
Version 2.18.2 (July 2025)


Welcome to the Zowe Version 2.18.2 release!

This release includes compatibility changes for the upcoming z/OS 3.2.

See Bug fixes for a list of issues addressed in this release.

Download v2.18.2 build: Want to try new features as soon as possible? You can download the v2.18.2 build from Zowe.org.

New features and enhancements

Zowe Version 2.18.2 contains the enhancements that are described in the following topics:

Zowe Application Framework

ZSS

  • z/OS 3.2 is now supported. (#538)

Zowe API Mediation Layer

  • The configuration property apiml.security.forwardHeader.trustedProxies has been added to specify the regular expression pattern used to identify trusted proxies from which X-Forwarded-* headers are accepted and forwarded. This mitigates CVE-2025-41235. The API ML gateways (including cloud gateways) in Multitenancy Configuration are trusted by default. (#4148 and #4188)
  • A Java sample app has been added to assist users in authenticating client certificates. (#4009)
  • Users can now configure the connectTimeout and readTimeout for the Eureka HTTP client. (#4046)
  • Java 21 is now supported. (#4027)
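
The trustedProxies pattern described above decides which directly connected peers may supply X-Forwarded-* headers, so a loosely written regular expression widens that set. The following is an added example, not code from Zowe or the API ML: the function names, the sample addresses, and the assumption that the pattern must match the whole peer address are all illustrative, so confirm the matching semantics for your API ML version.

```python
import re

# Assumption (not taken from the API ML source): the configured pattern must
# match the entire address of the directly connected peer.

def forwardable_headers(peer_addr, headers, trusted_pattern):
    """Return the headers to forward upstream for a request from peer_addr.

    X-Forwarded-* headers are kept only when the peer matches the trusted
    pattern; every other header passes through unchanged.
    """
    trusted = re.fullmatch(trusted_pattern, peer_addr) is not None
    return {
        name: value
        for name, value in headers.items()
        if trusted or not name.lower().startswith("x-forwarded-")
    }

def audit_pattern(trusted_pattern, should_match, should_not_match):
    """Return the addresses where the pattern disagrees with the operator's intent."""
    wrong = [a for a in should_match if not re.fullmatch(trusted_pattern, a)]
    wrong += [a for a in should_not_match if re.fullmatch(trusted_pattern, a)]
    return wrong

# Constructed sample data using documentation address ranges (RFC 5737).
REQUEST_HEADERS = {
    "Host": "gateway.example.test",
    "X-Forwarded-For": "198.51.100.7",
    "X-Forwarded-Proto": "https",
}
STRICT = r"192\.0\.2\.(10|11)"  # two known proxies, dots escaped
LOOSE = r"192.0.2.1.*"          # unescaped dots and a trailing wildcard

if __name__ == "__main__":
    # Trusted proxy: X-Forwarded-* headers are forwarded.
    print(forwardable_headers("192.0.2.10", REQUEST_HEADERS, STRICT))
    # Unknown peer: X-Forwarded-* headers are dropped, Host is kept.
    print(forwardable_headers("203.0.113.5", REQUEST_HEADERS, STRICT))
    # The loose pattern also trusts hosts that were never meant to be proxies.
    print(audit_pattern(LOOSE, ["192.0.2.10"], ["192.0.2.100", "192.0.2.199"]))
```

Running audit_pattern against a list of known non-proxy addresses before deploying a new pattern catches over-broad expressions such as the LOOSE one.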

Bug fixes

Zowe Version 2.18.2 contains the bug fixes that are described in the following topics:

Zowe Application Framework

  • Fixed an issue of the API Catalog by introducing a workaround. Before the fix, the API Catalog attempted to establish two secure Transport Layer Security (TLS) connections while the API Catalog operated under AT-TLS. Since AT-TLS already handled the secure communication, the attempt by the API Catalog was unnecessary and led to performance overheads or failures in communication. After the fix, the registration information of the API Catalog updates the Eureka client system to indicate to other systems that AT-TLS is in use and provides secure communication. This ensures that the API Catalog and the other services interacting with it recognize the existing secure environment that AT-TLS provides and the API Catalog avoids unnecessary security processing. (#609)

ZSS

  • Fixed an issue where the HTTP client software was unable to handle EWOULDBLOCK errors while processing data from AT-TLS in Zowe. The fix introduced HTTP_CLIENT_UNBLOCKED_TRY_AGAIN (19) and HTTP_CLIENT_SOCKET_TIMEOUT (20) error codes into the HTTP client software to enable the HTTP client software to handle the EWOULDBLOCK errors with greater efficiency. (#534)

  • Fixed an issue where there was a delay in the response from the Gateway after HTTP or AT-TLS contacted the Gateway for Single Sign On (SSO). After the fix, if HTTP or AT-TLS contacts the Gateway for SSO, the Gateway provides an immediate response. (#775, #772)

  • Fixed an issue where Zowe, when installed on the z/OS operating system, stopped working when the version of z/OS changed or was upgraded. After the fix, Zowe continues to work uninterrupted even if the version of the underlying z/OS changes or is upgraded. (#780)

Zowe API Mediation Layer

  • Fixed the Gateway returning empty auth keys from z/OSMF when apiml.security.auth.zosmf.jwtAutoconfiguration is set to jwt. (#4092)
  • Fixed an error where a NullPointerException (NPE) in ApimlPeerEurekaNode stopped heartbeats. (#4195)
  • Fixed the logout implementation in the API Catalog, in which cookies were deleted from the browser but the JWT was not invalidated against the Gateway instance of the Zowe installation. (#4185)
  • Applied a fix that disables Infinispan diagnostics by default. (#4170)
  • Fixed a resource leak in the HTTP client, whereby all objects are now closed after use. (#4153)
  • Added the HSTS header when AT-TLS is enabled for V2. (#4071)
  • Changed error code SERVICE_UNAVAILABLE to INTERNAL_SERVER_ERROR when ticket generation fails. (#4043)

Zowe CLI

DB2 Plug-in for Zowe CLI

  • Updated tar-fs transitive dependency to resolve technical debt. (#177)
  • Updated axios transitive dependency to resolve technical debt. (#175)

Zowe Explorer

Zowe Explorer (Core)

  • See the Zowe Explorer changelog for updates included in this release.

Zowe Explorer API

Zowe Explorer FTP Extension

Zowe Explorer ESLint Plug-in

Vulnerabilities fixed

Zowe discloses fixed vulnerabilities in a timely manner, giving you sufficient time to plan your upgrades. Zowe does not disclose the vulnerabilities fixed in the latest release, as we respect the need for at least 45 days to decide when and how you upgrade Zowe. When a new release is published, Zowe publishes the vulnerabilities fixed in the previous release. For more information about the Zowe security policy, see the Security page on the Zowe website.

The following security issues were fixed by the Zowe security group in version 2.18.1:

  • BDSA-2024-4090
  • BDSA-2023-3495
  • BDSA-2024-5371
  • BDSA-2024-5369