JBoss Enterprise Application Platform 7.2 Update 1 Release Notes


In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.

Download JBoss Enterprise Application Platform 7.2 Update 1

This update includes fixes for the following security related issues:

| ID | Component | Summary |
|---|---|---|
| CVE-2018-11307 | Server | jackson-databind: potential information exfiltration with default typing, serialization gadget from MyBatis |
| CVE-2019-3805 | Server | Race condition on PID file allows termination of arbitrary processes by local users |
| CVE-2018-14720 | Server | jackson-databind: exfiltration/XXE in some JDK classes |
| CVE-2018-14642 | Web (Undertow) | Info leak in some circumstances where Undertow can serve data from a random buffer |
| CVE-2018-14721 | Server | jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class |
| CVE-2018-1000873 | Server | jackson-datatype-jsr310 / jackson-modules-java8: DoS due to improper input validation |
| CVE-2018-12022 | Server | jackson-databind: improper polymorphic deserialization of types from Jodd-db library |
| CVE-2019-3894 | Concurrency Utilities | Wrong SecurityIdentity for EE concurrency threads that are reused |
| CVE-2018-12023 | Server | jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver |

This update includes the following bug fixes or changes:

| ID | Component | Summary |
|---|---|---|
| JBEAP-16204 | | ARTEMIS-2139 - Message sent to JMSReplyTo from old client does not find correct bindings |
| JBEAP-16349 | | Add a System.LoggerFinder for Java 9+ |
| JBEAP-16332 | | EJBCLIENT-300 - Request should prevent setting session ID for remote protocol <= 2 |
| JBEAP-16402 | | EJBCLIENT-316 - Incoming call from client of version prior to 2.0 sets transaction timeout to 0 |
| JBEAP-16209 | | ISPN-7863 - Ickle lexer wrongly discards the letter v as whitespace, ruining parsing of identifiers containing v |
| JBEAP-16205 | | ISPN-9303 - NPE with nested protobuf messages and @Indexed(false) |
| JBEAP-16207 | | ISPN-9500 - ConcurrentSmallIntSet.clear() does not always set the size to 0 |
| JBEAP-16208 | | ISPN-9501 - AbstractCacheStream.performOperationRehashAware() can hang |
| JBEAP-16210 | | ISPN-9569 - Indexing is not working for clustered caches if the cache is transactional |
| JBEAP-16211 | | ISPN-9573 - Stopping a cache can lead to unintentional unregistering of another indexed cache's query-related MBeans |
| JBEAP-16215 | | ISPN-9641 - Using expiration with off heap doesn't subtract size properly on expiration |
| JBEAP-16218 | | ISPN-9701 - TransactionTable does not shut down gracefully |
| JBEAP-16216 | | ISPN-9702 - ClassCastException when using converters in remote events |
| JBEAP-16219 | | ISPN-9727 - Ickle query ignores an IN clause if there is only one value |
| JBEAP-16222 | | ISPN-9742 - Analyzers not working for inner objects |
| JBEAP-16220 | | ISPN-9798 - Deadlock in org.infinispan.persistence.manager.PersistenceManagerImpl when using Infinispan in WildFly 14.0.1.Final |
| JBEAP-16221 | | ISPN-9800 - Allow PersistenceManager availability check to be disabled |
| JBEAP-16193 | | JBTM-3044 - Decouple TransactionContext from JNDI |
| JBEAP-16194 | | JBTM-3045 - JTA CDI regression (or Standalone JTA 1.2 Quickstart failure) |
| JBEAP-16195 | | JBTM-3047 - Suspending recovery manager causes deadlock when an active RecoveryMonitor scan request exists |
| JBEAP-16196 | | JBTM-3049 - Setting properties via arjPropertyManager should affect all related config bean instances |
| JBEAP-16199 | | JBTM-3064 - After a crash, active LRAs are left in a limbo state |
| JBEAP-16200 | | JBTM-3066 - Starting a nested LRA via the client API leaves the parent as the current context |
| JBEAP-16201 | | JBTM-3078 - JDBC transaction driver does not support MSSQL; the list should be enriched |
| JBEAP-16348 | | LOGMGR-210 - Use the StackTraceFormatter to render the stack trace for structured formatters |
