
CVE and notable bug fixes in 24.0.0.5

David Mueller on May 21, 2024

Open Liberty 24.0.0.5 provides some significant bug fixes, including several that address CVEs. If you’re interested in features and functionality that we have in progress, such as Jakarta EE 11, take a look at our recent beta blog posts.

In Open Liberty 24.0.0.5:

Develop and run your apps using 24.0.0.5

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.10.3</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.8.3'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.


Security vulnerability (CVE) fixes in this release

CVE            | CVSS score by X-Force® | Vulnerability assessment | Versions affected   | Version fixed | Notes
---------------|------------------------|--------------------------|---------------------|---------------|------
CVE-2024-27268 | 5.9                    | Denial of service        | 18.0.0.2 - 24.0.0.4 | 24.0.0.5      | Affects the servlet-3.1, servlet-4.0, servlet-5.0, and servlet-6.0 features
CVE-2024-22353 | 5.9                    | Denial of service        | 17.0.0.3 - 24.0.0.4 | 24.0.0.5      | Affects the openidConnectClient-1.0 and socialLogin-1.0 features
CVE-2024-25026 | 5.9                    | Denial of service        | 17.0.0.3 - 24.0.0.4 | 24.0.0.5      | Affects the servlet-3.1, servlet-4.0, servlet-5.0, and servlet-6.0 features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 24.0.0.5.

  • FeatureUtility custom repository connection issue

    In some scenarios, the FeatureUtility connection test to a custom repository (base URL) receives a 400 response code and fails to recognize the repository as working. Failing fast on such a response is wrong: some users do not have access to the whole repository but do have access to specific artifacts within it, and in those cases the base URL can return 400, 403, or similar codes.

  • Incompatibility reported between sipServlet-1.1 and WebSockets

    The following ClassCastException occurs when sipServlet-1.1 is used together with a WebSocket feature:

    java.lang.ClassCastException: com.ibm.wsspi.sip.converge.ConvergedHttpSessionContextImpl incompatible with com.ibm.ws.webcontainer31.session.IHttpSessionContext31 com.ibm.ws.wsoc.WebSocketServletContainerInitialize

  • FeatureUtility prints a warning when user repositories don't have authentication

    When users specify Maven repositories without authentication, the featureUtility command prints the following warning in verbose mode:

    CWWKF1374E: The password is not encrypted. Password must be encrypted using the securityUtility command with the AES cryptography algorithm as the recommended --encoding option.
