the 'iat' in OIDC token
PI96273 Some 404 and 500 errors in OAuth or OpenID Connect might expose configuration information

Open Liberty Release fixes

Issue/PR Description
Add stop command to readme file
Informative error message for collision with reserved resource adapter ids
Challenge when using request.authenticate with BasicAuthenticationMechanismDefinition
LDAP paging failure recovery reuses cookie when switching failover servers
Improve CDI performance by not loading too many classes
Readd ability for hot replace for trace injection for IBM Java
MyFaces-4045 JSF 2.2 flow reentrancy fix
RememberMe cookieName needs to support EL expressions
Corrections to AnnotationTargetsImpl_Targets.isInstanceOf
Fix Java 2 Security problems with Bean Validation 2.0 code
Pull in MyFaces-4177 to JSF 2.3
Fix for resetting autocommit for non transactional datasources
Grant Hibernate validator accessPrivateMembers permission by default
Channel.ssl FFDCs thrown during server shutdown
Description of runIfQueueFull should refer to relation with maxPolicy
Pull in MyFaces-4066 to JSF 2.3
Fix and test issue where a connection error occurs on a free connection
Fix JPA 2.2 Bindings Files
Bean Validation CDI extension fixes
Pull in MyFaces-4176 - Search expression fails to resolve component outside of form
PI91306: UriInfo.getMatchedResources() does not return resource class information
Update EL handling in database and LDAP identity stores
PI87504: JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Release JACC policy context in post invoke
Try to remove an existing SAF map before adding one
Update Bean Validation 2.0 descriptions to mention providers used
Thread context propagation for managed completable future
In beans.xml, element causes ProcessAnnotatedType<> events to not fire
Cannot register a second (synchronized) handler with an already active logging source
ConcurrentModificationException when both Console and Message JSON handlers are configured
If the command port is disabled when issuing a pause or resume request from the server script, issue a message saying so
Fix Java 2 Security errors in LogUtils by ensuring getClassLoader calls are in doPriv
Improve synchronization mechanism between BaseTraceService and MessageLogHandler
Property not honored
Fix NPE that may occur when multiple CDI-injected servlets are specified in the web.xml for a JAXRS application with load-on-startup specified
Fix IOException not closing socket
Fix JSF _ComponentAttributesMap performance issue
Address CVE-2017-1000208 vulnerability in Swagger Parser for MicroProfile OpenApi
Improve performance when JAX-RS applications are updated
Web binding overrides are not properly recognized with autoExpand apps is enabled
Fix exception when parsing faces-config-extension element
Cannot use app-defined for Bean Validation
SQLServer JDBC driver not recognized when defining a dataSource on
Fix for JDBC getClass().getInterfaces() method calls
Fix NPE in EJBAsyncRuntimeImpl.modified when updating asynchronous config
Fix BundleException Cannot connect region 'system.bundle' to itself
ServerEndpointControlMbean returns true when isPaused is called with an empty target
Resource.getRequestPath returns incorrect path in JSF 2.3
JDBC pool manager must avoid caching values obtained from the managed connection factory
Fixed JASPIC error and exception messages
Fix Java 2 Security errors related to JAX-RS getServiceReferences() and getService() methods
Fix context class loader in servlet async dispatch or runnable
Make consoleLogLevel default to an env variable setting first
Fix NPE that could occur during MyFaces validation
AccessControlException from JAX-RS 2.0 when servlet filter is used
No longer WARN on 404 Not Found
Fix writing of single-file-repositories
PushBuilder.push error conditions updated
AccessControlException from the EL API when using JSF 2.3
Java 2 Security issues in batch-1.0 feature
WebSockets for non-secure BASIC_AUTH adhere to session invalidation
Avoid overwriting updates made to the session cache by another thread
Implement HttpServletResponse.getTrailerFields()
PI93226: ConcurrentModificationException during application startup
Fix Java 2 Security issue with package minify
Remove SessionManager instance when app is stopped
Update HttpServletResponse setTrailerFields error conditions
Ensure header names are non empty and accept empty header values
Retrieve all values on multi-valued LDAP properties
Return the correct HttpServletMapping during include, async and when using a named dispatcher
Fix org.apache.myfaces.flow.cdi.FlowScopeBeanHolder incompatible across versions
Handle null/empty contracts in JAX-RS Client.register(...) calls
Fix for garbled User Principal when binary data is retrieved from registry
Throw IllegalStateException in SseEventSink.send when SseEventSink is closed 
Fix batch runtime table version determination
Close JAX-RS sink on exception
Fix ConcurrentModificationException during app startup
Product information for replaced products should not be displayed
Issue warning message when it is determined security not present
Fix ConcurrentModificationException during app startup
Fix JSON output of JSON console (remove duplicate basic messages and abide by consoleloglevel)
Fix java.lang.NullPointerException in AccessLogger
Fix NPE that can occur with certain logging configurations

Back to top

Fix pack
Fix release date: 21 December 2017
Last modified: 21 December 2017
Status: Superseded

Download Fix pack
Security APAR
EJB Container
PI89936 Vulnerability in Apache Commons affects EJB Embeddable Container and JPA Client (CVE-2015-7450)
General PI80333 Support CPU constraints in ProductInsights
PI82233 Non-daemon threads are created with remote EJB using the IIOP transport
PI82510 Liberty appserver automatically decompresses the bodies of incoming http-soap messages
PI82557 TCP Channel access lists not documented
PI84016 OpenJPA orm.xml default schema used over 'openjpa.jdbc.Schema' property
PI84349 Liberty Oauth 2.0 may encounter a SQL syntax error for the option "LIMIT" during cleanup
PI84428 ArrayIndexOutOfBoundsException from OpenJPA for query on EmbeddedId
PI85402 EclipseLink does not recognize Java 9 platform
PI86208 Cannot decode IOR due to ClassCastException
PI86321 Liberty OpenID Connect Relying Party does not handle large id_tokens in implicit logins
PI86840 Eclipselink generates sequence IDs incorrectly for @EmbeddedId classes that are shared across multiple entities
PI86914 Correct mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
PI87557 Null pointer exception when TAI returns NULL TAIResult
PI87565 OutOfMemory issues from webcontainer component WebComponentMetaDataImpl
PI88051 Application reload when a JSP file under WEB-INF is updated
PI88485 The groupProperties membershipAttribute does not work when filters exist
PI88618 CWPMI0010W was found in the messages.log
PI88620 Performance degredation when federating SAF registry
PI89003 Help tet for the BatchManager listJobs command is unclear
PI89041 FFDC java.lang.IllegalStateException: Module has been uninstalled. occurs when dynamically configuring Liberty
PI89278 Incorrect value of FreeConnectionCount
PI89446 Product Insights throws NullPointerException
PI89584 Certain early startup and product script messages are not properly translated into non-English languages
PI89672 OutOfMemoryError in ArrayList containing objects of type
PI90013 30 second delays for remote EJB when running as a collective member
PI90154 BluemixUtility fails to create/delete instances of Watson Discovery service
PI90282 CWWKB015E IWMEJOIN return code 2,135 during servlet read listener
PI90699 ProductInsights errors after resuming from 'sleep' state
Java Persistence API (JPA) PI80863 Issue with the way OpenJPA caches and reuses query parameters for BETWEEN expressions when OpenJPA's QueryCache property enabled
PI81260 OpenJPA does not pass-through SSL connection properties that set using openjpa.ConnectionProperties when creating Db2 connection
JavaServer MyFaces (JSF) Apache MyFaces implementation PI88288 jsf-2.0 MyFaces error handling cannot be enabled in production project stage
PI88850 High CPU issues from org/apache/myfaces/
PI89168 Protected-view not working in Liberty
PI89363 ProtectedViewException for a protectedview access while checking the OriginJeader for appContextpath
PI90507 Instances of action listener in a FaceLet are not being removed until app shutdown
PI90509 Fix for MYFACES-3752
Liberty Application Services PI69483 Removing IBM-App-ForceRestart header causes applications not restarted
Liberty Kernel PI90930 Open Liberty Rollup for
Liberty z/OS PI86596 Removal of possibly misleading FFDC z/OS liberty Async Servlet support
PI90060 Messages occurring very early at startup are not printed to the MVS console when requested in the zosLogging configuration
PI90429 When starting a Liberty server as a started task on z/OS from the server script there is no option to specify a job name
Performance Monitoring Tools PI81367 java.lang.ClassNotFoundException dumped in the FFCD log file when PMI monitor feature is enabled
PI87599 ConnectionPoolStats MBean was not available if enabled the trace with*=all
Security PI88769 Liberty is throwing ClassCastException when calling ibm_security_logout with Extreme Scale feature enabled
Session Initiation Protocol (SIP) Container PI78794 The SIP Container fails to parse a message when the size exceeds 2048 bytes and double CRLF is sent before the message
PI79119 With number.of.parse.errors.allowed set to -1 WebSphere drops well formed requests
Systems Management Functions PI81552 Application state becomes stale at the Liberty collective controller
PI83274 Incorrect collective member status shown in Admin Center
PI88296 Password protected ssh keys cannot be used for remote host authentication
Web Services Security PI84359 OIDC WASReqURLOidcp cookie constantly grow when LTPA token expired
PI89103 OpenSAML used by WebSphere Liberty contains XML external entity (XXE) vulnerability (CVE-2013-6440)
PI89575 LTPA cookie is not created in certain single sign-on scenarios
WebSphere Compute Grid PI88583 In WebSphere Liberty 17.0.0.x Java batch executor fails with CWWKS0800E error

