Apache TomEE 8.0.13 has been released. It is a maintenance release with some bug fixes and dependencies upgrades.

Thank you to everyone who contributed to this release, including all of our users and the people who submitted bug reports, contributed code or documentation enhancements.

Dependency upgrade

New Feature

Bug

  • TOMEE-4021 Unexpected ehcache 3.8.1 in tomee/lib

  • TOMEE-3850 HTTP(S) connections are not reused

  • TOMEE-4014 Unable to see TomEE version in Tomcat home page with Java 17

  • TOMEE-3979 service.bat issue when using JRE_HOME on Windows

  • TOMEE-4041 4 CVE Vulnerabilities in snakeyaml-1.30.jar

  • TOMEE-4001 CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability

Improvement

  • TOMEE-3878 Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x

Task

Documentation

  • TOMEE-4023 Comparison pages with wrong specs per profiles

  • TOMEE-3981 update javadoc to reflect updates on Jakarta EE

Fixed Common Vulnerabilities and Exposures (CVEs)

  • TOMEE-4041 4 CVE Vulnerabilities in snakeyaml-1.30.jar

  • TOMEE-4001 CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability

  • TOMEE-4088 Add workaround for CVE-2022-41853 (hsqldb)

Additional Information

Please note:

(1) CVE-2022-42003 (jackson-databind): Users are only affected if UNWRAP_SINGLE_VALUE_ARRAYS is enabled. The mitigation is included in 2.14.0-rc1; as per the mailing list discussion, we are fine shipping an RC version.
(2) CVE-2022-41853 (hsqldb): As v2.7.1 wasn't available at voting time, TomEE sets "hsqldb.method_class_names" to an invalid value to mitigate the vulnerability. Users can override the property as needed.