JBoss Enterprise Application Platform 7.2 Update 5 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 04

Download JBoss Enterprise Application Platform 7.2 Update 5

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2019-9515 Management HTTP/2: flood using SETTINGS frames results in unbounded memory growth
CVE-2019-14843 Security Manager wildfly-security-manager: security manager authorization bypass
CVE-2019-9512 Management HTTP/2: flood using PING frames results in unbounded memory growth
CVE-2019-14838 Management Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
CVE-2019-9511 Management HTTP/2: large amount of data requests leads to denial of service
CVE-2019-9514 Management HTTP/2: flood using HEADERS frames results in unbounded memory growth:wq

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-17532 HHH-13611 Restore EntityMetamodel constructor to take SessionFactoryImplementor argument instead of PersisterCreationContext.
JBEAP-17372 RESTEASY-2027 - PatchMethodFilter doesn't handle request of MediaType application/json-patch+json if MediaType have argument
JBEAP-17125 RESTEASY-2281 - PatchMethodFilter not using provided ObjectMapper
JBEAP-17222 resteasy-jaxrs is missing dependency to microprofile-config-api
JBEAP-17152 CLI jboss-cli.sh does not error on invalid options such as --controler
JBEAP-15985 Clustering NullPointerException in processing EJB request at shutdown
JBEAP-17412 Concurrency Utilities ManagedExecutorService keeping references on undeploy/deploy
JBEAP-17458 EJB Timely topology changes can defer expiration of distributed SFSB
JBEAP-17269 EJB WFLY-12321 - Use a single non-cancelling task per bean manager for tracking passivation expiration
JBEAP-17721 EJB EJB/JNDI over HTTP-Invoker Throws CommunicationException instead of AuthenticationException [details]
JBEAP-16940 EJB Out of specification: Singleton EJB is allowed to implement SessionBean interface. [details]
JBEAP-17376 EJB Single action timer is not triggered automatically after a DB outage, requires server restart
JBEAP-17086 EJB UNDERTOW-1580 - Improve EJB over HTTPS logging
JBEAP-17270 EJB WFLY-12322 - Avoid redispatching to a worker the ejb call if it is async (at AssociationImpl)
JBEAP-17164 Generic JMS RA WFLY-12415 - Complete message object visible in ERROR at org.jboss.resource.adapter.jms.inflow.JmsServerSession
JBEAP-17471 Hibernate HHH-13592 AutoFlushEvent#isFlushRequired is always false
JBEAP-17525 Hibernate HHH-13607 Exception thrown while flushing uninitialized enhanced proxy with immutable natural ID
JBEAP-17485 Hibernate HHH-12968 Persist fails when using JOINED Inheritance with batch_size > 1 and legacy ID generation [details]
JBEAP-17418 Hibernate HHH-13586: ClassCastException when using a single region name for both entity and query results [details]
JBEAP-16800 JCA TCCL is not set to datasource module in datasource constructor
JBEAP-16507 JCA JBJCA-1392 - Need to add checkTransaction handling for unwrap connection
JBEAP-17549 JSF Memory leak in FlashScope - expired elements are not cleared
JBEAP-17883 Logging Ensure the log manager is set for tests for Eclipse OpenJ9
JBEAP-17607 MSC Additional fixes for MSC-245 - ServiceContainerImpl.registry is leaking memory resources
JBEAP-17511 Management JGroups get modified in a wrong way after cli command
JBEAP-16505 Management Need to disable console error page by console-enabled
JBEAP-16475 REST Rest Client fails to convert a single boolean value
JBEAP-17580 REST RESTEASY-2249 @PostConstruct on @ApplicationScoped bean called too late in case a non public @PostConstruct method is present
JBEAP-17711 Remoting Introduce alternative queued acceptor to fix XNIO-258 XNIO-286 XNIO-335 XNIO-265 [details]
JBEAP-17879 Scripts '-Xlog:gc' option is not supported on OpenJDK11 + OpenJ9
JBEAP-17522 Security WFLY-12572 / SECURITY-1005 - Improve credential and role group
JBEAP-17468 Security ELY-1872 - elytron-tool.sh usage with symbolic links
JBEAP-17467 Security WFLY-12569 - File UploadMultipart does not work when PicketLink SSO is enabled
JBEAP-17662 Web (Undertow) WFCORE-4699 - preferIPv6Addresses and preferIPv4Stack System Properties are Mishandled in the Config [details]
JBEAP-17009 Web (Undertow) UNDERTOW-1554 - Improve handling and leniency of bad POST parameters
JBEAP-17818 Web (Undertow) Undertow http-listener max-connections attribute no longer causes additional connections to be rejected
JBEAP-17469 Web Console Not able to view log files in admin console if its created via logging-profile
JBEAP-17375 Web Services WS-Security in combination with MTOM attachments


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.5-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.5-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide


  • SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user defined SOAP Handlers, if this happens the SOAP Handler should be updated to work with SAAJ 1.4 and the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated, see more details.

  • The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.

  • The following tools are not in the OpenJ9 image (jboss-eap-7-eap72-openj9-11-openshift-rhel8) compared to the other EAP images delivered for other architectures: ["jcmd", "jinfo", "jstat", "jstatd"].