JBoss Enterprise Application Platform 7.2 Update 1 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
Download JBoss Enterprise Application Platform 7.2 Update 1
This update includes fixes for the following security related issues:
ID | Component | Summary |
---|---|---|
CVE-2018-11307 | Server | jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis |
CVE-2019-3805 | Server | Race condition on PID file allows for termination of arbitrary processes by local users |
CVE-2018-14720 | Server | jackson-databind: exfiltration/XXE in some JDK classes |
CVE-2018-14721 | Server | jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class |
CVE-2018-1000873 | Server | jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation |
CVE-2018-12022 | Server | jackson-databind: improper polymorphic deserialization of types from Jodd-db library |
CVE-2019-3894 | Concurrency Utilities | wrong SecurityIdentity for EE concurrency threads that are reused |
CVE-2018-12023 | Server | jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
JBEAP-16204 | | ARTEMIS-2139 - Message sent to JMSReplyTo from old client does not find correct bindings |
JBEAP-16349 | | Add a System.LoggerFinder for Java 9+ |
JBEAP-16332 | | EJBCLIENT-300 - Request should prevent setting session ID for remote protocol <= 2 |
JBEAP-16402 | | EJBCLIENT-316 - Incoming call from client of version prior to 2.0 sets transaction timeout to 0 |
JBEAP-16209 | | ISPN-7863 - Ickle lexer wrongly discards letter v as whitespace ruining parsing of identifiers containing v |
JBEAP-16205 | | ISPN-9303 - NPE with nested protobuf messages and @Indexed(false) |
JBEAP-16207 | | ISPN-9500 - ConcurrentSmallIntSet.clear() does not always set the size to 0 |
JBEAP-16208 | | ISPN-9501 - AbstractCacheStream.performOperationRehashAware() can hang |
JBEAP-16210 | | ISPN-9569 - Indexing is not working for clustered caches if it is transactional |
JBEAP-16211 | | ISPN-9573 - Stopping a cache can lead to unintentional unregistering of another indexed cache query-related MBeans |
JBEAP-16215 | | ISPN-9641 - Using expiration with off heap doesn't subtract size properly with expiration |
JBEAP-16218 | | ISPN-9701 - TransactionTable does not shutdown gracefully |
JBEAP-16216 | | ISPN-9702 - ClassCastException when using converters in remote events |
JBEAP-16219 | | ISPN-9727 - Ickle query ignores an IN clause if there is only one value |
JBEAP-16222 | | ISPN-9742 - Analyzers not working for inner objects |
JBEAP-16220 | | ISPN-9798 - Deadlock in org.infinispan.persistence.manager.PersistenceManagerImpl when using infinispan in Wildfly-14.0.1.Final |
JBEAP-16221 | | ISPN-9800 - Allow PersistenceManager availability check to be disabled |
JBEAP-16193 | | JBTM-3044 - Decouple TransactionContext from JNDI |
JBEAP-16194 | | JBTM-3045 - JTA CDI regression (or Standalone JTA 1.2 Quickstart failure) |
JBEAP-16195 | | JBTM-3047 - Suspending recovery manager causes deadlock when active RecoveryMonitor scan request exists |
JBEAP-16196 | | JBTM-3049 - Setting properties via arjPropertyManager should affect all related config bean instances |
JBEAP-16199 | | JBTM-3064 - After a crash active LRA's are left in a limbo state |
JBEAP-16200 | | JBTM-3066 - Starting a nested LRA via the client API leaves the parent as the current context |
JBEAP-16201 | | JBTM-3078 - JDBC transaction driver does not support MSSQL, the list should be enriched |
JBEAP-16348 | | LOGMGR-210 - Use the StackTraceFormatter to render the stack trace for structured formatters |
JBEAP-16350 | | LOGMGR-236 - java.lang.ArrayIndexOutOfBoundsException: 76 at org.jboss.logmanager.JDKSpecific.calculateCaller(JDKSpecific.java:112) |
JBEAP-16202 | | WFLY-10841 - XA recovery warnings when server reloaded |
JBEAP-16333 | | WFTC-60 - SubordinateXAResource#getRemainingTime is not calculating the remaining time correctly |