| JBEAP-16350 | | LOGMGR-236 - java.lang.ArrayIndexOutOfBoundsException: 76 at org.jboss.logmanager.JDKSpecific.calculateCaller(JDKSpecific.java:112) |
| JBEAP-16202 | | WFLY-10841 - XA recovery warnings when server is reloaded |
| JBEAP-16333 | | WFTC-60 - SubordinateXAResource#getRemainingTime is not calculating the remaining time correctly |
| JBEAP-16448 | | Make getServletPath return action name or JSP name configurable |
| JBEAP-16401 | | [EJBCLIENT-313] IllegalArgumentException in EJBClientInvocationContext.java:1116 |
| JBEAP-16385 | | [ELY-1373] IBM JDK, SPNEGO + FORM: with an invalid ticket, a 200 status code is returned |
| JBEAP-16386 | | [ELY-1547] SPNEGO: missing negstat field in the first reply for expired token |
| JBEAP-16388 | | [ELY-386] Unable to create HTTPS connection when some OpenSSL cipher suites with DHE are used |
| JBEAP-16389 | | [ELY-396] Undertow HTTPS listener does not accept EXPORT40 and EXPORT56 cipher strings |
| JBEAP-16384 | | [ELYWEB-8] Adding Undertow Constant-Driven authentication mode |
| JBEAP-16357 | | [RESTEASY-2047] Typo in MicroprofileClientBuilder |
| JBEAP-16440 | | [UNDERTOW-1477] Consider reusing StringBuilders in URLDecodingHandler |
| JBEAP-16434 | | [UNDERTOW-1486] Out of memory errors |
| JBEAP-16438 | | [UNDERTOW-1487] Multiple invocations of SimpleObjectPool PooledObject.close result in mutation of returned objects |
| JBEAP-16439 | | [UNDERTOW-1490] FlexBase64 doesn't use URL table for encoding ByteBuffer |
| JBEAP-16437 | | [UNDERTOW-1494] Websockets will always wait the full time on graceful close if there are open connections |
| JBEAP-16436 | | [UNDERTOW-1495] Add %o: obfuscated remote IP address |
| JBEAP-16435 | | [UNDERTOW-1496] Set form default encoding |
| JBEAP-16447 | | [UNDERTOW-1499] Make getServletPath return action name or JSP name configurable |
| JBEAP-16387 | | [ELY-1549] IBM JDK, SPNEGO + FORM: with an invalid ticket, a 401 status code is returned |
| JBEAP-16547 | | CXF-7823 - JAXBEncoderDecoder doesn't respect @XmlType's propOrder in Exception class |
| JBEAP-16106 | | WFTC-52 - Narayana should be notified about a subordinate transaction being finished |
| JBEAP-15158 | ActiveMQ | ARTEMIS-2055 - IndexOutOfBoundsException in JDBC HA scenario |
| JBEAP-9223 | ActiveMQ | Artemis throws Critical IO Error if new journal file is not created in 5 seconds |
| JBEAP-15274 | ActiveMQ | ARTEMIS-2039 - tearDown may interrupt wrong threads after failures |
| JBEAP-16562 | ActiveMQ | ARTEMIS-2131 - Error compacting journal |
| JBEAP-16527 | ActiveMQ | Artemis Replication does not work with JDK 11 |
| JBEAP-16034 | ActiveMQ | ENTMQBR-2197 - Core JMS client leaks temporary destination names |
| JBEAP-16203 | ActiveMQ | PagingStore leak when deleting queue |
| JBEAP-15544 | ActiveMQ | ARTEMIS-1961 - Track routed and unrouted messages sent to an address |
| JBEAP-15451 | ActiveMQ | ARTEMIS-2089 - DB2: sending a larger message (1MB) crashes the whole server |
| JBEAP-15900 | ActiveMQ | DB2: sending a larger message (1MB) crashes the whole server |
| JBEAP-15780 | Batch | JBERET-459 - JBeret batches fail following timed out transactions |
| JBEAP-16068 | Batch | WFLY-9658 - Batch jobs in a sub-deployment can be started but not queried |
| JBEAP-16329 | Class Loading | ManagedExecutorService persists contextClassLoader reference, causing app classloader leaks |
| JBEAP-15798 | Clustering | ISPN-9720 - JDK 11: An illegal reflective access operation has occurred |
| JBEAP-16056 | Clustering | Race condition in InfinispanRouteLocator logic can cause missing route |
| JBEAP-16608 | Clustering | WFLY-11088 - Deployment failure if existing HA deployment contains a common EJB class |
| JBEAP-15999 | Deployment Scanner | FileSystemDeploymentService#handleNotification() can create an unneeded deployment marker file even if scanEnabled="false" is specified |
