Apache TomEE 8.0.14 has been released. It is a maintenance release with some bug fixes and dependency upgrades.

Thank you to everyone who contributed to this release, including all of our users and the people who submitted bug reports or contributed code or documentation enhancements.

Dependency upgrade

Bug

  • TOMEE-4120 Remote EJB2 BMP Memory Leak

  • TOMEE-4122 Performance Regression in bean resolution in EAR files

  • TOMEE-4101 Typo with EL22Adaptor implementation in openwebbeans.properties

  • TOMEE-4102 TomEE logs SEVERE: Expected ContextBinding to have the method getThreadName()

  • TOMEE-4106 TomEE version no longer appearing at default manager page

  • TOMEE-4014 Unable to see TomEE version in Tomcat home page with Java 17

  • TOMEE-4108 Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth mechanism

  • TOMEE-3779 tomee-embedded-maven-plugin fails with NPE

Improvement

  • TOMEE-4124 Remove timing of timing just for logging

Task

Documentation

  • TOMEE-4104 Documentation Website: XA DataSource Configuration: Bug in MySQL Sample Code

Fixed Common Vulnerabilities and Exposures (CVEs)

  • TOMEE-4086 HSQLDB 2.7.1

  • TOMEE-4125 Update Apache CXF versions to mitigate CVE-2022-46364 and CVE-2022-46363

  • TOMEE-4103 Update woodstox-core to mitigate CVE-2022-40153

  • TOMEE-4111 Upgrade bcel component in TomEE

  • TOMEE-4176 CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE’s tomcat-websocket.jar

  • TOMEE-4169 SnakeYAML - CVE-2022-1471

Additional Information

Please note:

CVE-2022-1471: SnakeYAML is a transitive dependency of jackson-dataformat-yaml (which is used in OpenAPI). According to the Jackson maintainers, they are not affected: https://github.com/FasterXML/jackson-dataformats-text/issues/361