JBEAP-16448 | | Make getServletPath return action name or jsp name configurable |
JBEAP-16401 | | [EJBCLIENT-313] IllegalArgumentException in EJBClientInvocationContext.java:1116 |
JBEAP-16385 | | [ELY-1373] IBM JDK, SPNEGO + FORM; with invalid ticket 200 status code is returned |
JBEAP-16386 | | [ELY-1547] SPNEGO: missing negstat field in the first reply for expired token |
JBEAP-16388 | | [ELY-386] Unable to create HTTPS connection when some openssl cipher suite with DHE are used |
JBEAP-16389 | | [ELY-396] Undertow HTTPS listener does not accept EXPORT40 and EXPORT56 cipher strings |
JBEAP-16384 | | [ELYWEB-8] Adding Undertow Constant-Driven authentication mode |
JBEAP-16357 | | [RESTEASY-2047] Typo in MicroprofileClientBuilder |
JBEAP-16440 | | [UNDERTOW-1477] Consider reusing StringBuilders in URLDecodingHandler |
JBEAP-16434 | | [UNDERTOW-1486] Out of memory errors |
JBEAP-16438 | | [UNDERTOW-1487] Multiple invocations of SimpleObjectPool PooledObject.close result in mutation of returned objects |
JBEAP-16439 | | [UNDERTOW-1490] FlexBase64 doesn't use URL table for encoding ByteBuffer |
JBEAP-16437 | | [UNDERTOW-1494] Websockets will always wait the full time on graceful close if there are open connections |
JBEAP-16436 | | [UNDERTOW-1495] add %o: obfuscated remote IP address |
JBEAP-16435 | | [UNDERTOW-1496] Set form default encoding |
JBEAP-16447 | | [UNDERTOW-1499] Make getServletPath return action name or jsp name configurable [details] |
JBEAP-16387 | | [ELY-1549] IBM JDK, SPNEGO + FORM; with invalid ticket 401 status code is returned |
JBEAP-16547 | | CXF-7823 JAXBEncoderDecoder doesn't respect @XmlType's propOrder in Exception class |
JBEAP-16106 | | WFTC-52 - Narayana should be announced about subordinate transaction being finished |
JBEAP-15158 | ActiveMQ | ARTEMIS-2055 - IndexOutOfBoundsException in JDBC HA scenario |
JBEAP-9223 | ActiveMQ | Artemis throws Critical IO Error if new journal file is not created in 5 seconds |
JBEAP-15274 | ActiveMQ | ARTEMIS-2039 - tearDown may interrupt wrong threads after failures |
JBEAP-16562 | ActiveMQ | ARTEMIS-2131 - Error compacting journal |
JBEAP-16527 | ActiveMQ | Artemis Replication does not work with JDK 11 |
JBEAP-16034 | ActiveMQ | ENTMQBR-2197 - Core JMS client leaks temporary destination names [details] |
JBEAP-16203 | ActiveMQ | PagingStore leak when deleting queue [details] |
JBEAP-15544 | ActiveMQ | ARTEMIS-1961 - Track routed and unrouted messages sent to an address |
JBEAP-15451 | ActiveMQ | ARTEMIS-2089 DB2 sending larger message (1MB) crashes the whole server |
JBEAP-15900 | ActiveMQ | DB2 sending larger message (1MB) crashes the whole server |
JBEAP-15780 | Batch | JBERET-459: JBeret batches fail following timed out transactions [details] |
JBEAP-16068 | Batch | WFLY-9658 - Batch jobs in a sub-deployment can be started but not queried [details] |
JBEAP-16329 | Classloading | ManagedExecutorService persists contextClassLoader reference to cause app classloader leaks |
JBEAP-15798 | Clustering | ISPN-9720 - JDK11: An illegal reflective access operation has occurred |
JBEAP-16056 | Clustering | Race condition in InfinispanRouteLocator logic can cause missing route |
JBEAP-16608 | Clustering | WFLY-11088 - Deployment failure if existing HA deployment contains a common EJB class |
JBEAP-15999 | Deployment Scanner | FileSystemDeploymentService#handleNotification() can create an unneeded deployment marker file even if scanEnabled="false" is specified [details] |
JBEAP-16618 | EE | EE deployer adding dependency on org.eclipse.yasson which exposes messages.properties to deployments [details] |
JBEAP-15517 | EE | Leaking connections when multiple EJBs are injecting a JMSContext [details] |
JBEAP-15787 | EJB | EJB-314/EJB-317 - Legacy EJB Client: High communication fail rate during failover |
JBEAP-13745 | EJB | Legacy EJB client: Error getting response. java.lang.ArrayIndexOutOfBoundsException |
