Eclipse GlassFish 8.0.3, the latest version, was released on June 7, 2026. This update focuses heavily on security improvements across various components and introduces significant performance optimizations for both Jakarta Faces rendering and Embedded GlassFish startup times. The release of GlassFish 8.0.3 further reinforces that GlassFish is an actively maintained, enterprise-grade production platform.
Security fixes and brute force prevention
Security is essential for production deployments. GlassFish 8.0.3 brings several critical security fixes and a new mechanism to prevent brute force attacks on admin interfaces.
The most notable security improvement is the fix for CVE-2024-9342 (6.3 MEDIUM), which addresses a vulnerability that allowed Login Brute Force attacks against the Admin interface. The fix covers all admin interfaces: Admin Console, CLI, and HTTP. The login mechanism now progressively delays responses to failed login attempts for the same caller’s IP address, making brute-force password guesses impractical and time-consuming. It includes anti-DDoS measures to prevent attackers from locking out the admin interfaces. It also supports cluster and proxy setups to correctly and safely identify the original caller. And it always lets local connections through so that local administration (from localhost or via an SSH tunnel) is never delayed.
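The behaviour described above, as an added Java example that is not GlassFish's own code: a per-IP throttle whose delay doubles with each failed attempt, exempts loopback, honours X-Forwarded-For only from a trusted proxy, and keeps a bounded table so a flood of source addresses cannot exhaust memory. The class name, delay schedule, table size, reset-on-success rule and single-proxy header handling are assumptions for illustration; the page does not state GlassFish's actual values.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration, not GlassFish code. All constants below are assumptions. */
public class LoginThrottle {
    private static final int MAX_TRACKED = 10_000;          // bounded table size
    private static final long BASE_MS = 250, CAP_MS = 30_000; // first delay and upper bound
    private final Set<String> trustedProxies;               // only these peers may supply X-Forwarded-For
    // Access-ordered map: the least recently seen IP is evicted once MAX_TRACKED is exceeded.
    private final Map<String, Integer> failures = new LinkedHashMap<String, Integer>(16, 0.75f, true) {
        @Override protected boolean removeEldestEntry(Map.Entry<String, Integer> eldest) {
            return size() > MAX_TRACKED;
        }
    };

    public LoginThrottle(Set<String> trustedProxies) { this.trustedProxies = trustedProxies; }

    /** Original caller: use the forwarded address only when the direct peer is a trusted proxy. */
    public String callerIp(String peerIp, String xForwardedFor) {
        if (xForwardedFor == null || !trustedProxies.contains(peerIp)) return peerIp;
        String[] hops = xForwardedFor.split(",");
        return hops[hops.length - 1].trim();   // last entry is the one the trusted proxy appended
    }

    /** Delay to apply before answering the next login attempt from this caller. */
    public synchronized long delayMs(String ip) throws UnknownHostException {
        if (InetAddress.getByName(ip).isLoopbackAddress()) return 0;  // local admin is never delayed
        int n = failures.getOrDefault(ip, 0);
        return n == 0 ? 0 : Math.min(CAP_MS, BASE_MS << Math.min(n - 1, 20));
    }

    public synchronized void recordFailure(String ip) { failures.merge(ip, 1, Integer::sum); }
    public synchronized void recordSuccess(String ip) { failures.remove(ip); } // assumed reset rule

    public static void main(String[] args) throws UnknownHostException {
        LoginThrottle t = new LoginThrottle(Set.of("10.0.0.5"));    // constructed proxy address
        String remote = t.callerIp("10.0.0.5", "198.51.100.7");     // arrives via the trusted proxy
        String direct = t.callerIp("203.0.113.9", "127.0.0.1");     // untrusted peer: header ignored
        for (int i = 1; i <= 8; i++) {
            t.recordFailure(remote);
            System.out.printf("failure %d from %s -> next delay %d ms%n", i, remote, t.delayMs(remote));
        }
        System.out.println("resolved direct caller: " + direct);
        t.recordFailure("127.0.0.1");
        System.out.println("loopback delay: " + t.delayMs("127.0.0.1") + " ms");
    }
}
```

Ignoring the forwarded header from untrusted peers matters here because the loopback exemption would otherwise let any remote caller claim to be 127.0.0.1 and skip the delay.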
In addition to this, GlassFish 8.0.3 includes fixes for several other CVEs in Grizzly and JAXB Impl that have not yet been officially published. These address different areas of the server, including an HTTP smuggling type of attack and a vulnerability involving malicious third-party XML payloads. We are coordinating publication of the CVE reports with the vulnerability reporter and the Eclipse Foundation, and we’ll update the release notes once the CVE details are officially published.
GlassFish 8.0.3 delivers performance gains, making the platform faster and more efficient.
The rendering performance of Jakarta Faces pages has improved by more than 2 times. This speed increase is the result of two complementary improvements: an optimization in the new version of Mojarra that benefits any server running it, and a more significant, GlassFish-specific optimization. Together they bring GlassFish’s rendering speed on par with Tomcat and WildFly, and even slightly faster than Payara or OpenLiberty.
Embedded GlassFish now starts approximately 10% faster. This was achieved by moving the loading of necessary resources out of the critical path. The server now loads several subsystems in parallel before they are needed by the main thread. For microservices and Docker containers, where startup time directly affects how quickly your service is available, this is a meaningful improvement.
Bug fixes
GlassFish 8.0.3 also resolves several bugs that could cause issues in specific scenarios:
Creating a domain with a custom master password now works correctly, fixing a regression introduced in GlassFish 7.1.0.
Deployment of SBOM files was fixed after it stopped working in version 8.0.1.
A NullPointerException during AMX bootstrap for Message-Driven Beans (MDBs) without explicit security-identity configurations has been fixed.
Graceful validation handling for invalid MDB ActivationConfigProperty types was added.
The GlassFish error page generator was fixed.
Duplicate port detection in ServerUtils is now enforced, preventing subtle configuration issues.
Component upgrades and SBOM
A lot of work happened in several components both inside the GlassFish project and in other Eclipse Foundation projects where OmniFish has committers. The OmniFish team coordinated CVE fixes across these projects to ensure a secure and stable release.
GlassFish 8.0.3 upgrades JAXB to 4.0.9 and finally brings a stable upgrade of JAXB after we had to revert the JAXB upgrade in GlassFish 8.0.2 due to stability issues.
Other notable component upgrades in this release include Grizzly 5.0.2, Jackson 2.22.0, Parsson 1.1.9, Nimbus JWT 10.9.1, EclipseLink ASM 9.10, Woodstox 7.2.0, MVC-API 3.0.1, and JSON Bind API 3.0.2.
The generation of the Software Bill of Materials (SBOM) for distribution artifacts was also fixed. After being missing for GlassFish 8.0.1 and 8.0.2, SBOMs are once again downloadable for GlassFish 8.0.3 from Maven Central as classifier artifacts next to the main artifacts, for example in JSON format.
Eclipse GlassFish 8.0.3 is more stable, faster, and more secure than before. If you are evaluating Jakarta EE platforms for a new project, or looking for a reliable home for existing applications, GlassFish backed by OmniFish is worth a serious look. Download 8.0.3 and see for yourself, or reach out to us if you want to talk through your specific setup.