Configurable maximum FFDC age along with CVE and other notable bug fixes in Open Liberty 22.0.0.13
Open Liberty 22.0.0.13 provides the ability to automatically purge FFDC log files after they reach a configured age. This release also provides many significant bug fixes, including two that address CVEs in gRPC and gRPC Client. Two new guides, covering the topics of gRPC and WebSocket, also join our extensive list of guides. If you’re interested in features and functionality that we have in progress, like Jakarta EE 10, MicroProfile 6, and InstantOn, take a look at the recent beta blog posts.
In Open Liberty 22.0.0.13:
Along with the new features and functions added to the runtime, we’ve also made updates to our guides.
View the list of fixed bugs in 22.0.0.13.
Check out previous Open Liberty GA release blog posts.
Run your apps using 22.0.0.13
If you’re using Maven, here are the coordinates:
<dependency>
<groupId>io.openliberty</groupId>
<artifactId>openliberty-runtime</artifactId>
<version>22.0.0.13</version>
<type>zip</type>
</dependency>
Or for Gradle:
dependencies {
libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[22.0.0.13,)'
}
Or if you’re using Docker:
FROM open-liberty
Or take a look at our Downloads page.
Configurable maximum FFDC age
Open Liberty provides First Failure Data Capture(FFDC) capability, which instantly collects information about events and conditions that might lead up to a failure. In certain scenarios, the number of files in the FFDC directory can grow to a very large amount. Previously, Open Liberty automatically purged FFDC files in excess of 500 and this value was not configurable. This release introduces new functionality that automatically purges FFDC log files after they reach a configured age. You can specify this age with a new configuration attribute, maxFfdcAge
.
maxFfdcAge
is the maximum desired age before an FFDC file is deleted. At midnight everyday, any FFDC file that has reached the maximum configured age will be deleted. Specify a positive integer followed by a unit of time, which can be days (d
), hours (h
), or minutes (m
). For example, specify 2 days as 2d
. You can include multiple values in a single entry. For example, 2d6h
is equivalent to 2 days and 6 hours.
Example server.xml configuration:
<server>
<logging maxFfdcAge="2d"/>
</server>
Security vulnerability (CVE) fixes in this release
CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
---|---|---|---|---|
5.7 |
Denial of service |
21.0.0.2 - 22.0.0.12 |
Affects the grpc-1.0 and grpcClient-1.0 features |
|
5.7 |
Denial of service |
21.0.0.2 - 22.0.0.12 |
Affects the grpc-1.0 and grpcClient-1.0 features |
For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.
Notable bugs fixed in this release
We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 22.0.0.13.
-
NullPointerException in InstallFeatureAction for .esa files
A bug introduced in the featureUtility command caused a
NullPointerException
to occur when trying to install a feature with using the Enterprise Subsystem Archive (ESA) packaging denoted by an.esa
extension.java.lang.NullPointerException at com.ibm.ws.install.internal.InstallUtils.getFeatureName(InstallUtils.java:794) at com.ibm.ws.install.featureUtility.cli.InstallFeatureAction.esaInstallInit(InstallFeatureAction.java:188) ....
This is has been resolved, and invoking
./featureUtility installFeature x.esa
to install ESA features no longer throws an NPE. -
HTTP/2 Intermittent server quiesce failure when stream is closed with an exception
An intermittent issue can occur causing threads to hang when an exception occurs on an HTTP/2 connection. This results in a quiesce warning being issued during a server stop.
The issue has been resolved and the HTTP/2 streams and connections and the threads managing now stop without error, even in exception conditions.
-
Liberty default HttpAuthenticationMechanisms do not call HttpMessageContext.responseUnauthorized
HttpMessageContextWrapper
must override theresponseUnauthorized
method. Due to a bug, Liberty’sHttpAuthenticationMechanisms
did not callHttpMessageContext.responseUnauthorized
, which prevented users from enriching the response, for example, by adding headers.This issue has been resolved and the default
HttpAuthenticationMechanisms
now properly callsHttpMessageContext.responseUnauthorized
for unauthorized requests. -
JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() return incorrect version
If a Pages, formerly known as JSP, application calls
JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion()
, the wrong version is returned. The value is coded to return2.1
rather than the correct specification version.The issue has been resolved, and the correct version is now returned. For example,
jsp-2.2
returns2.2
andpages-3.0
returns3.0
. -
OidcClientImpl does not properly declare a dependency on SecurityService
When invoking
request.logout()
from aServletFilter
that intercepts traffic to theibm_security_logout
form-based logout URL , the following NPE might occur:java.lang.NullPointerException Stack Dump = java.lang.NullPointerException at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.authenticateSubject(OidcClientImpl.java:749) at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.handleOidcCookie(OidcClientImpl.java:722) at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.logout(OidcClientImpl.java:663) at com.ibm.ws.webcontainer.security.AuthenticateApi.logoutUnprotectedResourceServiceRef(AuthenticateApi.java:244) at com.ibm.ws.webcontainer.security.AuthenticateApi.logout(AuthenticateApi.java:189) at com.ibm.ws.webcontainer.security.AuthenticateApi.logoutServlet30(AuthenticateApi.java:627) at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.logout(WebAppSecurityCollaboratorImpl.java:1212) at com.ibm.ws.webcontainer.srt.SRTServletRequest.logout(SRTServletRequest.java:3956) at javax.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:376) at com.ibm.bpm.servlet.filters.GenericSecurityServletFilter.doFilter(GenericSecurityServletFilter.java:327) at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
The issue has been resolved by declaring
OidcClientImpl
dependent onSecurityService
and the NPE no longer occurs.
New and updated guides since the previous release
As Open Liberty features and functionality continue to grow, we continue to add new guides to openliberty.io on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers.
-
Bidirectional communication between services using Jakarta WebSocket
-
Learn how to use Jakarta WebSocket to send and receive messages between services without closing the connection.
-
-
Streaming messages between client and server services using gRPC
-
Learn how to use gRPC unary calls, server streaming, client streaming, and bidirectional streaming to communicate between Java client and server services with Open Liberty.
-
Get Open Liberty 22.0.0.13 now
Available through Maven, Gradle, Docker, and as a downloadable archive.