There is a level 7 CVE published on 2024-09-11 for Payara server < 6.2024.9
https://www.cvedetails.com/vulnerability-list/vendor_id-25517/year-2024/opopenred-1/Payara.html
For Borealis we are running DV v6.2 in Payara v6.2023.8. Wondering if updating to the latest version of Payara for 6.2 will cause any issue?
Hmm, I'm not sure if we use the thing mentioned in the CVE. This: https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Using%20REST%20Interfaces%20for%20Server%20Administration.html
But as to your question, I'm not sure. It might work.
Here is the related issue/PR. https://github.com/payara/Payara/pull/6889
Honestly, I doubt this is a high risk unless you expose port 4848, as the management REST API is tucked away.
On a related note: CVE is by far not what it once was anymore. The quality of the content has degraded over time, and there is a heated discussion around how risks are assigned a score. Personally, I take any CVE with a good grain of salt.
@Bikram in case you want to test drive an upgrade, maybe using a container setup helps. You simply need to build the base image and application images with a newer Payara version by using a Maven property.
Thank you @Philip Durbin @Oliver Bertuch. I'll let our security manager know; he flagged this issue.
Sure. We talked about this during the #containers meeting today, if you're interested: https://harvard.zoom.us/rec/share/U7XC1e0hbcWhrKdE8bh_X3Drf-wXCV6B1LgLNFwnzkIKp00g1wc1rvnCqnXr7mcY.z74fpUPWL8l9oPEf
Bikram has marked this topic as resolved.
Last updated: Nov 01 2025 at 14:11 UTC