| JBEAP-16618 | EE | EE deployer adds a dependency on org.eclipse.yasson, which exposes messages.properties to deployments |
| JBEAP-15517 | EE | Leaking connections when multiple EJBs are injecting a JMSContext |
| JBEAP-15787 | EJB | EJB-314/EJB-317 - Legacy EJB Client: high communication failure rate during failover |
| JBEAP-13745 | EJB | Legacy EJB client: Error getting response. java.lang.ArrayIndexOutOfBoundsException |
| JBEAP-16144 | EJB | Not possible to configure more than 1 passivation-store per subdeployment |
| JBEAP-15738 | EJB | Server-to-server EJB transactional invocation rolls back if a stateful bean is used and JBOSS-LOCAL-USER auth is not possible |
| JBEAP-15874 | EJB | WARN when a clustered EJB is bound to INADDR_ANY (0.0.0.0), as it cannot reach back to the cluster when not in the same local network |
| JBEAP-15713 | EJB | Add Timer script for MariaDB |
| JBEAP-15729 | EJB | EJB Timer is not properly set when the database is different from the defaults |
| JBEAP-16087 | EJB | WEJBHTTP-18 - HttpEJBReceiver fails under a security manager |
| JBEAP-16272 | EJB | Cancelled timer not removed from internal cache when using persistent timers |
| JBEAP-16187 | EJB | EJB IIOP server-to-server issues |
| JBEAP-16225 | EJB | Cancelled timer not removed from internal cache when using persistent timers |
| JBEAP-16246 | EJB | EJB IIOP server-to-server issues |
| JBEAP-15860 | EJB | Lock is not released when JTS is enabled and a timer is cancelled inside a transaction |
| JBEAP-16069 | EJB | WEJBHTTP-20 - EJB over HTTP using Apache httpd via AJP does not work |
| JBEAP-15394 | EJB | WildFlyInitialContextFactory EJB proxy security behavior inconsistent across different context lookups |
| JBEAP-15882 | Hibernate | HHH-10891 - Exception at bootstrap when @Any is inside an @Embeddable object |
| JBEAP-15336 | Hibernate | HHH-12917 / HHH-12918 / HHH-12919 - Some strategic string interning opportunities |
| JBEAP-16419 | Hibernate | HHH-13107 - JtaWithStatementsBatchTest fails on Oracle |
| JBEAP-16191 | Hibernate | HHH-13164 - Detecting transient state of mandatory toOne relations is broken |
| JBEAP-16099 | Hibernate | HHH-13169 - Table alias used instead of exact table name in multi-table update query |
| JBEAP-16098 | Hibernate | HHH-13172 - Log a warning instead of throwing an Exception when @AttributeOverride is used in conjunction with inheritance |
| JBEAP-16325 | Hibernate | HHH-13244 - hibernate.jpa.compliance.proxy=true and DEBUG logging of an entity with an uninitialized proxy causes an exception |
| JBEAP-16421 | Hibernate | HHH-13269 - Embeddable collection regression due to HHH-11544 |
| JBEAP-15803 | Hibernate | HHH-11209 - NullPointerException in EntityType.replace() with a PersistentBag |
| JBEAP-14762 | Hibernate | HHH-12555 - Merging a blob on an entity results in a class cast exception |
| JBEAP-15782 | Hibernate | HHH-13084 - Querying entity with non-ID property named 'id' fails if entity has an IdClass composite key |
| JBEAP-15899 | Hibernate | HHH-13114 - Query "select count(h) from Human h" fails if a subclass has a non-Id property named "id" |
| JBEAP-16065 | Hibernate | HHH-13129 - Cascaded merge fails for detached bytecode-enhanced entity with uninitialized ToOne |
| JBEAP-16330 | Hibernate | HHH-13194 - Methods returning org.hibernate.query.Query are not defined for StatelessSession |
| JBEAP-16409 | Hibernate | HHH-13262 - javax.persistence.TransactionRequiredException: Executing an update/delete query |
| JBEAP-16433 | Hibernate | HHH-13281 - java.lang.ClassCastException: org.hibernate.internal.SessionImpl cannot be cast to org.hibernate.ejb.HibernateEntityManager |
| JBEAP-16443 | Hibernate | HHH-13285 - ClassCastException: org.dom4j.DocumentFactory cannot be cast to org.dom4j.DocumentFactory after dom4j update |
| JBEAP-16320 | Hibernate | Performance regression using ByteBuddy byte code enhancement |
| JBEAP-15581 | JCA | Enforce the short-running-threads requirement for a distributed workmanager |