Back to top

Fix pack
Fix release date: 17 October 2017
Last modified: 17 October 2017
Status: Superseded

Download Fix pack
Security APAR
Dynamic Cache PI78148 SRVE0014E from servlet caching
PI78552 DYNA1064E is logged on some dynacache APIs when the underlying cacheprovider does not support disk caching
EJB Container PI87472 EJB remote injection fails with NPE if ORB not yet available
Federated Repositories PI05723 Handle long data type from VMM for extended properties
PI79440 NullPointerException in URBridgeXPathHelper.getExpression()
PI79452 NPE in LdapConfigManager.getSupportedProperties()
PI81497 When one base DN is the subset of another in a federated repository, LDAP failures occur
PM95697 LDAP contexts getting leaked after first connection exception
General PI77400 BBOA1INV Fails with RC = 8 RSN = 44, FFDC invalid group name returned
PI80363 Allow configurable maxFieldLength in the logstashCollector
PI80397 Remote EJB call with the same object in multiple arguments fails
PI80932 WSCredTokenCallbackImpl class is not visible to applications
PI81056 Liberty server needs to retry starting the TCP channel after error CWWKO0224E due to hostname resolution error
PI81124 Closing websocket session throws NullPointerException
PI82101 Task retry not immediate after XAResource rollback
PI82109 Provide support for CICS 5.4 in WebSphere Optimized local Adapters
PI82218 JAX-RSResponses contain unnecessary Cxf-Content-Language header
PI82296 AsyncContext.comple() fails when called from a readListener
PI82327 java.lang.RuntimePermission error when destroying an upgradeHandler
PI82364 For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
PI82556 AppSecurity-2.0 does not include trustAssociation in Liberty
PI82672 productInsights does not register embedded WebSphere
PI82684 During server shutdown, if ProductInsights is trying to complete its first registration it may not cancel all of its tasks
PI82994 filenotificationmbean may not notify the listener
PI83111 Monitor function of AdminCenter does not display the correct value of "used connections"
PI83159 JAX-RS resource methods report as not found when using scientific notation as path parameters
PI83439 ClassCastException thrown when using remote EJBs in servlet with parent-last classloading
PI83516 Using reference-listener along with service factory causes TransactionManager errors
PI83682 ProductInsights not reporting used JVM memory correctly
PI83713 Path template variables in JAXRS 2.0 do not support scientific notation
PI83901 The context ClassLoader is not getting set properly when loading CDI extensions at app startup
PI84036 JAX-RS Client must access endpoints via authenticating proxy
PI84083 Usage data is not queued if connection to Bluemix Product Insights host fails
PI84327 WebSphere Application Server Product Insights does not send in group name translations
PI84487 Certificate login does not work with custom user registry on Liberty
PI84842 The application's classloader is leaked when restarting the app
PI85373 Open Liberty Rollup for
PI85490 Deadlock caused by WsLogManager and SIB trace code
PI85492 Commit of HTTP response in render_response(6)
PI85683 Register Windows service and start/stop service for Liberty fails if it is installed in directories names with a space
PI85783 Accumulation of org.apache.cxf.transport.http.osgi.HTTPTransportActivator objects
PI85910 OIDC does not recognize x5c tag in JWK
PI86198 Inconsistent aliasing between --jobParameterFile and --jobPropertiesFile in the batchManager and batchManagerZos CLI
PI86443 Use of the JAX-RS multipart media type results in a java.lang.ClassNotFoundException:
PI87119 NullPointerException caused by external port component configuration
PI87467 CDI injection into JAX-RS classes is broken when using multiple apps and one app is not CDI-enabled
PI87504 JAXRS server response does not contain a servlet exception when an unmapped checkedException occurs
Install V8 and above PI88170 Block installUtility/featureManager install userFeature '--to=core'
Java 2 Connectivity (J2C) PI82859 Incorrect value of connectionPoolstats
PI86100 Intermittent sharing scope for data sources being created at the same time on two different threads
PI87470 Unable to install resource adapter using loose configuration file
Java Message Service (JMS) PI81329 NCSA access logs %B option output displays "-" instead of the size of the response in bytes
PI81864 ConcurrentLinkedList tailsequencenumberlock garbage collected
Java Persistence API (JPA) PI77555 Eclipselink scrollable cursor results in a ClassCastException
PI80863 OpenJPA caches and reuses the query parameters for BETWEEN expressions when OpenJPA's query cache is enabled
PI81260 OpenJPA does not honor SSL connection properties for DB2
Java SDK PI85250 Hung thread issue in myfaces _getMetadataTarget
PI86494 Messages returned from JSF APIS are in the incorrect order
JavaServer MyFaces (JSF) Apache MyFaces implementation PI82893 JAVAX.FACES.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL value affects display behaviour for required fields
PI87299 Information disclosure in Apache MyFaces affects WebSphere Application Server (CVE-2011-4343)
PI87300 Information Disclosure in WebSphere Application Server in JSF (CVE-2017-1583)
JavaServer Pages (JSP) PI82529 HTTP transport encoding CP943C is used for JSTL params
PI83486 StackOverflowError generated due to the JSP TabLibraryCache recurses into loadWebInfMap with the value "/WEB-INF"
Liberty Application Services PI87139 Configuration updates blocked by application restart
PI87468 Schema lists invalid attributes for resource adapters and EJB applications
Liberty Debug and Tracing PI83872 NullPointerException in MultipleCriteriaFilter when retrieving logs from Liberty binary log
Liberty Kernel PI87138 Synchronization in ConcurrentServiceReferenceElement creates a performance bottleneck
PI87471 Potential NullPointerException ServerXMLConfiguration.parseDirectoryFiles
PI87480 AccessControlExceptions in Liberty kernel code
Liberty System Management PI85828 Correcting algorithm for collective deployment using a local file
Liberty z/OS PI78510 .pid directory created with wrong permission settings
PI78787 WOLA ACEE copied from CICS invalid for TSS
PI79017 z/OS connect cannot read request that came in with transfer-encoding=chunked
PI79034 For products that embed Liberty, some do not take effect at server startup
PI82088 Prevent Error loop when TDQ is unavailable for write
PI83503 WebSphere Liberty servers with zOS connect failing to start with abend 0c4 in wolanativeutils.ntv_activatewolaregistration
PI85520 Message CWWKO0229I is not issued when asynchronous I/O is configured
Messaging Providers PI83027 Default threadpoolstats data cannot be retrieved due to InstanceNotFoundException
Performance Monitoring Tools PI80861 The Japanese translated message for TRAS0115W is incorrect
Security PI73345 Distributed identity mapping not working in Liberty z/OS
PI84335 PasswordUtil API classes are not packaged in a separate PasswordUtil.jar file
PI84597 Liberty z/OS trace includes unnecessary information
Servlet Engine/Web Container PI81052 JSF portlets may not be able to obtain a session ID
PI88642 Information disclosure in WebSphere Application Server (CVE-2017-1681)
Virtual Member Manager (VMM) PI79223 In Liberty VMM user registry cannot get groups for user from LDAP
PI81923 LDAPRegistry contextPool defaults do not match documentation
PI81954 LDAPRegistry attributesCache and searchResultsCache default timeout set too low
PI85208 LDAP registry cache is not used in some cases to retrieve cached attributes
PI85213 Federated repository may not use UniqueGroupIdMapping outputProperty when calling userRegistry.getUniqueGroupID
PI85214 Federated repository passes internal properties to customRepository implementations
PI86719 The LDAPRegistry contextPool timeout setting does not timeout after the configured time
PI87461 Federated Repositories is returning principal name instead of unique name for getUserSecurityName
PI87466 ArrayIndexOutOfBoundsException is thrown when groupMemberIdMap inside ldapRegistry is empty
Web Container PI83141 WebContainer performance issue when under high load
Web Services (JAX-WS, JAX-RS) PI64462 NullPointerException in
PI86914 Correct Mapper is not chosen due to the order and when mapper classes are represented by proxy object due to injection
Web Services Security PI62735 The groupId(s) get lost in id_token and introspection
PI68809 WebSphere Application Server XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
PI78760 OIDC IDToken updates to the "sub" field do not take effect
PI80166 OIDC provider does not recognize custom realmname from token
PI80689 Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
PI80741 OpenID Connect (OIDC) cookie not fully removed
PI80963 Refresh tokens are issued unconditionally even for clients that do not require them
PI94351 Secure flag is not set on the Liberty WASOidcCode cookie
WebSphere Compute Grid PI72923 CDI injection of Java batch jobcontext fails with npe in the absence of an active job on the current thread
PI81200 StepListner.afterStep cannot catch an exception thrown by ItemProcessor.processItem
PI84639 batchManagerZos not available after minified server is extracted
PI86175 Prevent job start and restart of the same job from occurring simultaneously
PI86193 Support message delay/priority for Liberty Java Batch

