
MicroProfile 7.0 and improvements for SameSite cookie handling in 24.0.0.12

David Mueller on Dec 3, 2024

The 24.0.0.12 release introduces support for MicroProfile 7.0, a major MicroProfile release. It also provides a way to handle incompatible client versions when you use SameSite cookies.

In Open Liberty 24.0.0.12:

View the list of fixed bugs in 24.0.0.12.

Develop and run your apps using 24.0.0.12

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.1</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.1'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging, and application management all from within your IDE.


Develop your microservice applications with MicroProfile 7.0

MicroProfile provides a set of APIs and tools for developing, deploying, and managing microservices in a lightweight and efficient manner. The 24.0.0.12 release adds support for the MicroProfile programming model version 7.0, a major release. It replaces MicroProfile Metrics with MicroProfile Telemetry. Therefore, MicroProfile Metrics moves out of the umbrella release and becomes a stand-alone specification. This release also introduces the new versions of the MicroProfile OpenAPI, Rest Client, Fault Tolerance, and Telemetry features. For more information, see MicroProfile 7.0 deep dive with Open Liberty.

Check for SameSite=None incompatible clients

In 24.0.0.12, you can now use SameSite=None cookies without the worry of breaking certain client versions. Previously, cookies with the SameSite=None attribute were rejected or mishandled (treated as SameSite=Strict) if they were sent to an incompatible client version. Now, Open Liberty intercepts cookies with the SameSite=None attribute before they are sent to the web browser and checks whether the User-Agent header specifies an incompatible client version. If an incompatible client is detected, the SameSite=None and Partitioned attributes (if present) are removed from the cookie.
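The check described above can be sketched as follows. This is an added example, not Open Liberty's implementation: the class and method names are hypothetical, and the client rules (Chrome 51 to 66, iOS 12, Safari on macOS 10.14) are an assumption taken from the Chromium project's published list of SameSite=None incompatible clients, because the post does not say which clients are checked. UC Browser and embedded macOS browsers from that list are left out to keep the example short.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SameSiteNoneCompat {
    // Assumed client rules (Chromium's published incompatible-client list), not Open Liberty's code.
    private static final Pattern CHROMIUM = Pattern.compile("Chrom(?:e|ium)/(\\d{1,4})\\.");
    private static final Pattern IOS = Pattern.compile("\\(iP.+; CPU .*OS (\\d{1,3})[_\\d]*.*\\) AppleWebKit/");
    private static final Pattern MACOS =
        Pattern.compile("\\(Macintosh;.*Mac OS X (\\d{1,3})_(\\d{1,3})[_\\d]*.*\\) AppleWebKit/");
    private static final Pattern SAFARI = Pattern.compile("Version/.* Safari/");

    static boolean isIncompatible(String ua) {
        if (ua == null) return false;              // no User-Agent: leave the cookie alone
        Matcher m = CHROMIUM.matcher(ua);
        if (m.find()) {                            // Chrome 51-66 reject SameSite=None cookies
            int major = Integer.parseInt(m.group(1));
            return major >= 51 && major <= 66;
        }
        m = IOS.matcher(ua);
        if (m.find()) return m.group(1).equals("12");   // iOS 12 treats None as Strict
        m = MACOS.matcher(ua);                     // Safari on macOS 10.14 does the same
        return m.find() && m.group(1).equals("10") && m.group(2).equals("14")
            && SAFARI.matcher(ua).find();
    }

    static String rewrite(String setCookie, String userAgent) {
        String[] parts = setCookie.split(";");
        List<String> kept = new ArrayList<>();
        kept.add(parts[0].trim());                 // name=value pair is never touched
        boolean sawNone = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            if (attr.equalsIgnoreCase("SameSite=None")) { sawNone = true; continue; }
            if (attr.equalsIgnoreCase("Partitioned")) continue;
            kept.add(attr);
        }
        // Rewrite only when the cookie is SameSite=None and the client mishandles it.
        if (!sawNone || !isIncompatible(userAgent)) return setCookie;
        return String.join("; ", kept);
    }

    public static void main(String[] args) {
        String cookie = "session=abc123; Path=/; Secure; SameSite=None; Partitioned"; // constructed
        String ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ";
        System.out.println(rewrite(cookie, ua + "Chrome/60.0.3112.113 Safari/537.36"));
        System.out.println(rewrite(cookie, ua + "Chrome/120.0.0.0 Safari/537.36"));
    }
}
```

A cookie that loses SameSite=None falls back to the client's default SameSite handling, so cross-site flows that depend on the cookie should be tested against the older clients you still support.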

Security vulnerability (CVE) fixes in this release

| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
| --- | --- | --- | --- | --- |
| CVE-2024-7254 | 7.5 | Denial of service | 20.0.0.12 - 24.0.0.10 | Affects the grpc-1.0 and grpcClient-1.0 features |

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 24.0.0.12 now