diff --git a/module/osgi-jpa/src/main/java/org/glassfish/osgijpa/EclipseLinkEnhancer.java b/module/osgi-jpa/src/main/java/org/glassfish/osgijpa/EclipseLinkEnhancer.java
index f112a39..2c7d87d 100644
--- a/module/osgi-jpa/src/main/java/org/glassfish/osgijpa/EclipseLinkEnhancer.java
+++ b/module/osgi-jpa/src/main/java/org/glassfish/osgijpa/EclipseLinkEnhancer.java
@@ -33,6 +33,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URISyntaxException;
+import java.nio.file.Files;
 import java.util.jar.JarFile;
 import java.util.jar.Manifest;
 import java.util.logging.Level;
@@ -197,7 +198,7 @@ private void updateManifest(final File mf) throws IOException {
 * @throws IOException if it fails to create the directory
 */
 public static File makeTmpDir(final String prefix) throws IOException {
- File tmpDir = File.createTempFile(prefix, "");
+ File tmpDir = Files.createTempFile(prefix, "").toFile();
 // create a directory in place of the tmp file.
 tmpDir.delete();
diff --git a/module/osgi-web-container/src/main/java/org/glassfish/osgiweb/SunWebXmlParser.java b/module/osgi-web-container/src/main/java/org/glassfish/osgiweb/SunWebXmlParser.java
index 38c92dc..1aaa269 100644
--- a/module/osgi-web-container/src/main/java/org/glassfish/osgiweb/SunWebXmlParser.java
+++ b/module/osgi-web-container/src/main/java/org/glassfish/osgiweb/SunWebXmlParser.java
@@ -37,6 +37,7 @@ final class SunWebXmlParser {
 static {
 XMLIF = XMLInputFactory.newInstance();
 XMLIF.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ XMLIF.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 }
 /**
diff --git a/sample/embeddedgf/provisioner/src/main/java/org/glassfish/fighterfish/sample/embeddegf/provisioner/Activator.java b/sample/embeddedgf/provisioner/src/main/java/org/glassfish/fighterfish/sample/embeddegf/provisioner/Activator.java
index 24cb33d..90b0ad3 100644
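Review bot: Switching to `Files.createTempFile` only protects the temporary file; the next visible line deletes it, and the directory that presumably replaces it (outside the hunk) is created through a separate call, so the owner-only permissions that `Files.createTempFile` applies are discarded and the delete-then-recreate window lets another local process claim the same name first. `Files.createTempDirectory(prefix)` creates the directory atomically with the same restrictive default permissions, so the body can become `File tmpDir = Files.createTempDirectory(prefix).toFile();` with the `tmpDir.delete()` line (and the directory creation that presumably follows it) removed. The ignored boolean result of `tmpDir.delete()` disappears with the same change. The rest of makeTmpDir lies outside the hunk.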
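Review bot: The added `IS_SUPPORTING_EXTERNAL_ENTITIES` line deserves a comment saying why it is set alongside `SUPPORT_DTD`, because a later reader may judge one of the two redundant and drop it; StAX implementations differ in whether disabling DTD support alone stops external entity resolution, so setting both is the portable way to rule out XXE. Suggested comment above the two `setProperty` calls: `// Harden against XXE: disable DTD processing and external entity resolution; implementations differ in which property is honoured, so set both`. The static initializer is fully visible in the hunk.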
--- a/sample/embeddedgf/provisioner/src/main/java/org/glassfish/fighterfish/sample/embeddegf/provisioner/Activator.java
+++ b/sample/embeddedgf/provisioner/src/main/java/org/glassfish/fighterfish/sample/embeddegf/provisioner/Activator.java
@@ -104,7 +104,10 @@ public void extractZip(ZipInputStream zis) throws IOException {
 int size = 0;
 while ((ze = zis.getNextEntry()) != null) {
 logger.logp(Level.FINER, "Activator", "extractZip", "ZipEntry name = {0}, size = {1}", new Object[]{ze.getName(), ze.getSize()});
- java.io.File f = new java.io.File(dest + java.io.File.separator + ze.getName());
+ java.io.File f = new File(dest, ze.getName());
+ if (!f.toPath().normalize().startsWith(dest.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (ze.isDirectory()) {
 if (!f.exists()) {
 if (!f.mkdirs()) {
diff --git a/test/app/app5/src/main/java/org/glassfish/fighterfish/test/app5/UserNumberBean.java b/test/app/app5/src/main/java/org/glassfish/fighterfish/test/app5/UserNumberBean.java
index 0a21655..c609f56 100644
--- a/test/app/app5/src/main/java/org/glassfish/fighterfish/test/app5/UserNumberBean.java
+++ b/test/app/app5/src/main/java/org/glassfish/fighterfish/test/app5/UserNumberBean.java
@@ -20,6 +20,7 @@
 import javax.faces.context.FacesContext;
 import javax.faces.validator.ValidatorException;
+import java.security.SecureRandom;
 import java.util.Random;
 /**
@@ -67,7 +68,7 @@ public final class UserNumberBean {
 */
 @SuppressWarnings("checkstyle:MagicNumber")
 public UserNumberBean() {
- Random randomGR = new Random();
+ Random randomGR = new SecureRandom();
 do {
 this.randomInt = randomGR.nextInt(10);
 } while (this.randomInt == 0);
diff --git a/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java b/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java
index e8e3359..4096d3a 100644
--- a/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java
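Review bot: The new traversal guard is sound, but the rejection message `"Bad zip entry"` drops the one value needed to diagnose a blocked archive; include the entry name, `throw new IOException("Bad zip entry: " + ze.getName());`. `dest.toPath().normalize()` is also recomputed on every iteration; hoisting `Path root = dest.toPath().normalize();` above the `while` and checking `f.toPath().normalize().startsWith(root)` does one normalize per entry (this needs a `java.nio.file.Path` import, which is not visible in the hunk). The same two points apply to the identical guard added in ZipUtil.extractZip. The loop body and the enclosing method continue outside the hunk.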
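Review bot: With the generator now a `SecureRandom`, the `do { … } while (this.randomInt == 0)` rejection loop under the changed line is an indirect way to draw a value in 1..9; `this.randomInt = randomGR.nextInt(9) + 1;` yields the same uniform range in one call and removes the loop. A short comment on the changed line would also keep a future reader from reverting it, since a bean picking a number is an unusual place for `SecureRandom`: `// SecureRandom: java.util.Random output is predictable once a few draws are observed`. The constructor's closing brace lies outside the hunk.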
+++ b/test/util/src/main/java/org/glassfish/fighterfish/test/util/ZipUtil.java
@@ -99,8 +99,10 @@ public static void extractZip(final ZipInputStream zis, final File destDir)
 LOGGER.logp(Level.FINER, "ZipUtil", "extractZip", "ZipEntry name = {0}, size = {1}", new Object[]{ze.getName(), ze.getSize()});
- java.io.File f = new java.io.File(destDir + java.io.File.separator
- + ze.getName());
+ java.io.File f = new File(destDir, ze.getName());
+ if (!f.toPath().normalize().startsWith(destDir.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (ze.isDirectory()) {
 if (!f.exists()) {
 if (!f.mkdirs()) {
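Review bot: The new declaration mixes a fully qualified `java.io.File f` on the left with an unqualified `new File(destDir, ze.getName())` on the right; the method signature in the hunk header already uses bare `File`, so the import exists and the line can simply read `File f = new File(destDir, ze.getName());`. The removed lines were wrapped at a short column, which suggests a checkstyle line-length rule in this module; the new `if (!f.toPath()…)` line is longer than the removed ones and may trip that rule, which hoisting the normalized destination into a local above the loop would also avoid. The same mixed qualification appears in the Activator.extractZip hunk. The method body continues outside the hunk.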