JBEAP-16144 | EJB | Not possible to configure more than 1 passivation-store per subdeployment [details] |
JBEAP-15738 | EJB | Server-server EJB transactional invocation rolls back if stateful bean is used and JBOSS-LOCAL-USER auth is not possible [details] |
JBEAP-15874 | EJB | WARN when a clustered EJB is bound to INADDR_ANY (0.0.0.0) as it can not reach back the cluster when not in the same local network |
JBEAP-15713 | EJB | Add Timer script for MariaDB |
JBEAP-15729 | EJB | EJB Timer is not properly set when the database is different than the defaults |
JBEAP-16087 | EJB | WEJBHTTP-18 - HttpEJBReceiver fails under a security manager |
JBEAP-16272 | EJB | Cancelled timer not removed from internal cache when using persistent timers |
JBEAP-16187 | EJB | EJB IIOP server to server issues [details] |
JBEAP-16225 | EJB | Cancelled timer not removed from internal cache when using persistent timers |
JBEAP-16246 | EJB | EJB IIOP server to server issues [details] |
JBEAP-16185 | EJB | EJBCLIENT-315 - Allow to configure DeploymentNodeSelector and ClusterNodeSelector in 'wildfly-config.xml' [details] |
JBEAP-15860 | EJB | Lock is not released when JTS is enabled and a timer is cancelled inside a transaction |
JBEAP-16069 | EJB | WEJBHTTP-20 - EJB over HTTP using Apache httpd via AJP does not work [details] |
JBEAP-15394 | EJB | WildFlyInitialContextFactory EJB proxy security behavior inconsistent with different context lookups |
JBEAP-15882 | Hibernate | HHH-10891 Exception at bootstrap when @Any is inside an @Embeddable object |
JBEAP-15336 | Hibernate | HHH-12917 - HHH-12918 - HHH-12919: Some strategic string interning opportunities |
JBEAP-15841 | Hibernate | HHH-13050 On release of batch it still contained JDBC statements logged; unable to release batch statement |
JBEAP-16190 | Hibernate | HHH-13059 OneToMany with referencedColumnName returns too many entities |
JBEAP-16074 | Hibernate | HHH-13076 - Hibernate “Transaction already active” behavior |
JBEAP-16419 | Hibernate | HHH-13107 JtaWithStatementsBatchTest fails on Oracle |
JBEAP-16191 | Hibernate | HHH-13164 Detecting transient state of mandatory toOne relations is broken |
JBEAP-16099 | Hibernate | HHH-13169 - Table alias used instead of exact table name in multitable update query |
JBEAP-16098 | Hibernate | HHH-13172 - Log a warning instead of throwing an Exception when @AttributeOverride is used in conjunction with inheritance |
JBEAP-16325 | Hibernate | HHH-13244 hibernate.jpa.compliance.proxy=true and DEBUG logging an entity with an uninitialized proxy causes exception |
JBEAP-16421 | Hibernate | HHH-13269 Embeddable collection regression due to HHH-11544 |
JBEAP-15803 | Hibernate | HHH-11209: NullPointerException in EntityType.replace() with a PersistentBag [details] |
JBEAP-14762 | Hibernate | HHH-12555 Merging a blob on an entity results in a class cast exception |
JBEAP-15782 | Hibernate | HHH-13084: Querying entity with non-ID property named 'id' fails if entity has an IdClass composite key [details] |
JBEAP-15899 | Hibernate | HHH-13114 Query "select count(h) from Human h" fails if a subclass has a non-Id property named "id" [details] |
JBEAP-16065 | Hibernate | HHH-13129: Cascaded merge fails for detached bytecode-enhanced entity with uninitialized ToOne [details] |
JBEAP-16330 | Hibernate | HHH-13194: Methods returning org.hibernate.query.Query are not defined for StatelessSession [details] |
JBEAP-16409 | Hibernate | HHH-13262: javax.persistence.TransactionRequiredException: Executing an update/delete query [details] |
JBEAP-16433 | Hibernate | HHH-13281: java.lang.ClassCastException: org.hibernate.internal.SessionImpl cannot be cast to org.hibernate.ejb.HibernateEntityManager [details] |
JBEAP-16443 | Hibernate | HHH-13285 - ClassCastException: org.dom4j.DocumentFactory cannot be cast to org.dom4j.DocumentFactory after dom4j update [details] |