Back to top

Fix pack
Fix release date: 13 June 2017
Last modified: 13 June 2017
Status: Superseded

Download Fix pack
Security APAR
Channel Framework PI85709 Add watchdog timer to write waits on closing
Contexts and Dependency Injection (CDI) PI72811 Allow excluded alternatives
PI77286 Vetoed EJBs throw NullPointerException
PI77514 CDI observer for @initialized(applicationscoped.class) is not called inside jar
PI79787 Prevent WebSphere internal packages from being exposed to applications
PI80901 Version numbers in symbolic names are too fine grained and can cause failover to fail between different versions of Liberty.
PI82020 WeldTerminalListener is not registered
Database Access, Connection Management, Merant/DataDirect drivers PI80335 DSRA8020E Error is thrown when using IBM i Toolbox JDBC driver with WebSphere Liberty
EJB Container PI77856 EJB 3.x Stub class throws RemoteException for communication failure
PI79261 Deadlock with persistent EJB timers for Singleton beans
General PI71956 CWWKE0108I is written to stdout
PI74918 The umask values is not shown in the server logs
PI75258 The CICS Link server abends when unable to write to a TS Queue
PI75280 Attributes missing from the element httpOptions and throws warning message
PI75512 Cleanup up websocket connection when outbound connection attempt fails at the app server
PI75590 Corrections are needed to the documentation in the Knowledge Center
PI77605 JAXRS Client APIs do not use configured SSL settings
PI77615 JAXRS application start fails with ClassNotFoundException when JSPs are specified in web.xml
PI77976 ConstraintViolationException when using @Valid annotation
PI78177 When a websocket connection is closed while reading data an object leak might occur
PI78260 Liberty jaxb-2.2 feature does not expose some xlxp2 packages
PI78738 Loop while closing an SSL connection
PI79260 ProductInsights reports incorrect product version and host name
PI79275 JAX-RS 2.0 Client calls fail when ssl-1.0 feature is enabled without any SSL configuration.
PI79391 ContainerRequestContext.hasEntity() returns true for a GET request.
PI79987 Endpoint MBean information does not update when server.xml <httpEndpoint> is modified
PI80082 JAX-RS 2.0 OPTIONS methods are not invoked when used in sub-resource locator classes
PI80256 AccessControlException thrown when finding resources if Java 2 security is enabled
PI80285 For JAX-RS 2.0, a request may fail with a 404 because a resource class was incorrectly indicated as not found
PI80314 Support for product insights in embedded server
PI80315 The productInsights-1.0 does not support BASE ILAN edition
PI80514 A jndiEntry config element with a value of "0" is parsed as a java.lang.String but should be a java.lang.Integer
PI80631 Access Log file and ELK time stamps are not the same
PI80632 Messages with digits in prefix of message ID have a blank messageId field in logstashCollector
PI80719 Websocket race condition on writing data while closing can hang a thread
PI81082 java.lang.ClassFormatError: JVMCFRE074 no Code attribute specified; is thrown
PI81086 NullPointerException thrown when using a JAX-RS provider class without a public constructor
PI81396 Unable to register a liberty server with product insights though an authentication required proxy
Intelligent Management Component PI80237 Null return codes for health actions cause NullPointerException
Java 2 Connectivity (J2C) PI78463 After configuring a connection factory for CICS RAR, the server issues J2CA8501E
PI80357 JMS connection factories defined through annotations can fail to allocate connections
PI81549 When using SQLJ context caching, auto commit and/or transaction isolation level become inconsistent
PI81717 The WaitTime provided by the ConnectionPoolStats MBean is in nanoseconds when it should be (and is documented) in milliseconds
PI81840 Bean Validation 1.1 @DecimalMin and @DecimalMax constraints inclusive property not working
Java Persistence API (JPA) PI76834 Unable to use DB2 XML data type with EclipseLink JPA; Null pointer produced
PI76902 NoSuchMethodException when a program is using CONCAT function
PI78643 Eclipselink JPA/Auditing capablity in EE Environment fails with JNDI name parameter type
PI79397 org.omg.CORBA.BAD_OPERATION when running a select SQL statement
PI81076 ServerSession numberOfNonPooledConnectionsUsed can become invalid when Exception is thrown connecting
JavaServer MyFaces (JSF) Apache MyFaces implementation PI79562 Leading '/' in JSF context param-value throws StringIndexOutOfBoundsException
PI80535 ClassNotFoundException due to classes not being exported to the thread context
JavaServer Pages (JSP) PI79800 The JSP Engine is not processing EL expressions correctly when they are in large blocks of character data
PI80319 Failure to parse tag library when the taglib is defined in the application
Liberty Application Services PI66702 Multi-address corbaname URLs do not fail over to the second address when the first address server is down
PI81297 Application fails to initialize at startup with error CWWKZ0021E
Liberty Debug and Tracing PI80225 JUL Traces do not show up in logstash collector / bluemix log collector when binary logging is enabled
PI80844 Failure if running binaryLog view serverName from wlp/usr/servers directory
Liberty Kernel PI78072 A server start may receive a java.util.MissingResourceException if started with a disabled command port
PI78444 The server schema incorrectly includes some internal configuration attributes
PI79123 ConfigUtility command line tool loosing equals sign on parameters ending with equals sign
PI79878 Server create command (using Java 8) overwrites server.env file
PI80744 SPI class, PathUtils is not normalizing leading double slashes
Liberty Log Analytics and Monitoring PI80363 Allow configurable maxFieldLength in the logstashCollector
Liberty z/OS PI77988 Update needed in module BBGZAFSM
PI78510 .pid directory created with wrong permission settings
PI78787 WOLA ACEE copied from CICS invalid for TSS
PI78970 When the z/OS connect EE server is stopped and restarted, CICS issues an abend at the time of the WOLA rebind
PI80072 Message CWWKB0392W is issued when the OTMA client name is specified in the zosLocalAdapters connection factory properties
PI80252 The size of the Java heap grows over time when using the MSGLOG DD
PI80650 Memory leak in SP132 KEY8 causes OUTOFMEMORY in Liberty
PI80988 WebSphere OLA(WOLA) service request issues return code=8, reason code=96 when called from an IMS CCTL region
PI82088 Prevent error loop when TDQ is unavailable for write
Performance Monitoring Tools PI79203 The monitor-1.0 feature may not be able to monitor user runtime components
PI80861 The Japanese translated message for TRAS0115W is incorrect
Security PI72472 WSCredTokenCallbackImpl returns null even when token exists
PI75111 Admin center does not work with AccessControlException after enabling Java2 security
PI77129 MYFACES-3415 - [UI:REPEAT] Field value disappears if validation error exists on current site
PI77770 Potential cross-site request forgery with WebSphere Application Server enabled with OAuth (CVE-2017-1194)
PI78245 An authData element without an ID causes a NullPointerException in the logs
PI78445 CWWKS9580E message might be logged after modifying the CSIv2 configuration
PI78730 Intermittent CWWKS9520E message issued when CSIv2 is enabled
PI79444 AccessControlException when using the servlet log method
PI95544 NPE thrown in method authorizeEJB()
Sessions and Session Management PI73188 Session activeCount shows a negative value
PI81007 Incorrect messages were thrown at System output console when using JMX connector
Systems Management Functions PI66988 Running collective command in z/OS results in FSUM7332 syntax error
PI78497 When trace is enabled extra information is being included in the controller's trace file
PI80320 apiDiscovery urls may not update properly on Liberty Admin Center
Virtual Member Manager (VMM) PI78192 UserRegistry methods that throw RuntimeExceptions can cause federated repository failures
PI79888 An sslRef on an LDAPRegistry without matching ssl config causes security init failure
PI80547 Federated Repository's participatingBaseEntry element does not allow name attribute to be empty string
PI81519 In WebSphere Liberty, the context pool timeout value is not honored on the LDAP Registry
PI81555 The ldapRegistry feature does not properly process LDAP entities with RDN values that contain characters that need escaping
PM76997 VMM certificate authentication fails when DN contains non-default X509Certificate attributes
Web Container PI75166 TAI cannot obtain the SSL endpoint information using direct connection
PI76699 Provide an option to override the default values for the ESI properties in the plugin-cfg.xml
PI76891 Exception from during server stop
PI77629 NullPointerException if login is required to access a servlet which uses a ReadListener.
PI78193 Returned default html error page has extra closing tags
PI78633 Access control exception due to read permission of a property from Cookie class
PI79334 Unexpected error when an application is initializing during server stop
PI80313 Enable Post Data to be read multiple times.
PI80668 ServletException when creating a servlet, filter or listener from a ServletContextListener with Java2Security enabled
PI81688 Plugin config file generation fails after a configuration update is made to a Liberty server when it is running
Web Services (JAX-WS, JAX-RS) PI77438 JAXB context creation is very slow in Liberty during Web service load test
Web Services Security PI76629 Add authentication option to JWK endpoint invocation
PI78760 OIDC IDToken updates to the "sub" field do not take effect
PI80166 OIDC provider does not recognize custom realmname from token
PI80689 Database persistence for tokens might not function correctly when the backing database does not support CLOB data types
PI80741 OpenID Connect (OIDC) cookie not fully removed
PI81403 An error may occur if the string representation of a subject includes an ID token that contains a claim with a non-string list
WebSphere Compute Grid PI78436 Using batch injection in joblistener results in NullPointerException
PI79686 Slow response when using batchpersistence in Liberty
PI80634 When trying to stop an already completed job the error message does not return with the correct jobInstanceId
PI80635 CDI implementation does not support batch artifact loading via batch.xml

