JBoss Enterprise Application Platform 7.2 Update 6 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

Note: JBoss EAP 7.2 CP6 contains some bug fixes that did not make it into EAP 7.3 GA, it is recommended you wait for EAP 7.3 CP1 before updating when it will be back in sync.

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 05

Download JBoss Enterprise Application Platform 7.2 Update 6

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2019-14893 REST jackson-databind: Serialization gadgets in classes of the xalan package
CVE-2019-16335 REST jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource
CVE-2019-14540 REST jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig
CVE-2019-14892 REST jackson-databind: Serialization gadgets in classes of the commons-configuration package
CVE-2019-16942 REST jackson-databind: Serialization gadgets in classes of the commons-dbcp package
CVE-2019-16943 REST jackson-databind: Serialization gadgets in classes of the p6spy package
CVE-2019-17531 REST jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution
CVE-2019-14885 Logging jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command
CVE-2019-17267 REST jackson-databind: Serialization gadgets in classes of the ehcache package
CVE-2019-14888 Web (Undertow) undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
CVE-2019-16869 JMS netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
CVE-2019-10219 Server hibernate-validator: safeHTML validator allows XSS



This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-17535 HAL-1632 - RBAC: Deployment button not available for server group scoped role. [details]
JBEAP-17875 UNDERTOW-1612 - Can't add more than one cookie with the same name and path but different domain
JBEAP-17387 WFCORE-4603 - Replace Deployment --runtime-name option not working
JBEAP-17944 Batch undeploy and shutdown hang by JdbcRepository error
JBEAP-16974 CDI / Weld WELD-2583 - Intercepted subclass should skip methods that have private/package private method params from different packages
JBEAP-17802 CDI / Weld WELD-2600 - Property inside beans.xml is not parsed using spec-descriptor-property-replacement on JBoss
JBEAP-17758 Clustering Session passivation event can deadlock if it attempts write operations on a session
JBEAP-17933 EJB WFTC-78 - XA file registry does not delete records when prepare reports READ ONLY
JBEAP-17344 EJB EJBCLIENT-343 - EJB invocation will not stay local if the application is deployed local and the Remote interface is used [details]
JBEAP-17615 EJB EJBCLIENT-351 - XNIO-348 - Enhance XNIO error logging for RemoteEJBReceiver
JBEAP-17612 EJB WEJBHTTP-29 - WildFlyClientInputStream hangs on close
JBEAP-17896 Hibernate HHH-13698 Hibernate does not recognize MySQL 8 error code 3572 as PessimisticLockException
JBEAP-17840 Hibernate HHH-13307 On release of batch it still contained JDBC statements using JTA
JBEAP-17617 Hibernate HHH-13633 HHH-13634 HHH-13640 HHH-13653 Enhancement-as-proxy initialization bugs [details]
JBEAP-17285 JCA org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer does not like a "*" leading property value
JBEAP-15226 JMS XA recovery warnings when server reloaded
JBEAP-17815 JMX WAR deployment fails due to NPE when both MBean and persistence-unit are packaged [details]
JBEAP-17807 JPA / Hibernate WFLY-12596 Hibernate bytecode transformer needs to pass classloader into ASM ClassWriter for super classes that are in a different classloader
JBEAP-17904 JPA / Hibernate WFLY-12699 add test that reproduces stack overflow and remove use of COMPUTE_FRAMES to avoid (ASM) recomputing stackmap frames
JBEAP-17856 JSF Flash Scope is not cleared when JSF1095 is occurred
JBEAP-17339 JSF Mojarra 4553 - Resoures#encodeAll doesn't work anymore since 2.3.x
JBEAP-17681 JSF WFLY-12563 - org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL flag ignored when WARs are embedded in EAR
JBEAP-17497 OpenShift [eap72-openjdk11-openshift-rhel8, eapcd-openshift-rhel8, eap73-openjdk11-openshift-rhel8] Change in behaviour of DEFAULT_JOB_REPOSITORY environment variable
JBEAP-17301 OpenShift [eap72-openjdk11-openshift-rhel8, eapcd-openshift-rhel8, eap73-openjdk11-openshift-rhel8] Change in behaviour of TIMER_SERVICE_DATA_STORE environment variable
JBEAP-18414 RPM RPM contains file which isn't at zip
JBEAP-17754 Security ModuleClassLoaderLocator$CombinedClassLoader created for every request when using default module
JBEAP-17829 Security WFLY-12705 - File upload fails with IllegalStateException when PicketLink SSO is enabled. [details]
JBEAP-16712 Server WFCORE-4475 - jboss-deployment-structure.xml with fails to parse when annotations=true on a sub-deployment module
JBEAP-6729 Web (Undertow) Cannot create two hosts with unspecified default web module in Undertow
JBEAP-17682 Web (Undertow) Http requests failed with ISPN000299 after redirect and session invalidation
JBEAP-17500 Web (Undertow) UNDERTOW-1589 - 500 response code still sent if large JSP include is nested within custom tag
JBEAP-17601 Web (Undertow) UNDERTOW-1595 - NullPointerException can happen on a range request for a static content [details]
JBEAP-17763 Web (Undertow) UNDERTOW-1598 - Bug in CachedResource range request handling
JBEAP-17768 Web (Undertow) UNDERTOW-1599 - access-log does not output the original query string after the servlet request is forwarded with new query strings [details]
JBEAP-17775 Web (Undertow) XNIO-353 - WARN message for rejected connections over Undertow max-connections limit
JBEAP-17813 Web Console Error when maintaining Datasources & Drivers via Console [details]
JBEAP-17576 Web Console Failed to read WS endpoint runtime data at Management Console
JBEAP-17782 Web Console HAL-1639 - EAP 7.2 console does not display destination list, if the messaging server name is in caps
JBEAP-17577 Web Services CXF-8105 - introduce a property for JMS transport client to decide reset JMS connection or not when client timeout
JBEAP-17618 Web Services CXF-8118 - CXF LoggingInInterceptor, CachedWriter leaks


Installation

Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.6-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.6-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide

Notes

  • JBoss EAP 7.2 CP6 contains some bug fixes that did not make it into EAP 7.3 GA, it is recommended you wait for EAP 7.3 CP1 before updating when it will be back in sync.

  • SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user defined SOAP Handlers, if this happens the SOAP Handler should be updated to work with SAAJ 1.4 and the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated, see more details.

  • The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.