JBoss Enterprise Application Platform 7.2 Update 4 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 03

Download JBoss Enterprise Application Platform 7.2 Update 4

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2019-12384 Server jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
CVE-2019-12086 Server jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server
CVE-2019-10184 Undertow undertow: Information leak in requests for directories without trailing slashes
CVE-2019-14379 Server jackson-databind: default typing mishandling leading to remote code execution
CVE-2019-10202 Server codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
CVE-2019-10212 Undertow undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files
CVE-2019-19343 Remoting undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
CVE-2019-12814 Server jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-17398 CONF0005: Unexpected element "interceptor" in namespace "urn:jboss:wildfly-client-ejb:3.1" [details]
JBEAP-17161 JGRP-2350 - TCP: connection close can block when send() block on full TCP send-window [details]
JBEAP-17163 WFCORE-4569 - SaslException: Authentication failed when XA Recovery tries to call remote server [details]
JBEAP-17061 WFLY-12216 - Log WARN if application specifies @RunAsPrincipal and not @RunAs
JBEAP-16372 ActiveMQ ARTEMIS-2290 JMSBridge fails to stop after throwing an error
JBEAP-16371 ActiveMQ ARTEMIS-2291 JMSBridge fails to stop
JBEAP-14032 ActiveMQ ARTEMIS-2069 - Backup doesn't activate after shared store is reconnected
JBEAP-17342 ActiveMQ ARTEMIS-2313 - Accumulation in HierarchicalObjectRepository cache
JBEAP-16972 ActiveMQ ENTMQBR-2494 IndexOutOfBoundsException from CoreMessage.sendBuffer_1X(CoreMessage.java:313)
JBEAP-17300 ActiveMQ ENTMQBR-2711 - ARTEMIS-2439 - ServerSessionImpl cache does not clear names of deleted temporary destinations
JBEAP-16896 ActiveMQ java.net.URISyntaxException: Illegal character in opaque part at index 7: file:C:\Java\jboss\jboss-as\standalone\configuration/logging.properties [details]
JBEAP-17292 CDI / Weld WELD-2592 - Jandex index retention on Weld
JBEAP-16628 CLI WFCORE-4389 - deploy fails in batch when operation is validated
JBEAP-16788 CLI WFCORE-4460 - jboss-cli.sh doesn't return json when the output command is 'failed'
JBEAP-17352 Clustering ISPN-10323: Non-transactional queries don't update the query cache [details]
JBEAP-17120 EJB Server-server EJB transactional invocation rolls back if MDB call remote EJB and JBOSS-LOCAL-USER auth is not possible
JBEAP-17295 EJB Skip redundant put operations when distributable SFSBs use local, non-persistent cache configuration
JBEAP-17348 EJB WFLY-12352 - Distributable SFSB creation unnecessarily checks passivation store
JBEAP-3432 EJB IllegalStateException "not in a valid state to be invoking cache operations on" in two cluster test
JBEAP-17172 EJB DatabaseTimerPersistence does not detect mssql driver type
JBEAP-17377 EJB Immediatly call receiveMessage() so requests can be deserialized in parrallel
JBEAP-17137 EJB EJBCLIENT-339 - Remove some doPrivileged calls
JBEAP-17036 EJB "Failed to reinstate timer" warning is shown when creating large number of EJB timers
JBEAP-17210 EJB CallerPrincipal will be anonymous (randomly) if EJB2 is called
JBEAP-15448 EJB EJBCLIENT-305 - Unable to configure 'maximumConnectedClusterNodes'
JBEAP-16895 EJB EJBCLIENT-333 - Unable to invoke any EJB of the same module after failure of a SFSB in that module
JBEAP-17261 EJB EJBCLIENT-342 - EJBInvocationClientContext.getResult should notify others only if there are waiters
JBEAP-16149 EJB JBREM000308: Authentication failed (no mechanisms left) when EJB invocations across servers done with programatic auth [details]
JBEAP-16651 EJB Transactional remote-outbound-connection to an older version results in an ARJUNA016045 WARN message
JBEAP-16793 EJB XNIO-339 - Standalone EJB Client using Remote UserTransaction can hang if there are more than 15 concurrent client threads [details]
JBEAP-17350 Hibernate HHH-13026 - Fix link to Infinispan documentation section regarding Hibernate 2LC
JBEAP-16784 Hibernate HHH-13357 HHH-13557 HHH-13558 OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones
JBEAP-17290 Hibernate HHH-13379 - Regression of Instant serialization
JBEAP-17297 Hibernate HHH-13514 / HHH-13525 - Calling the wrong method inside SessionDelegatorBaseImpl#createStoredProcedureQuery
JBEAP-17402 Hibernate HHH-13574 - SybaseASE does not support PARTITION BY
JBEAP-17488 Hibernate HHH-13590 - TransientObjectException merging a non-proxy association to a HibernateProxy
JBEAP-17213 Hibernate HHH-11032 - Improve performance of PersistentBag.equalsSnapshot [details]
JBEAP-16979 Hibernate HHH-13416 - Unguarded debug message being rendered in org.hibernate.engine.internal.Collections.processReachableCollection
JBEAP-17017 Hibernate HHH-13424 HHH-13550: Table nullability should not depend on JpaCompliance.isJpaCacheComplianceEnabled() [details]
JBEAP-17110 Hibernate HHH-13466 - ClassCastException when changing a collection association to a set if @PreUpdate listener exists [details]
JBEAP-17169 Hibernate HHH-13492 - OptimisticLockException after lock, refresh, merge in a transaction [details]
JBEAP-17283 Hibernate Miscellaneous performance improvements
JBEAP-17380 IO WFCORE-4600 - Memory leak caused by ByteBufferSlicePool usage
JBEAP-16825 JCA JBJCA-1389 - NullPointerException raised when calling isWrapperFor(...) on a closed connection [details]
JBEAP-16986 JCA JBJCA-1390 - BlockingFailureCount not tracking IJ000655 errors in SemaphoreConcurrentLinkedDequeManagedConnectionPool [details]
JBEAP-17070 JCA JBJCA-1391 - SQLException.getSQLState() and getCause() are null with XADatasource connection for postgresql during network failure
JBEAP-16921 JCA The expression for the value of share-prepared-statements does not work in XA datasource .
JBEAP-17259 JCA WFLY-12318 - SecurityManager push/pull is expensive
JBEAP-17332 JCA WFLY-12344 - SecurityManager push/pull is expensive also for datasources
JBEAP-17287 JMS The subscribed topic is removed if reconnecting to messaging system with legacy-connection-factory
JBEAP-17367 JMS ENTMQBR-2711 - ARTEMIS-2449 - Limit size of producer details
JBEAP-17111 JMS HornetQ client issue while using JMSMessageID as selector with EAP 7
JBEAP-16990 JMS Set bridgeName while creating JMSBridge on server
JBEAP-17310 JMS Lost messages in scenario with a remote MDB and a long GC pause.
JBEAP-17323 JMS Shutdown of server with remote JCA MDB hangs
JBEAP-16988 JMX WFCORE-4561 - JMX audit log does not show operation parameters
JBEAP-17369 JPA/Hibernate WFLY-12365 - WildFlyCustomJtaPlatform does not cache TSR for manually bootstrapped hibernate apps
JBEAP-16460 JSF WFLY-6918 - Unnecessary NoSuchMethodException during JSF app deployment
JBEAP-17186 JSF Deployments fails if de.odysseus.juel is included in the war
JBEAP-17227 JSF Mojarra 4596 - Scripts with CDATA cause "empty response" error on Ajax render
JBEAP-17157 JSF Mojarra Issue 3042 / Partial rendering: insufficient CDATA encoding (XSS)
JBEAP-17019 JSF protected JSF page can not be accessed with port 80
JBEAP-17266 Logging JBLOGGING-141 - At Logger.getMessageLogger, safeguard the doPrivileged call by a SecurityManager check
JBEAP-17267 Logging LOGMGR-258 - Safeguard doPrivileged calls by a SecurityManager is null check
JBEAP-17255 MSC Deprecate ServiceBuilder.addAliases() in favor of ServiceBuilder.provides()
JBEAP-17253 MSC Ensure ReadableValueImpl and WritableValueImpl fields visibility
JBEAP-17251 MSC MSC-245 - ServiceContainerImpl.registry is leaking memory resources
JBEAP-16214 Management WFCORE-4283 - Web management console reports 500 error while domain host controller is in bootup [details]
JBEAP-16801 Management WFCORE-4440 - Changes made via CLI in static-discovery are not reflected in host.xml
JBEAP-17177 Management WFLY-11617 - Incorrect default transaction type was shown in the JBoss CLI and validation is not working
JBEAP-17524 Naming WFLY-12472 - NullPointerException in JndiNamingDependencyProcessor
JBEAP-17140 OpenShift Session reset after scaling down EAP pod in cluster on Openshift
JBEAP-17082 OpenShift EAP CP images are too big compared to 7.x.0 images
JBEAP-17280 Patching WFCORE-4586 - patch apply ... --override-all does not work if layer module is corrupted