Back to top

Fix pack
Fix release date: 14 March 2017
Last modified: 14 March 2017
Status: Superseded

Download Fix pack
Security APAR
Contexts and Dependency Injection (CDI) PI35470 Message bean instances injected with the CDI @New annotations are not @PostConstruct'ed
PI55406 IllegalAccessException is emitted from InvocationContextImpl
PI62583 IllegalArgumentException in CreationalContextImpl only when trace is enabled
PI73139 CDI would not inject classes from a war file into an ear lib in single classloader mode
PI75915 CDI failover does not work if bundles have different OSGI qualifiers
Database Access, Connection Management, Merant/DataDirect drivers PI73351 DSRA0080E refers to original exception message {0} instead of actual message
PI76168 After global transaction ends, the reported auto commit value can be inconsistent with the Oracle JDBC driver
General PI68233 SSLSessionTimeout is not recognized as a valid attribute for sslOptions element
PI71616 configUtility find or install throws a NoClassDefFoundError when using local repository
PI73277 EclipseLink 2.6.3 does not support JPA-convertor for primitive data types
PI74721 Errant timeout can occur with async sends in WebSockets
PI75015 Memory leak in JAX-RS client.
PI75022 Failure to parse a java.util.Date object when creating a new
PI76688 Private lifecycle methods in JAX-RS resources are not invoked
Java 2 Connectivity (J2C) PI60146 Connection sharing cannot be controlled in Liberty when using direct lookup
PI71092 java.lang.UnsupportedOperationException when accessing a tested data source
PI73350 Connection manager settings not honored
PI74533 Setting an agedTimeout value of 0 on a connection manager results in J2CA8011E
PI75426 Connection manager configuration intermittently ignored for application defined data source
Java Persistence API (JPA) PI74104 EclipseLink might add unused table in generated query
PI74284 The JPA Container calls EntityManager.clear() instead of EntityManager.close() on cleanup
JavaServer Pages (JSP) PI72709 Asynchronous dispatch to a JSP file under the WEB-INF directory fails.
PI73022 JSP comments containing "%>" might throw a StringIndexOutOfBoundsException.
Liberty Application Services PI74321 After upgrade to NamingException and ClassCastException occur on JNDI lookup on IBM i
PI75284 Intermittent NullPointerException from ApplicationStateMachineImpl when trace enabled or logging information in response to a failure
PI75389 OSGi Applications can take significantly longer to startup after upgrading Liberty
PI76368 A class that is both Remote and Serializable is mis-categorized during marshalling
Liberty Debug and Tracing PI62350 Some server startup and early messages are not collected by logstachCollector-1.0 feature.
PI74051 Transaction trace lacks PropertyPermission to read system property ""
PI74318 Incorrect message IDs appearing on dashboard when using the Bluemix log collector
PI76200 Stack trace is not included in the message field of liberty_message type
PI76620 Filter tags in logstashCollector & bluemixLogCollector to avoid tags with special characters displaying oddly on dashboard
PI76621 New message IDs need to be assigned to a few existing TRAS messages.
Liberty Kernel PI72686 Removing and adding a feature can result in a warning message about duplicate metatype definitions
PI73807 Some Liberty message IDs conflict with traditional WebSphere Application Server
PI74527 Error CWWKZ0404E can occur when starting an application on Liberty
PI74586 Liberty server does not start if jvm.options file contains spaces, after upgrade to
PI74792 java.lang.NullPointerException when starting an .ear application with autoExpand="true" in server.xml
PI76013 Resolution error for optional server config include should not create an exception
PI76432 Exception could be thrown and logged during a server shutdown if listeners timeout during quiesce
PI76607 Features that cannot be loaded because of Java version dependencies may still be reported as being loaded
PI76755 Liberty metatype registry problem - metatype extension duration changed from LONG to STRING in
Liberty z/OS PI50828 WLM support is ignored when running z/OS Connect in async mode
PI66375 SPI for MVS MODIFY command support is documented to be externally available, but in fact is not available
PI72065 Loop in Liberty z/OS server when AsyncIO is enabled
PI72566 ABEND0C4 at BBGZSCFM+377E occurs during client bind
PI72776 When WLP_ZOS_PROCEDURE is set the foreground JVM uses the full set of JVM options
PI73559 WOLA service BBOA1URG fails with RC=12 RSN=240.
PI73752 Suppress FFDC for 453
PI74564 WebSocket-1.1 feature does not work in Liberty imbedded in CICS TS 5.3
PI74875 Liberty Server hang in termination after a hard failure on z/OS
PI74878 WOLA feature not started for server using a version 4 Angel
PI76238 Message CWWKB0392W contains no message text in messages.log.
Performance Monitoring Tools PI75368 Slow memory leak might lead to OutOfMemory in Liberty
PI76212 Monitor capability breaks when different thread pool name is speicified other than "Dafault Executor".
Security PI72135 An AccessControlException is issued when restoring the security context using the ContextService APIs
PI72653 Web filters need to receive the AuthModule wrapped request or response when using JASPIC
PI73266 AccessControlException issued even when permission was granted in the permissions.xml file
PI76359 Process default SSL Setting not getting reset on a file update
PI76408 The method signature for is no longer synchronized.
Session Initiation Protocol (SIP) Container PI76614 SIP Router is initialized more than once.
PI76615 Order of OSGI bundle could cause a class not found exception.
Systems Management Functions PI74526 A collective name sporadically changes between its given name and the default name
PI75433 Liberty collective member status becomes stale at the controller.
Web Container PI71999 XML transformer factory changed during server start
PI72223 The pluginUtility displays an untranslated message when using the merge action to merge plugin-cfg.xml files in a directory.
PI72514 Application start fails to add context root in Virtual Host map
PI72710 Response committed on return from Forward even when async is started.
PI74499 Server quiesce not cleaned properly when write during close of upgraded connection goes asynchronous.
PI75475 The WebContainer 'enableMultiReadOfPostData' config property was visible but not implemented.
PI75528 The maxRequestSize optional attribute for MultipartConfig is ignored.
PI76195 When the plugin configuration is generated it may not have one of the ports
PI76271 CORS does not handle requests with PATCH methods correctly
PI76351 ServletRequest.getRequestURI() returns inconsistent results after AsyncContext.start().
PI76364 isFinished() could incorrectly return false in some scenarios
Web Services (JAX-WS, JAX-RS) PI70234 Custom HTTP header blocks SOAPAction header
PI76616 HTTP servlet requests could be matched to incorrect cross-origin resource sharing (CORS) configuration
Web Services Security PI72558 OIDC client cookie is not removed after it is used
WebSphere Compute Grid PI73040 Batch job log REST URLs are incorrect for a failed job execution
PI73249 The ddlGen script may produce an empty file when run against a server with the Java Batch feature configured
PI74813 When using the batchManagerZos 'status' and 'listJobs' commands, the usage of --instanceId and --jobInstanceId are not universal.
PI74924 Job with Java batch COMPLETED status moves to STOPPING status after shutdown in executor.
PI76622 Provide V2 and V3 versions of existing Batch REST APIs
PI76632 Job executions REST API syntax is misleading
PI76701 Java Batch purge command fails after a job execution did not initialize correctly
PI76702 Java Batch jobs store JES job name and JES job ID with trailing spaces
WMQ messaging providers PI61885 postCallWithException throws java.lang.IllegalStateException
PI71691 BundleException happens when adding a feature to a running server causing a bundle to be reinstalled
PI72136 Server startup fails with CWRLS0009E error due to failure in the transaction manager's recovery log service
z/OS PI61450 Apache Wink does not remove quotes from the boundary value Content-type: multipart/mixed; boundary="simple boundary"

