back to all blogsSee all blog posts

Configurable maximum FFDC age along with CVE and other notable bug fixes in Open Liberty

image of author
Michal Broz on Dec 20, 2022
Post available in languages: 日本語 ,

Open Liberty provides the ability to automatically purge FFDC log files after they reach a configured age. This release also provides many significant bug fixes, including two that address CVEs in gRPC and gRPC Client. Two new guides, covering the topics of gRPC and WebSocket, also join our extensive list of guides. If you’re interested in features and functionality that we have in progress, like Jakarta EE 10, MicroProfile 6, and InstantOn, take a look at the recent beta blog posts.

In Open Liberty

Along with the new features and functions added to the runtime, we’ve also made updates to our guides.

View the list of fixed bugs in

Run your apps using

If you’re using Maven, here are the coordinates:


Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[,)'

Or if you’re using Docker:

FROM open-liberty

Or take a look at our Downloads page.

Ask a question on Stack Overflow

Configurable maximum FFDC age

Open Liberty provides First Failure Data Capture(FFDC) capability, which instantly collects information about events and conditions that might lead up to a failure. In certain scenarios, the number of files in the FFDC directory can grow to a very large amount. Previously, Open Liberty automatically purged FFDC files in excess of 500 and this value was not configurable. This release introduces new functionality that automatically purges FFDC log files after they reach a configured age. You can specify this age with a new configuration attribute, maxFfdcAge.

maxFfdcAge is the maximum desired age before an FFDC file is deleted. At midnight everyday, any FFDC file that has reached the maximum configured age will be deleted. Specify a positive integer followed by a unit of time, which can be days (d), hours (h), or minutes (m). For example, specify 2 days as 2d. You can include multiple values in a single entry. For example, 2d6h is equivalent to 2 days and 6 hours.

Example server.xml configuration:

    <logging maxFfdcAge="2d"/>

Security vulnerability (CVE) fixes in this release

CVE CVSS Score Vulnerability Assessment Versions Affected Notes



Denial of service -

Affects the grpc-1.0 and grpcClient-1.0 features



Denial of service -

Affects the grpc-1.0 and grpcClient-1.0 features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in

  • NullPointerException in InstallFeatureAction for .esa files

    A bug introduced in the featureUtility command caused a NullPointerException to occur when trying to install a feature with using the Enterprise Subsystem Archive (ESA) packaging denoted by an .esa extension.


    This is has been resolved, and invoking ./featureUtility installFeature x.esa to install ESA features no longer throws an NPE.

  • HTTP/2 Intermittent server quiesce failure when stream is closed with an exception

    An intermittent issue can occur causing threads to hang when an exception occurs on an HTTP/2 connection. This results in a quiesce warning being issued during a server stop.

    The issue has been resolved and the HTTP/2 streams and connections and the threads managing now stop without error, even in exception conditions.

  • Liberty default HttpAuthenticationMechanisms do not call HttpMessageContext.responseUnauthorized

    HttpMessageContextWrapper must override the responseUnauthorized method. Due to a bug, Liberty’s HttpAuthenticationMechanisms did not call HttpMessageContext.responseUnauthorized, which prevented users from enriching the response, for example, by adding headers.

    This issue has been resolved and the default HttpAuthenticationMechanisms now properly calls HttpMessageContext.responseUnauthorized for unauthorized requests.

  • JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() return incorrect version

    If a Pages, formerly known as JSP, application calls JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion(), the wrong version is returned. The value is coded to return 2.1 rather than the correct specification version.

    The issue has been resolved, and the correct version is now returned. For example, jsp-2.2 returns 2.2 and pages-3.0 returns 3.0.

  • OidcClientImpl does not properly declare a dependency on SecurityService

    When invoking request.logout() from a ServletFilter that intercepts traffic to the ibm_security_logout form-based logout URL , the following NPE might occur:

    Stack Dump = java.lang.NullPointerException
            at javax.servlet.http.HttpServletRequestWrapper.logout(

    The issue has been resolved by declaring OidcClientImpl dependent on SecurityService and the NPE no longer occurs.

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we continue to add new guides to on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers.

Get Open Liberty now