| JBEAP-15569 | JCA | JCA distributed work manager doesn't allow adding more than one |
| JBEAP-15843 | JCA | Inconsistency in JCA Subsystem xsd: boundedqueque is used for worker threads |
| JBEAP-15447 | JCA | JBJCA-1382 - Destroy managed connection on failed reconnect |
| JBEAP-15328 | JCA | JBJCA-1385 - EAP 7 / xa-datasource creates twice as many connections as max-pool-size |
| JBEAP-15198 | JCA | JBJCA-1386 - TCCL is not set to datasource module |
| JBEAP-16467 | JCA | IllegalStateException when getting a connection from a removed DataSource |
| JBEAP-15226 | JMS | XA recovery warnings when server is reloaded |
| JBEAP-13676 | JMX | REMJMX-158 - WFLYJMX0037 occurs with RBAC enabled when disconnecting JConsole |
| JBEAP-15836 | JPA / Hibernate | ISPN-9075/HHH-12457 - Local Infinispan read-write 2LC becomes stale on rollback |
| JBEAP-15944 | JSF | Warning about JSF version 'NONE' is shown in logs |
| JBEAP-15996 | Logging | JBoss Logmanager is incompatible with -Xbootclasspath and JDK 11 |
| JBEAP-15527 | Logging | LogManager stops all logging output after changing the "encoding" attribute of a file-handler |
| JBEAP-15935 | MP OpenTracing | EAR (WAR + EJB JAR) fails to deploy with CNFE from OpenTracing |
| JBEAP-11937 | Management | Capability requirement can be lost if two attributes on the same resource reference the same capability |
| JBEAP-15530 | Management | Booting a slave HC fails if the content repository entry for a rollout plan is not present |
| JBEAP-16138 | Management | Multiple elements inside an http-interface parsed wrongly |
| JBEAP-16899 | OpenShift | OCP 4.1 - EAP 7.2 migration pod for transactions fails due to: "ssl.CertificateError: hostname 'openshift.default.svc' doesn't match either of 'kubernetes', 'kubernetes.default', 'kubernetes.default.svc',..." |
| JBEAP-11860 | REST | "Arguments must not be null" when sending a null JSON object with ResteasyWebTarget |
| JBEAP-16411 | RPM | Some files of the EAP 7.2 RPM on RHEL 8 have been moved to a different directory |
| JBEAP-16866 | RPM | EAP installation via the jboss-eap7-jdk11 group does not install Java 11 |
| JBEAP-16017 | RPM | EAP 7.2 RPMs do not match the provides from the java-11-openjdk package |
| JBEAP-16073 | RPM | product-info command throws java.lang.IllegalArgumentException |
| JBEAP-16399 | Scripts | A file named "null" is created in the bin directory when starting EAP 7.2 on Windows |
| JBEAP-15636 | Security | ELY-1693 - Update AcmeClientSpi to make use of POST-as-GET instead of GET |
| JBEAP-3031 | Security | SECURITY-981 - Referral roles assignment for referral user does not work for AdvancedLdapLoginModule with Active Directory |
| JBEAP-5886 | Security | SECURITY-954 - AdvancedLdapLoginModule: skip roles search when rolesCtxDN is null |
| JBEAP-15654 | Security | Unable to test PicketLink Bindings on Java 11 |
| JBEAP-15557 | Security | HC cannot connect to DC after a lost connection, with error "WFLYCTL0332: Permission denied" |
| JBEAP-15837 | Security | Audience restriction check is too strict |
| JBEAP-16152 | Security | ELY-1464/ELY-1747 - Identity propagation does not work when programmatic web authentication via HttpServletRequest.login() is used |
| JBEAP-16188 | Security | ELYWEB-36 - File UploadMultipart does not work when SSO is enabled |
| JBEAP-15026 | Security | Elytron does not do RunAs identity remote propagation |
| JBEAP-15384 | Security | PLINK-756 - PicketLinkAuthenticator returns null in sendChallenge method |
| JBEAP-16338 | Security | PLINK-792 - Need to set default encoding for FormParserFactory in SPFormAuthenticationMechanism |
| JBEAP-16304 | Security | WFCORE-4326 - EAP 6.4 client calling EAP 7.x legacy remoting fails with "server presented no authentication mechanisms" when using anonymous |
| JBEAP-16089 | Transactions | WFTC-54 - Integration with Narayana fails when timeout propagation over a remote call declares it as '0', causing the UserTransaction timeout not to work |