Back to top

Fix release date: 13 December 2016
Last modified: 13 December 2016
Status: Superseded

Download Fix pack

Security APAR
Contexts and Dependency Injection (CDI) PI69193 ContextNotActiveException in SessionScoped bean preDestroy()
PI70614 Clean up all resources on an application startup failure on cdi-1.0 feature
PI71104 @Inject Principal does not work in mutli-threaded environment.
PI71667 Application fails with WELD-001408: Unsatisfied dependencies for type Validator with qualifiers @Default
PI71734 Failover does not work with CDI 1.2
Database Access, Connection Management, Merant/DataDirect drivers PI68418 Purge policy ValidateAllConnections does not properly validate connections
PI71587 Data source is not autodetecting MariaDB.
DynaCache PI68741 HTTP status code 200 is returned to a client when the servlet or JSP throws an exception
PI71752 Plugging in an external cache provider does not work with the distributedMap-1.0 feature.
EJB Container PI66621 ReferenceContextImpl caching empty list of targets for JSP classes
PI67942 javax.servlet.HttpServletRequest.getRequestURI() might return a decoded value after dispatching
PI69642 NullPointerException deleting stateful EJB
General PI42673 Extra information in logs with Datasource custom properties
PI67034 Access was denied for property org.apache.jasper.constants.jsp_servlet_base.
PI67099 Provide option to add STS response header for HTTPs request
PI68432 When user applications are using Websocket Decoders a slow memory leak can occur.
PI69737 Errors are not logged when tasks submitted to managed executors fail
PI70332 System property to enable SSL Channel timeoutValueInSSLClosingHandshake property
PI71359 FFDC is produced for a NullPointerException in
Install V8 and above PI68915 Default server.xml is incorrect
PI69133 Disk space validator returns NullPointerException.
Java 2 Connectivity (J2C) PI68163 MQJCA1011: Failed to allocate a JMS connection
PI68257 Connection manager might remain active after transaction manager has been disabled.
PI69122 J2C pretest being used despite FailingConnectionOnly option
PI69887 FFDC logged for resource adapter config property with getter that is named with "is" rather than "get"
PI69957 Destination ID erroneously used for JCA 1.7 destinationLookup instead of JNDI name.
PI70224 The value of ConnectionHandleCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
PI71193 Illegal State Exception when transaction timeout occurs and abort is used
Java Persistence API (JPA) PI65593 The database schema name cannot be configured with openjpa.jdbc.SchemaFactory
PI66770 JPA returns incorrect results when using a native query and @SqlResultSetMapping
PI67234 ServerPlatformException Server platform class is not valid: null occurs with JPA 2.1
PI67790 java.lang.ClassCastException using JPA
PI68028 EclipseLink throws ValidationException when using nested embeddables with the same attribute name
PI68805 Potential leak of org.apache.bval.cdi.BValExtension$Releasable objects when using JAX-RS, CDI 1.2, and Bean Validation 1.1.
PI70680 Deployment of persistence unit fails with DescriptorException
PI70841 OpenJPA's ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException
PI75607 javax.persistence.PessimisticLockException when javax.persistence.lock.timeout set to 0
PI75608 Add EclipseLink support for Java 2 Security
JavaServer MyFaces (JSF) Apache MyFaces implementation PI67525 inputFile tag is not working properly on Liberty
PI70441 FlowBuilderFactoryBean Concurrency Issue
JavaServer Pages (JSP) PI67257 An escaped EL expression is being run if an escaped dollar sign precedes the former expression
PI69028 Null CodeSource location for classes loaded by JSPExtensionClassLoader
PI69942 JSP property useJDKCompiler does not work in Liberty
PI71436 A debugger does not stop at a breakpoint in a JavaSever Page (JSP).
Liberty Application Services PI70600 Auto extracted web app files have incorrect timestamp.
PI70848 When application autoExpand is enabled changes to an ear file are not detected by the Liberty server
PI70870 ConcurrentModificationException in AppClassLoader when using the global library
PI71116 When certain features are enabled the application property autoStart has no effect
Liberty Kernel PI68170 Users of Liberty's OSGI EventAdmin service cannot change the topics of interest for a registered EventHandler
PI70104 Starting a Web Application Bundle (WAB) can result in a deadlock sometimes when the WAB is installed and started dynamically
PI70637 RuntimeException: Invalid call to WsByteBuffer occurs during shutdown
PI71457 NullPointerException after a failure to bind an IIOP transport port
PI71607 Schema for resource adapters contains an unused attribute.
Liberty System Management PI69561 REST API Discovery missing APIs in web applications with multiple JAX-RS application classes
Liberty z/OS PI67718 z/OS Connect is unresponsive to the STOP command from the z/OS Console
PI69625 Liberty server at may fail to start when using AsyncIO
PI69886 When using the zosLocalAdapters-1.0 feature to talk to CICS, the CICS container LinkTaskRspContID already exists.
PI70090 WebSphere Liberty "server" and native launcher handle a # in the middle of a JVM property inconsistently
PI70896 Liberty Server hang in termination after a hard failure on z/OS
PI71417 Startup time for Liberty for z/OS is unnecessarily slow.
Messaging Providers PI62816 Allow more than one address to be specified in the remoteServerAddress field
PI70961 Corrections to messages in JMS Messaging
Performance Monitoring Tools PI70900 Events get lost when the logstashCollector config gets updated
Security PI62070 Full chain created in PKCS12 but not for JKS key store
PI62375 Potential code execution vulnerablity in WebSphere Application Server (CVE-2016-5983)
PI69141 Make sure HTTPS URL connection default is set at the same time SSLContext is set.
PI69161 Constrained delegation works only when Liberty trace is enabled
PI69277 Java 2 Security permissions are not granted to a shared library when using the file element instead of a fileset
PI69629 CWWKX8136W: Cannot validate the server identity
PI69840 A NoClassDefFoundError or NoSuchMethodError may be thrown when accessing Swagger annotations.
PI69870 IllegalAccessException on EL expression that processes isLast() of object referencing varStatus in JSTL for-each tag
PI71525 NullPointerException when registering a Custom User Registry that returns a null realm name
PI71585 NullPointerException when null password is passed into WSCallBackHandlerFactory
PI71751 Provide better message when bad SSL configuration is used by CSIv2.
PI71789 .InvalidNameException: Validation of the Collective DN failed. 0th element type was not dc
Systems Management Functions PI69286 Non-ASCII names used in remote operations from a collective controller may become corrupted.
PI69741 Remove extra information from trace file
PI71792 New files added to a controller's configDropins/defaults directory are not replicated to other controllers in the collective.
Virtual Member Manager (VMM) PI71825 CWWKS3006E error message seen during server shutdown.
Web Container PI64898 AsyncListener onError not being called correctly
PI65762 DestroyJavaVM() method call hangs and JVM fails to shut down when asynch servlet work has been performed
PI67393 Polish the ReadListener
PI68061 Option to display customized text for some server errors
PI69220 A plugin-cfg.xml is generated with missing applications and future auto-generation fails.
PI69803 A java.lang.NoClassDefFoundError error can occur when using the pluginUtility merge action.
PI70063 A decrease in throughput can occur when many concurrent requests for JSP pages that make use of tag libraries.
PI70184 WebSocket not working if application flushes without obtaining any outputStream or writer
PI70873 java.lang.NullPointerException might occur during a request's cleanup.
PI71851 Missing apostrophes in French and Italian pluginUtility text
Web Services (JAX-WS, JAX-RS) PI70196 PI70196: ibm rest servlet cannot be mapped to two different urls:
PI70313 Swagger API Explorer ignores protocol schemes for operations
PI71238 IllegalArgumentException when getHours() is called
PI71887 JAX-RS Client fails when running in OSGi bundles
Web Services Security PI68101 JSON bits are missing from a URL when SAML authentication redirects a request
PI68809 WSAS XML crypto libraries cause classloader conflict with Java XML crypto in certain scenarios
PI69415 Support configurable context root for OIDC client redirect url
WebSphere Compute Grid PI70886 Java Batch REST: STOP request may not return JobNotRunningException even when the job batch status returns as COMPLETED.
PI70887 An exception in the batch executor may cause a message to roll-back onto queue (and get re-delivered) instead of consumed.
PI71718 Attempting to purge multiple job instances fails when their executions are not on the same endpoint
PI71719 Batch REST request for job instance job log links fails with remote executions
WMQ messaging providers PI68664 Record-level sharing (rls) is miscalculating the amount of data to be written to partner logs
PI69183 APAR PI18414 may result in the recovery log service using incorrect sequence numbers.
PI69314 ELException, Can not find @Transactional annotation
PI69328 CWWKZ0403E error message occurs due to error Unable to acquire the global write lock in time.