JBEAP-16320 | Hibernate | Performance regression using ByteBuddy byte code enhancement |
JBEAP-15581 | JCA | Enforce the short-running-threads requirement to a distributed workmanager |
JBEAP-15569 | JCA | JCA distributed work manager doesn't allow to add more than one |
JBEAP-15843 | JCA | Inconsistency in JCA Subsystem xsd, boundedqueque is used for worker threads |
JBEAP-15447 | JCA | JBJCA-1382 - Destroy managed connection on failed reconnect |
JBEAP-15328 | JCA | JBJCA-1385 - EAP 7 / xa-datasource creates twice connections as much as max-pool-size [details] |
JBEAP-15198 | JCA | JBJCA-1386 - TCCL is not set to datasource module |
JBEAP-16467 | JCA | IllegalStateException when getting a connection from a removed DataSource |
JBEAP-15226 | JMS | XA recovery warnings when server reloaded |
JBEAP-13676 | JMX | REMJMX-158 - WFLYJMX0037 occurs with RBAC enabled when disconnecting JConsole |
JBEAP-15836 | JPA/Hibernate | ISPN-9075/HHH-12457 - Local Infinispan read-write 2LC become stale on rollback [details] |
JBEAP-15944 | JSF | Warning about JSF version 'NONE' is shown in logs |
JBEAP-15996 | Logging | JBoss Logmanager is incompatible with -Xbootclasspath and JDK 11 |
JBEAP-15527 | Logging | LogManager stops any logging output after changing "encoding" attribute to file-handler [details] |
JBEAP-15935 | MP OpenTracing | EAR (WAR + EJB JAR) fails to be deployed with CNFE from open tracing |
JBEAP-11937 | Management | Capability requirement can be lost if two attributes on same resource reference the same capability |
JBEAP-15530 | Management | Booting a slave HC fails if the content repository entry for a rollout plan is not present [details] |
JBEAP-16138 | Management | Multiple |
JBEAP-16899 | OpenShift | OCP 4.1 - EAP 72 migration pod for transactions fails due to: "ssl.CertificateError: hostname 'openshift.default.svc' doesn't match either of 'kubernetes', 'kubernetes.default', 'kubernetes.default.svc',..." |
JBEAP-11860 | REST | "Arguments must not be null" when sending a null JSON object with ResteasyWebTarget |
JBEAP-16062 | RPM | 7.2.0 Regression on File permissions discrepancy between zip and rpms installation |
JBEAP-16411 | RPM | Some files of EAP7.2 RPM on RHEL8 has been moved to different directory |
JBEAP-16866 | RPM | EAP installation via jboss-eap7-jdk11 group does not install java 11 |
JBEAP-16017 | RPM | EAP7.2 RPMs does not match with provides from java-11-openjdk package |
JBEAP-16073 | RPM | product-info command throws java.lang.IllegalArgumentException |
JBEAP-16399 | Scripts | null file is created in bin directory when starting EAP 7.2 on Windows |
JBEAP-15636 | Security | ELY-1693 - Update AcmeClientSpi to make use of POST-as-GET instead of GET |
JBEAP-3031 | Security | SECURITY-981 - Referrals roles assignment for referral user does not work for AdvancedLdapLoginModule with Active Directory |
JBEAP-5886 | Security | Security-954 - AdvancedLdapLoginModule - skip roles search when rolesCtxDN is null |
JBEAP-15654 | Security | Unable to test PicketLink Bindings on Java 11 |
JBEAP-15557 | Security | HC cannot connect to DC after lost connect with error "WFLYCTL0332: Permission denied" [details] |
JBEAP-15837 | Security | Audience restriction check is too strict |
JBEAP-16152 | Security | ELY-1464/ELY-1747 - identity propagation does not work when programmatic web authentication via HttpServletRequest.login() is used [details] |
JBEAP-16188 | Security | ELYWEB-36 - File UploadMultipart does not work when SSO is enabled [details] |
JBEAP-15026 | Security | Elytron does not do RunAs identity remote propagation |
JBEAP-15384 | Security | PLINK-756 - PicketLinkAuthenticator returns null in sendChallenge method [details] |
JBEAP-16338 | Security | PLINK-792 - Need to set default encoding for FormParserFactory in SPFormAuthenticationMechanism |
JBEAP-16304 | Security | WFCORE-4326 - EAP 6.4 client calling EAP 7.x legacy remoting fails with server presented no authentication mechanisms when using anonymous |
JBEAP-16089 | Transactions | WFTC-54 - Integration with Narayana fails when timeout propagation over remote call declares it as '0' causing UserTransaction timeout to not work [details] |
JBEAP-16309 | Transactions | WTC-58 - AbstractTransaction#getEstimatedRemainingTime returns wrong value of rounding up which causes timeout of 1 second to be considered invalid |
JBEAP-15425 | Undertow | Infinispan IllegalStateException when session invalidated after redirect |
JBEAP-15777 | Undertow | Shutdown hangs if WAR is distributable and uses SSE [details] |
JBEAP-16428 | Undertow | AcmeResourceHandler should avoid per-request object allocations |
JBEAP-16156 | Undertow | UNDERTOW-1434 - Add ability to specify "category" parameter to the "access-log" HandlerBuilder |
JBEAP-16169 | Undertow | UNDERTOW-1440 - Support non-default file systems in PathResourceManager |
JBEAP-16167 | Undertow | UNDERTOW-1443 - Websockets should start worker lazily |
JBEAP-16172 | Undertow | UNDERTOW-1447 - Socket options are not passed to createSSLContext resulting in the wrong jsse implementation |
JBEAP-16168 | Undertow | UNDERTOW-1448 - HTTP/2 is not used when only TLSv1.3 is enabled |
JBEAP-16170 | Undertow | UNDERTOW-1450 - Spotbugs error MS_MUTABLE_COLLECTION_PKGPROTECT in AlpnOpenListener |
JBEAP-16009 | Undertow | UNDERTOW-1455 - Asynchronous servlet, onComplete() is not called when error occurs |
JBEAP-16173 | Undertow | UNDERTOW-1460 - RoutingHandler fails to route empty relative path to the "/" template |
JBEAP-16174 | Undertow | UNDERTOW-1463 - Support proxy protocol v2 |
JBEAP-16153 | Undertow | UNDERTOW-1472 - Content-Type header is not set in HTTP response for directory resource in servlet directory-listing feature |
JBEAP-16176 | Undertow | UNDERTOW-1474 - Undertow multi-part upload can potentially leak file descriptors |
JBEAP-16177 | Undertow | UNDERTOW-1476 - URLDecodingHandler should decode matched values in PathTemplateMatch.ATTACHMENT_KEY |
JBEAP-16126 | Undertow | UNDERTOW-1482 - No indication of missing included file |
JBEAP-16129 | Undertow | Forward attributes not present in error pages |
JBEAP-15560 | Undertow | AJP can't redirect to management console because of unresolved address |
JBEAP-16130 | Undertow | Forward attributes not present in error pages |
JBEAP-15572 | Undertow | Getting Unable to find unambiguous method when Calling an Enum function from JSF page [details] |
JBEAP-16397 | Undertow | UNDERTOW-1159 - Getting JSP name instead action name for getServletPath() [details] |
JBEAP-15746 | Undertow | UNDERTOW-1429 - JSP optimize-scriplets causes compilation failure when string concatenation exists inside method arguments [details] |
JBEAP-15919 | Undertow | UNDERTOW-1444 - Range headers do not seem to be handled correctly for files larger than 10 mb |
JBEAP-16046 | Undertow | UNDERTOW-1457 - Non persistent connection close may violate Undertow's thread model |
JBEAP-16053 | Undertow | UNDERTOW-1462 - Request cookie is incorrectly parsed when a backslash-escaped double quote exists in the quoted cookie value [details] |
JBEAP-15574 | Undertow | domain="undefined" in JSESSIONIDSSO [details] |
JBEAP-15233 | Web Console | Creating a non-local cache container in web console fails |
JBEAP-15695 | Web Services | Apply CXF Fix managing closing of temp queues (CXF-7768) [details] |
JBEAP-15390 | Web Services | CXF-7832 - WrappedMessageContext containsKey not consistent with get/put [details] |
JBEAP-15945 | XTS | JBTM-3079 - InboundBridge recovery aborts live transactions |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.1-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.1-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.