JBEAP-17069 REST JBEE-204 - ClassNotFoundException over org.glassfish.jersey.client.JerseyClientBuilder when sec-mgr is enabled
JBEAP-17381 Remoting REM3-342 - Optimization at RemoteConnection.RemoteWriteListener.send breaks SSL
JBEAP-16363 Remoting XNIO-317 - Introduce API to clean ThreadLocal caches from ByteBufferSlicePool
JBEAP-17260 Remoting JBMAR-227 - River marshalling impacts performance of ejb-client
JBEAP-17317 Remoting JBMAR-229 - Don't run doPrivileged if not needed in RiverUnmarshaller
JBEAP-17279 Remoting REM-340 - Attempt to write directly instead of resuming writes
JBEAP-17139 Remoting REM3-338 - RemoteConnection keep alive algorithm creates a new task at every write event
JBEAP-17138 Remoting REM3-339 - Reduce context switching per request
JBEAP-17275 Remoting REM3-341 - EndpointImpl uses doPrivileged when SecurityManager is null
JBEAP-17337 Security PicketBox : Change use of HTTP download locations to HTTPS
JBEAP-17383 Security Default AuthenticationContext is a static with undefined behaviour
JBEAP-17263 Security ELY-1854 - Add the ability to specify whether or not the AccessControlContext should be captured by using a system property called "wildfly.elytron.capture.access.control.context"
JBEAP-17262 Security ELY-1855 - Update AuthenticationConfiguration#useAuthorizationPrincipal to avoid needing an extra call to AuthenticationConfiguration#useForwardedAuthorizationIdentity
JBEAP-17123 Security Encrypted non-normalized assertion causes ClassCastException
JBEAP-17328 Security Need to handle InputStream after picketlink authentication [details]
JBEAP-17319 Security SECURITY-1002 - doPrivileged is used even when no security manager is present
JBEAP-17336 Security SECURITY-1003 - SubjectActions uses AccessController.doPrivileged even when no security manager is present
JBEAP-17340 Security SECURITY-1004 - Allow the ** role to be disabled
JBEAP-17318 Security WFLY-12340 - SimpleSecurityManager uses AccessController.doPrivileged even if the SM is not checking
JBEAP-16145 Server unsecure interfaces / iiop does not log when binding port
JBEAP-14310 Server WFCORE-3670 - module defined with an alias in jboss-deployment-structure.xml with fails to parse when annotations=true
JBEAP-17379 Transactions WFLY-11849 - Narayana XTS txbridge not permitting to start transaction when no timeout is set
JBEAP-17264 Transactions WFTC-73 - Remove the use of doPrivileged if SecurityManager is null
JBEAP-17316 Transactions JBTM-3165 - Don't create the EnumSet and TransactionEvent unless it is required
JBEAP-17322 Transactions JBTM-3166 - TransactionListener's should not be enabled by default
JBEAP-16731 Transactions WFLY-10351 - Clean up BMTInterceptor [details]
JBEAP-13598 Transactions WFLYTX0001: Unable to roll back active transaction thrown for EJB bridge transactions
JBEAP-17265 Transactions WFTC-72 - Remove use of a global lock and lock per transaction
JBEAP-14074 Undertow OutOfMemoryError: Direct buffer memory when repeating reload
JBEAP-16546 Undertow UNDERTOW-1507 - Undertow mod_cluster proxy: NullPointerException on jvmKill based failover among worker nodes using SSL
JBEAP-17296 Undertow Skip redundant put operations when distributable web sessions use local, non-persistent cache configuration
JBEAP-16826 Undertow UNDERTOW-1567 - Redirect to absolute URL with special characters broken
JBEAP-17104 Undertow UNDERTOW-1569 - HttpServletRequest getLocalName() returns IP instead of hostname
JBEAP-17188 Undertow UNDERTOW-1575 - HttpServletRequest.getRequestedSessionID() is incorrectly returning a newly generated session ID instead of the requested ID in EAP 7 when using URL session tracking [details]
JBEAP-17308 Undertow Undertow/XNIO file watch service has a possibility to prune all file change events and miss to invoke FileChangeCallback [details]
JBEAP-17282 Web Console HAL-1618 Support changed lifecycle hosts / servers
JBEAP-16757 Web Console EAP 7.2 management console add incorrect JVM parameters which include a comma


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.4-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.4-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide