Configurable maximum FFDC age along with CVE and other notable bug fixes in Open Liberty 22.0.0.13

Michal Broz on Dec 20, 2022

announcements , release , security ,

Post available in languages: 日本語 ,

Open Liberty 22.0.0.13 provides the ability to automatically purge FFDC log files after they reach a configured age. This release also provides many significant bug fixes, including two that address CVEs in gRPC and gRPC Client. Two new guides, covering the topics of gRPC and WebSocket, also join our extensive list of guides. If you’re interested in features and functionality that we have in progress, like Jakarta EE 10, MicroProfile 6, and InstantOn, take a look at the recent beta blog posts.

In Open Liberty 22.0.0.13:

Configurable maximum FFDC age
Security Vulnerability (CVE) Fixes
Notable bug fixes

Along with the new features and functions added to the runtime, we’ve also made updates to our guides.

View the list of fixed bugs in 22.0.0.13.

Check out previous Open Liberty GA release blog posts.

Run your apps using 22.0.0.13

If you’re using Maven, here are the coordinates:

<dependency>
    <groupId>io.openliberty</groupId>
    <artifactId>openliberty-runtime</artifactId>
    <version>22.0.0.13</version>
    <type>zip</type>
</dependency>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[22.0.0.13,)'
}

Or if you’re using Docker:

FROM open-liberty

Or take a look at our Downloads page.

Configurable maximum FFDC age

Open Liberty provides First Failure Data Capture(FFDC) capability, which instantly collects information about events and conditions that might lead up to a failure. In certain scenarios, the number of files in the FFDC directory can grow to a very large amount. Previously, Open Liberty automatically purged FFDC files in excess of 500 and this value was not configurable. This release introduces new functionality that automatically purges FFDC log files after they reach a configured age. You can specify this age with a new configuration attribute, maxFfdcAge.

maxFfdcAge is the maximum desired age before an FFDC file is deleted. At midnight everyday, any FFDC file that has reached the maximum configured age will be deleted. Specify a positive integer followed by a unit of time, which can be days (d), hours (h), or minutes (m). For example, specify 2 days as 2d. You can include multiple values in a single entry. For example, 2d6h is equivalent to 2 days and 6 hours.

Example server.xml configuration:

<server>
    <logging maxFfdcAge="2d"/>
</server>

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2022-3509	5.7	Denial of service	21.0.0.2 - 22.0.0.12	Affects the grpc-1.0 and grpcClient-1.0 features
CVE-2022-3171	5.7	Denial of service	21.0.0.2 - 22.0.0.12	Affects the grpc-1.0 and grpcClient-1.0 features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 22.0.0.13.

NullPointerException in InstallFeatureAction for .esa files

A bug introduced in the featureUtility command caused a NullPointerException to occur when trying to install a feature with using the Enterprise Subsystem Archive (ESA) packaging denoted by an .esa extension.
```
java.lang.NullPointerException
        at com.ibm.ws.install.internal.InstallUtils.getFeatureName(InstallUtils.java:794)
        at com.ibm.ws.install.featureUtility.cli.InstallFeatureAction.esaInstallInit(InstallFeatureAction.java:188)
        ....
```
This is has been resolved, and invoking ./featureUtility installFeature x.esa to install ESA features no longer throws an NPE.
HTTP/2 Intermittent server quiesce failure when stream is closed with an exception

An intermittent issue can occur causing threads to hang when an exception occurs on an HTTP/2 connection. This results in a quiesce warning being issued during a server stop.

The issue has been resolved and the HTTP/2 streams and connections and the threads managing now stop without error, even in exception conditions.
Liberty default HttpAuthenticationMechanisms do not call HttpMessageContext.responseUnauthorized

HttpMessageContextWrapper must override the responseUnauthorized method. Due to a bug, Liberty’s HttpAuthenticationMechanisms did not call HttpMessageContext.responseUnauthorized, which prevented users from enriching the response, for example, by adding headers.

This issue has been resolved and the default HttpAuthenticationMechanisms now properly calls HttpMessageContext.responseUnauthorized for unauthorized requests.
JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() return incorrect version

If a Pages, formerly known as JSP, application calls JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion(), the wrong version is returned. The value is coded to return 2.1 rather than the correct specification version.

The issue has been resolved, and the correct version is now returned. For example, jsp-2.2 returns 2.2 and pages-3.0 returns 3.0.

OidcClientImpl does not properly declare a dependency on SecurityService

When invoking request.logout() from a ServletFilter that intercepts traffic to the ibm_security_logout form-based logout URL , the following NPE might occur:

java.lang.NullPointerException
Stack Dump = java.lang.NullPointerException
        at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.authenticateSubject(OidcClientImpl.java:749)
        at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.handleOidcCookie(OidcClientImpl.java:722)
        at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.logout(OidcClientImpl.java:663)
        at com.ibm.ws.webcontainer.security.AuthenticateApi.logoutUnprotectedResourceServiceRef(AuthenticateApi.java:244)
        at com.ibm.ws.webcontainer.security.AuthenticateApi.logout(AuthenticateApi.java:189)
        at com.ibm.ws.webcontainer.security.AuthenticateApi.logoutServlet30(AuthenticateApi.java:627)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.logout(WebAppSecurityCollaboratorImpl.java:1212)
        at com.ibm.ws.webcontainer.srt.SRTServletRequest.logout(SRTServletRequest.java:3956)
        at javax.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:376)
        at com.ibm.bpm.servlet.filters.GenericSecurityServletFilter.doFilter(GenericSecurityServletFilter.java:327)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)

The issue has been resolved by declaring OidcClientImpl dependent on SecurityService and the NPE no longer occurs.

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we continue to add new guides to openliberty.io on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers.

Bidirectional communication between services using Jakarta WebSocket
- Learn how to use Jakarta WebSocket to send and receive messages between services without closing the connection.
Streaming messages between client and server services using gRPC
- Learn how to use gRPC unary calls, server streaming, client streaming, and bidirectional streaming to communicate between Java client and server services with Open Liberty.

Get Open Liberty 22.0.0.13 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

See all blog posts