| JBEAP-16309 | Transactions | WTC-58 - AbstractTransaction#getEstimatedRemainingTime returns a wrong value because of rounding up, which causes a timeout of 1 second to be considered invalid |
| JBEAP-15425 | Web (Undertow) | Infinispan IllegalStateException when session is invalidated after redirect |
| JBEAP-15777 | Web (Undertow) | Shutdown hangs if WAR is distributable and uses SSE |
| JBEAP-16428 | Web (Undertow) | AcmeResourceHandler should avoid per-request object allocations |
| JBEAP-16156 | Web (Undertow) | UNDERTOW-1434 - Add ability to specify "category" parameter to the "access-log" HandlerBuilder |
| JBEAP-16169 | Web (Undertow) | UNDERTOW-1440 - Support non-default file systems in PathResourceManager |
| JBEAP-16167 | Web (Undertow) | UNDERTOW-1443 - Websockets should start worker lazily |
| JBEAP-16172 | Web (Undertow) | UNDERTOW-1447 - Socket options are not passed to createSSLContext, resulting in the wrong JSSE implementation |
| JBEAP-16168 | Web (Undertow) | UNDERTOW-1448 - HTTP/2 is not used when only TLSv1.3 is enabled |
| JBEAP-16170 | Web (Undertow) | UNDERTOW-1450 - Spotbugs error MS_MUTABLE_COLLECTION_PKGPROTECT in AlpnOpenListener |
| JBEAP-16009 | Web (Undertow) | UNDERTOW-1455 - Asynchronous servlet: onComplete() is not called when an error occurs |
| JBEAP-16173 | Web (Undertow) | UNDERTOW-1460 - RoutingHandler fails to route empty relative path to the "/" template |
| JBEAP-16174 | Web (Undertow) | UNDERTOW-1463 - Support proxy protocol v2 |
| JBEAP-16153 | Web (Undertow) | UNDERTOW-1472 - Content-Type header is not set in HTTP response for directory resource in servlet directory-listing feature |
| JBEAP-16176 | Web (Undertow) | UNDERTOW-1474 - Undertow multi-part upload can potentially leak file descriptors |
| JBEAP-16177 | Web (Undertow) | UNDERTOW-1476 - URLDecodingHandler should decode matched values in PathTemplateMatch.ATTACHMENT_KEY |
| JBEAP-16126 | Web (Undertow) | UNDERTOW-1482 - No indication of missing included file |
| JBEAP-16129 | Web (Undertow) | Forward attributes not present in error pages |
| JBEAP-15560 | Web (Undertow) | AJP can't redirect to management console because of unresolved address |
| JBEAP-16130 | Web (Undertow) | Forward attributes not present in error pages |
| JBEAP-15572 | Web (Undertow) | Getting "Unable to find unambiguous method" when calling an Enum function from a JSF page |
| JBEAP-16397 | Web (Undertow) | UNDERTOW-1159 - Getting JSP name instead of action name for getServletPath() |
| JBEAP-15746 | Web (Undertow) | UNDERTOW-1429 - JSP optimize-scriplets causes compilation failure when string concatenation exists inside method arguments |
| JBEAP-15919 | Web (Undertow) | UNDERTOW-1444 - Range headers do not seem to be handled correctly for files larger than 10 MB |
| JBEAP-16046 | Web (Undertow) | UNDERTOW-1457 - Non-persistent connection close may violate Undertow's thread model |
| JBEAP-16053 | Web (Undertow) | UNDERTOW-1462 - Request cookie is incorrectly parsed when a backslash-escaped double quote exists in the quoted cookie value |
| JBEAP-15574 | Web (Undertow) | domain="undefined" in JSESSIONIDSSO |
| JBEAP-15233 | Web Console | Creating a non-local cache container in the web console fails |
| JBEAP-15695 | Web Services | Apply CXF fix managing closing of temp queues (CXF-7768) |
| JBEAP-15390 | Web Services | CXF-7832 - WrappedMessageContext containsKey not consistent with get/put |
| JBEAP-15945 | XTS | JBTM-3079 - InboundBridge recovery aborts live transactions |


Installation

Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.1-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.1-patch.zip"

These commands apply the update to the installation that contains the CLI script. Other scenarios, and use of the management console, are covered in the JBoss EAP 7.2 Patching and Upgrading Guide.