Back to top

Fix release date: 16 September 2016
Last modified: 16 September 2016
Status: Superseded

Download Fix pack
Security APAR
Contexts and Dependency Injection (CDI) PI38270 NullPointerException in InvocationContextImpl.configureTarget when destroying an already destroyed bean
PI42311 EJB interceptors not called intermittently
PI48614 NullPointerExceptions from CDI code
PI51620 NullPointerException when doing injection with set to true
PI58669 CDI javax.decorator.decorator annotation not working as expected
PI61397 Ensure application scoped context is initalized properly and active during bean preDestroy
PI64374 Race condition with session scoped contexts
PI64812 Application ClassLoader leaked during application restart from CDI's RuntimeFactory
PI65337 Use of CDI interceptors in stateless EJBs causes exceptions to be wrapped in WeldException
PI66866 Memory leak occurs when an application is restarted
PI67388 Move up Weld level to 2.3.4.Final from 2.2.16.Final.
Database Access, Connection Management, Merant/DataDirect drivers PI66423 OraclePreparedStatement.getReturnResultSet and OracleCallableStatement.getCursor fail after unwrapping statement
EJB Container PI60567 New system property to configure the EJB pool wait timeout
PI62639 NullPointerException in CDIEJBManagedObjectFactoryImpl.getEjbDescriptor when creating EJB instance to pre-load the bean pool
PI63571 AccessControlException: "accessDeclaredMembers" from
PI63709 Application exception thrown from EJB constructor lost when @AroundConstruct interceptors present
PI63821 Resource reference names starting with java:comp/env are ignored in ibm-ejb-jar-bnd.xml
PI65205 FFDC for TransactionRolledbackException when using UserTransaction in stateful bean ejbRemove method
PI66565 not provided to ResourceFactory for <resource-env-ref> XML elements
PI67070 Customer can get EJBExceptions related to non-persistent EJB Timers during server shutdown
General PI60893 Deadlock caused by SIP Subscribe
PI61548 Potential Denial of Service in WebSphere Application Server if using SIP services (CVE-2016-2960)
PI63871 NullPointerException in MemoryPersistenceManager
PI64472 Automatically determine whether a submit or restart should be issued from the batchManager and batchManagerZos utilities.
PI65456 Issuing "job.ended" CWWKY0010I message instead of "job.failed" CWWKY0011W message, upon job failure.
Install V8 and above PI65506 Display proper asset list when embedded asset repo is missing during IM modify_add flow
Intelligent Management Component PI59258 Dynamic Routing fails to recognize the application until Collective Controllers are restarted
PI63212 Reload of web server with Intelligent Management causes CWWKV0008W messages on a Liberty collective controller
PI66993 Health condition is not set to the Liberty server in the Docker container.
PI67392 DynamicRouting does not have route information for Liberty Docker on initial deployment
Java 2 Connectivity (J2C) PI63520 Parked connection created by PoolManager results in setting a pre-existing client ID to a MQ connection
PI66424 J2CA7002E is logged when server is stopped while in the process of installing a resource adapter.
PI67186 The value of FreeConnectionCount on the ConnectionPool MBean is not accurate when in use connections are destroyed
Java Persistence API (JPA) PI58114 ClassCastException when an equals comparison query is run on an entity with a composite @EmbeddedId
PI64129 CDI applications that inject Validator or ValidatorFactory beans cannot be failed over in a cluster
PI67305 EclipseLink assigns the same object instance to multiple embedded fields
JavaServer Faces (JSF) SunRI implementation PI64899 When using the jsf-2.2 and beanValidation-1.1 features an OSGI warning message can be seen.
JavaServer MyFaces (JSF) Apache MyFaces implementation PI63135 Custom type conversion is sometimes bypassed in EL 3.0
PI63633 Thread-safety issue in the underlying (Apache) JSF 2.0 code causes WebContainer threads to hang
PI64195 @PreDestroy methods are not invoked on session invalidation for JavaServer Faces (JSF) javax.faces.bean.ViewScoped beans.
PI64714 JSF message severities always set to ERROR after ValidatorException
PI64718 Validators are not called when using selectManyCheckbox
JavaServer Pages (JSP) PI64004 The scratchdir JSP attribute is not documented on Liberty
PI65333 A JSP error "unresolved compilation problem" is thrown during runtime
Liberty Application Services PI62861 Server stop runs before the ServletContextListener implementation completes
PI63542 ArrayIndexOutOfBoundsException may occur when doing a JNDI-lookup to a remote EJB that is located in another cell
PI64494 Timing window in generation of Type Code objects from class TypeDescriptors, causes performance problems during JNDI lookup
PI64806 java.lang.StackOverflowError on WAR
PI65244 EJB connection helpers are both null
PI65637 Starting an OSGi Application intermittently causes an endless loop.
PI66570 IllegalStateException thrown on server shutdown
PI67028 AccessControlExceptionthrown from AppClassLoader.getResources() call
PI67672 Extended use of remote EJB may cause error mentioning Phaser parties.
PI67674 Restarting ORB may cause socket bind exception
PI67719 AccessControlException from JTMThreadFactory, JNDI lookup, and JmsManagedConnectionFactoryImpl
PI67739 Configuring a non-default ORB may interfere with application client.
Liberty Archive Install PI66992 z/OS IM offering failed to modify asset due to error 'Failed to load bundle'
Liberty Kernel PI62609 When coreThreads and maxThreads are the same value, CWWKE1200W messages, which indicate a hung thread, may appear erroneously
PI63436 Embeddable Liberty command wlp/bin/server fails to run on old bourn shell used by Solaris 5.10
PI64318 Product validation error when running installUtility install
PI67017 Apache Commons Compress was incorrectly added to Liberty's JVM classpath
PI67231 Inconsistent installUtility/feature error messages when installing features or depending features not found on repository
PI67665 Path normalization of configuration variables can cause unwanted modifications
Liberty z/OS PI61412 HTTP access logs are not tagged on z/OS.
PI61645 CWWKF0015I and CWWKF0014W messages are misleading
PI63930 WEBSOCKET-1.1 feature does not work in Liberty Imbedded in CICS TS 5.3
PI64823 zosRequestLogging-1.0 feature does record the SAF mapped user ID in SMF 120 subtype 11 records.
PI65658 Liberty z/OS unauthenticated ID experiences ICH408I calling HttpServletRequest.login with syncToOSThread enabled
PI65709 Storage leak in subpool 249 key 2 when using the zosLocalAdapters-1.0 feature.
PI66150 Liberty server processes the start of WOLA workload to slowly
Security PI60769 IIOP sslRef mismatch not clear in error message
PI61592 Security context not propagated into JCA resource adapter
PI62626 jacc-1.5 feature does not package a separate API jar file even though it exposes the API.
PI62722 Attempting to start or stop a member from the Liberty Admin Center running in a collector on z/OS results in CWWKS2910E
PI63929 Potential open redirect security vulnerability in WebSphere Application Server Liberty CVE-2016-3040
PI63949 When auth-method tag is not used in Liberty a NullPointerException is thrown
PI64065 CWWKS9112W: Invalid run-as configuration for security-role name ApplicationRoleName in the application ApplicationName
PI64790 Cross-site scripting vulnerability in OpenID Connect client CVE-2016-3042
PI65716 configUtility and collective command line utilities do not support the custom password encryption
PI66628 The message when the custom password encryption is not available is not acculate.
PI67237 AccessControlException issued when an API tries to obtain an internal OSGi service via the kernel service SPIs.
PI67467 An intermittent MalformedURLException is issued during the server shutdown when Java 6 is used and there are permissions defined
Sessions and Session Management
PI60026 Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)
Systems Management Functions PI62640 Collective utility help text for --keystorePassword is incorrect.
PI66520 A collective controller shared configuration file is removed after it is renamed.
PI66522 A deploy rule without a defined restart command produces an exception during a deploy operation.
PI66523 The --createConfigFile option of the collective utility allows the config file to be in the configDropins/defaults directory
PI66524 The collective utility writes an unnecessary request to edit server.xml.
PI67220 Liberty member in a Docker container ignores metadata defined in the admin-metadata.xml file included in the container.
PI67221 Docker registry commands in the Docker deploy rule mistakenly prepend the repository with the user name.
Virtual Member Manager (VMM) PI62392 Login failure if userFilter contains userAccountControl attribute
PI63471 getUserDisplayName returning null when basicRegistry is configured
Web Container
PI54459 Information Disclosure in WebSphere Application Server Liberty CVE-2016-0378
PI58875 Application is started even though there has been a listener exception during application start up
PI61651 An uncaught exception in javax.servlet.AsyncListener.onComplete() might cause threads to hang
PI63193 SRVE8094W might happen even if invokeFlushAfterServiceForStaticFile=false
PI65853 WebSphere Application Server Web Container affected by Apache Struts vulnerability (CVE-2016-3092)
PI67093 Information disclosure in IBM WebSphere Application Server CVE-2016-5986
PI67470 ConcurrentModificationException thrown on getServletWrapper when serveServletsByClassname is enabled
PI67832 FFDC created when a feature is removed from server.xml.
Web Services (JAX-WS, JAX-RS) PI64462 NullPointerException in Providers.getContextResolver()
PI67586 ConcurrentModificationException in org.apache.cxf.jaxrs.JAXRSServiceFactoryBean
Web Services Security PI66148 OIDC Client Service is not thread safe
PI66354 OAuth provider does not encode non-ASCII characters properly
WMQ messaging providers PI45254 Collect more serviceability data for transaction log service
PI65127 Deadlock issue in tranlog database
PI65412 Transaction service may fail to log data correctly when its logs are stored in a database and connection failure occurs
Fix release date: 24 June 2016
Last modified: 24 June 2016
Status: Superseded

