
Stronger password encryption and updated guides in 25.0.0.2

David Mueller on Feb 25, 2025

The 25.0.0.2 release includes 256-bit AES password encryption, updates to our Open Liberty guides, and a CVE fix.

In Open Liberty 25.0.0.2:

View the list of fixed bugs in 25.0.0.2.

Develop and run your apps using 25.0.0.2

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.2</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.2'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.


Support for AES-256 password encryption

Open Liberty supports Advanced Encryption Standard (AES) encryption for passwords that are stored in the server.xml file. This AES encryption now uses a 256-bit key. For AES decryption, Open Liberty supports both AES-128 and AES-256. Previously, Open Liberty AES password encryption and decryption used only a 128-bit key. The 256-bit key provides stronger encryption, making encrypted passwords more secure.

To encrypt a password with AES-256 encryption, run the securityUtility encode command from the wlp/bin directory with the --encoding=aes option.

securityUtility encode --encoding=aes superAES256password

The response is a 256-bit AES encrypted password, similar to the following example:

{aes}ARAmkTCr3of9G0gvieyx7NtHFbeX5fiueD6yGTvnYzyFMxyg7Cd5V6Ew34uxunYb0pYixwDiR6V2qCx2Yxm9io4KBZiW8T9GJLCut1ClauY7GNBM6lFM+PMZfCaScPzUgSE07PJYI37WQ8lSzjaeWGCA+K5dlA==

You can now use this password in your server.xml file, for example in your keystore definition:

<keyStore id="MyKeyStore" password="{aes}ARAmkTCr3of9G0gvieyx7NtHFbeX5fiueD6yGTvnYzyFMxyg7Cd5V6Ew34uxunYb0pYixwDiR6V2qCx2Yxm9io4KBZiW8T9GJLCut1ClauY7GNBM6lFM+PMZfCaScPzUgSE07PJYI37WQ8lSzjaeWGCA+K5dlA==" />
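To find the passwords in a server.xml file that are not yet stored with the {aes} encoding, a short audit script helps. The following Python script is an added example, not part of the original post or the Open Liberty project. The sample configuration is constructed, and the {xor} prefix and the ${...} variable syntax are Liberty conventions that the post itself does not mention.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the post). The {aes} and {xor}
# values are placeholders, not real securityUtility output.
SAMPLE_SERVER_XML = """<server>
    <keyStore id="MyKeyStore" password="{aes}PLACEHOLDER_AES_VALUE==" />
    <keyStore id="LegacyStore" password="{xor}PLACEHOLDER_XOR_VALUE" />
    <dataSource id="ds1">
        <properties user="app" password="changeit" />
    </dataSource>
    <ldapRegistry id="ldap" bindPassword="${ldap.bind.password}" />
</server>"""

ENCODING_PREFIX = re.compile(r"^\{([A-Za-z0-9]+)\}")
WEAK = {"plaintext", "xor"}  # kinds that should be re-encoded with --encoding=aes

def classify(value):
    """Return the storage kind of one password attribute value."""
    value = value.strip()
    if not value:
        return "empty"
    if "${" in value:            # value is supplied through a Liberty variable
        return "variable"
    match = ENCODING_PREFIX.match(value)
    return match.group(1).lower() if match else "plaintext"

def audit(xml_text):
    """List (location, attribute, kind) for every *password attribute."""
    findings = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.get("id"):
            here += f"[@id='{elem.get('id')}']"
        for name, value in elem.attrib.items():
            if name.lower().endswith("password"):
                findings.append((here, name, classify(value)))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return findings

def weak_findings(xml_text):
    """Only the entries stored as plaintext or with the reversible {xor} encoding."""
    return [f for f in audit(xml_text) if f[2] in WEAK]

if __name__ == "__main__":
    for location, attr, kind in audit(SAMPLE_SERVER_XML):
        note = "re-encode with --encoding=aes" if kind in WEAK else "ok"
        print(f"{kind:10} {location} @{attr}  {note}")
```

The script does not try to tell AES-128 values from AES-256 values. Values that were encoded before 25.0.0.2 need to be run through securityUtility encode again to use the 256-bit key.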

For more information, see the following resources:

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we add new guides to openliberty.io on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs or issues, keep their content current, and expand what their topic covers.

Security vulnerability (CVE) fixes in this release

| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
|---|---|---|---|---|
| CVE-2024-47535 | 5.5 | Denial of service | 21.0.0.2 - 25.0.0.1 | Affects the grpc-1.0 and grpcClient-1.0 features |

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 25.0.0.2 now