Download Fix pack
Security APAR
Contexts and Dependency Injection (CDI) PI58316 Changes to JSP in EAR or WAR not picked up if CDI-1.2 feature enabled
PI61971 CDI forces a creation of an extra session, which causes memory usage issues.
DynaCache PI59818 Servlet and Object Cache services are initialized multiple times during Liberty startup causing delays and exceptions
EJB Container PI58029 Classloader leak associated with PCRegistry
PI59443 A method named ejbCreate on a managed bean may be treated as a post construct interceptor method
General PI52696 WebSphere Application Server proxy - Too many open files
PI53321 Using WOLA with CICS version 5.3 causes BBOX abend
PI54666 NullPointerException when using IPv4/IPv6 loopback addresses
PI55413 CICS BBO (WebSphere) link server abends with WRITEQ TSQ BBO* error eibresp: 16 eibresp2: 0
PI57228 The HTTP Channel consumes additional memory, in specific circumstances, when processing inbound data.
PI58457 Quotes are automatically added to the cookie Path attribute on version 1 cookies
PI58692 NullPointerException when using batchManager to purge and no arguments specified
PI58800 High CPU utilization can occur for WebSocket sessions that expire using a non-default MaxIdleTimeout value
PI58918 Response Splitting Vulnerability using a specific API CVE-2016-0359
PI59273 A job instance with zero executions cannot be stopped or restarted.
PI61321 Serviceability changes for batch feature
PI61621 The persistent user data and metric values are invalid when a job fails in the middle of a chunk step
PI62053 HTTP Channel Access Log does not properly record how much is written to the file
PI64247 For Double Byte languages an FFDC IllegalArgumentException can occur for a WebSocket connection that closes due to an error
Intelligent Management Component PI61807 Web Server SSL certificate created by the Liberty dynamicRouting feature needs updating
Java Persistence API (JPA) PI47094 ClassCastException using a shared JPA module on JPA 2.1
PI55889 JPA Merge fails intermittently with FOREIGN KEY constraint error
PI58092 Delay in application startup on Liberty
PI58523 When using jpa-2.1 with Bean Validation, XML constraints are not recognized
PI59004 Criteria Modelgen API is not included for the EclipseLink provider
PI59757 JPA PersistenceUnitUtil.getIdentifier() fails for nested EmbeddedId
PI59782 Eclipselink on Liberty is missing javax.json imports
PI59999 OpenJPA custom plugins can cause Classloader leaks
PI62022 Bean validation interceptor is invoked twice
JavaServer MyFaces (JSF) Apache MyFaces implementation PI57255 MyFaces CDI support is disabled if non-CDI application is loaded first
PI59422 Flow beans are destroyed before the flow is finalized
JavaServer Pages (JSP)
PI56811 XXE and RCE via XSL extension in JSTL XML parse and transform tags
PI59436 NullPointerException when using EL expressions returning null
PI60837 A StackOverflowError can occur when is set to true
PI61400 There are unused message properties files packaged in the Expression Language (EL) 3.0 bundle.
Liberty Administrative Center PI58080 Admin Center toolbox cannot save bookmarks with Explore search results which search on tags
PI62052 Potential security vulnerability in Admin Center for Liberty CVE-2016-0389
Liberty Application Services PI53419 Liberty server z/OS: Deadlock adding WABs to web container
PI58841 An OSGi web app using JSP and JSTL by default currently needs to explicitly import the JSTL spec packages.
PI59010 CWWKC2259E: "Unexpected child element defaultDatasource" in WebSphere Liberty for EJB 2.1
PI60496 EBA fails to resolve when blueprint-1.0 is active
PI60749 Common shared library classes return null when calling getProtectionDomain().getCodeSource().getLocation()
PI61468 Application classloaders are leaked by transaction monitoring threads.
PI61906 Classloading trace does not contain details of classpath being traversed.
PI62078 ClassLoader leak in CDI's RuntimeFactory
PI62240 ClastCastException doing a JNDI lookup
PI62385 Classloading perfomance of the Liberty ORB has been slightly improved.
Liberty Archive Install PI60256 Failed to testConnection against
PI62355 License jar upgrade returns a confusing message when it fails due to invalid edition.
Liberty Debug and Tracing PI57488 Null characters added to logs when truncated by user
PI58309 NullPointerException seen with logstashCollector-1.0 feature when access log source is enabled
PI58310 logstashCollector-1.0 feature reports a NullPointerException during server shutdown operation
PI58311 TRAS0120W message reports incorrect lost events
PI58386 Duplicate FFDC records are sent for the same failure by logstashCollector-1.0 feature.
PI60821 NullPointerException when eventLogging feature is removed
PI61051 Removal of ISADC script
PI61371 High Performance Extensible Logging (HPEL) binarylog view does not sort by time stamp
PI62013 Warning message should be issued when wrong source is specified.
PI62015 Unexpected null pointer exception appearing in FFDC logs with logstash collector whenever updating the source
Liberty Kernel PI48971 ActiveMQ properties not being honored in JMSActivationSpec in Liberty
PI59235 Problems with serialization code
PI59906 Server command help is missing the --os option description
PI60941 When installUtility install serverName is run, the server logs and workarea were not created under WLP_OUTPUT_DIR
PI61175 During startup the application manager can cause an FFDC with a ConcurentModificationException causing no applications to start.
PI61177 Spurious error may be logged when bundle starts and immediately stops.
PI61178 Dynamically configuring one or more features from zero features delays starting applications by 30 seconds
PI61319 The help for the productInfo command line tool reports an error rather than provide the help text.
PI61320 Missing attribute message is confusing
PI61324 Server package zips when unpacked lack file permissions for scripts in bin folder.
PI61451 installUtility command may fail with a SocketException: "Too many open files"
Liberty System Management PI57567 Merged plugin-cfg.xml generated by ClusterManager mbean generateClusterPluginConfig operation contains dup elements
PI58426 Collective create always treats --keystorePassword as a required argument
PI61176 Using the IBM JMX REST client from Liberty requires setting too many properties
PI61895 Swagger document and UI in apiDiscovery-1.0 did not show non-ASCII characters properly.
Liberty z/OS PI50018 linkTaskChanID property does not work when used with z/OS Connect service provider
PI52665 z/OS WOLA CICS BBOC control transaction cannot support long command strings from the console
PI54756 z/OS Connect JSON Parse Error message missing JSON payload.
PI56919 IllegalArgumentException: CWWKS2910E: SAF service IRRSIA00_CREATE did not succeed
PI57546 UserRegistry.getUsersForGroup() is not implemented in Liberty server
PI58016 Asian characters in UTF-8 encoded payloads are converted to escaped unicode characters
PI58155 Liberty server takes ABENDEC6 RC0000FD1D due to CPU time limit exceeded
PI58468 WOLA fails to reconnet to CICS TS after previous executions have succeeded
PI59320 ABEND 0C4 RSN=00000004 or a CICS ASRA ABEND when you have more than 128 WOLA connections in an address space
PI61322 CICS programs called over WOLA are being passed an incorrect channel or container name.
PI61323 An ABENDDC2/ABENDSDC2 occurs in program BBOATRUE when CICS is configured to use an embedded Liberty server.
Performance Monitoring Tools PI60781 NullPointerException being thrown from requestTiming feature if any exception occured
Security PI55373 Collective framework needs to support certificates signed by third party signers
PI59813 Improve the exception generated when client does not trust the server.
PI61090 NullPointerException from FeatureWebSecurityCollaboratorImpl
PI61204 NullpointerException when using ibm_securitylogout in Liberty
PI61253 OAuth or OpenID Connect response does not contain state parameter
PI61622 The French help text of the PasswordUtility command line utility contains typographical errors.
Systems Management Functions PI58664 Liberty collective member status is incorrect
PI62453 When making a JMX Connection to a collective member, the JVM default for HTTPs connections is updated
Virtual Member Manager (VMM) PI54746 Federated repository does not allow a user login with Turkish characters
PI56819 User login failure when uniqueUserIdMapping inputProperty set to non default values
Web Container PI51122 Webcontainer intermittently generates a 500 error with StringIndexOutOfBoundsException
PI56833 WebContainer is setting the Content-Language
PI57951 Line feed code disappears when data is uploaded with enctype="multipart/form-data" in an HTML form
PI58920 Dispatcher type obtained from HttpServletRequest is not updated on post processes
PI59415 Development version of servlet SPI bundle does not match with runtime webcontainer bundle.
PI60797 Enable POST only for a form login
PI61594 AsyncContext.dispatch() might dispatch to an incorrect URI if using different versions of ServletRequest.startAsync()
PI61628 A 404 error might be generated when using redirectToWelcomeFile
Web Services (JAX-WS, JAX-RS) PI53319 ClassNotFoundException on WebSecurityHelper
PI56315 JAX-RS MessageBodyWriter is not run
PI56374 ClassCastException: java.util.TreeMap incompatible with
PI58097 HTTP Response header with invalid Date string is added to the response on a WebServices request
PI58779 JAX-RS 2.0 @Context injection from client side provider reports NullPointerException
PI58799 IllegalArgumentException inJAX-RS code
PI59519 Update product.json model to match recent changes in API Connect
PI59633 When using JPA to persist an object, the JAX-RS engine does not correctly catch any exceptions that are thrown
PI59640 Security definition is missing from the filtered Swagger document returned by API Discovery Framework
PI59643 Using @Context to get the HttpServletRequest and changeSessionId() always returns null
PI61936 Information disclosure in JAX-RS API
PI62155 Suppress SOAP FAULT error message
PI62450 Swagger processor may allow weaker than expected security
Web Services Security PI59665 OIDC Relying party auth flow fails with 401 error when security trace is enabled
PI59677 OIDC relying party authentication failure due to CWWKS1704E error
PI62735 The groupId(s) get lost in id_token and introspection
WMQ messaging providers PI59123 WS-AtomicTransaction participant recovery after a server crash may never complete
PI60966 Problem distributing transaction between WSAS traditional and Liberty using WS-AtomicTransaction.

Back to top

Fix release date: 18 March 2016
Last modified: 18 March 2016
Status: Superseded

Download Fix pack
Security APAR
Contexts and Dependency Injection (CDI) PI50291 Beans searched for through instance interface are not found
PI51134 NullPointerException if all interceptors are on methods overriden, defined at class level or defined in a different method
PI51508 Reduce contention in AbstractOwbBean.equals use
PI52391 BeanManger.equals cannot distingiush between two BeanManagers for the same module after a restart
PI52756 CDI is activated and generates error with no existence of beans.xml
PI52765 Provide a fix for Weld bug in CDI 1.2
PI57976 Objects of class NullInjectionPointImpl are visible in applicaiton code
PI58021 ClassNotFoundException if application contains a jar which contains other archives
Database Access, Connection Management, Merant/DataDirect drivers PI57239 Error when multiple threads attempt to authenticate to Mongo at the same time
EJB Container PI49639 CWWKC2259E: "Unexpected child element" in Liberty profile for EJB 2.1
PI50806 NullPointerException in AbstractEJBRuntime.bindAllRemoteInterfacesToContextRoot when using ejbRemote-3.2 feature
PI53807 Improve message text when EJB SessionContext fails to serialize