In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
- In addition to JBoss Enterprise Application Platform 7.2 Update 7, it is recommended to also apply the additional patch for CVE-2020-1745 (undertow: AJP File Read/Inclusion Vulnerability), as it was released after Update 7.
- If using AJP and custom request attributes, see "How to allow AJP request attributes after applying the CVE-2020-1745 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 7.2 Update 7+", as such attributes will not be allowed by default after the CVE fix.
- JBoss EAP 7.2 CP7 contains some bug fixes that did not make it into EAP 7.3 GA; if you plan to move to EAP 7.3, it is recommended you wait for EAP 7.3 CP1, when the two will be back in sync.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 06.
This update includes fixes for the following security related issues:
| CVE | Component | Description |
|---|---|---|
| CVE-2019-0205 | MP OpenTracing | thrift: Endless loop when fed specific input data |
| CVE-2019-10086 | Server | apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default |
| CVE-2019-20445 | JMS | netty: HttpObjectDecoder.java allows Content-Length header to be accompanied by a second Content-Length header |
| CVE-2019-20444 | JMS | netty: HTTP request smuggling |
| CVE-2019-12400 | Web Services | xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source |
| CVE-2020-7238 | JMS | netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling |
| CVE-2019-14887 | Security | The 'enabled-protocols' value in legacy security is not respected if the OpenSSL security provider is in use |
| CVE-2019-0210 | MP OpenTracing | thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol |
This update includes the following bug fixes or changes:
| Issue | Component | Description |
|---|---|---|
| JBEAP-13981 | | JAXB Unmarshaller tries to instantiate abstract class, ignoring xsi:type, if it is a list element |
| JBEAP-18317 | ActiveMQ | After messaging migration from EAP 6 to 7 it is impossible to remove sf.* queues |
| JBEAP-18230 | ActiveMQ | WFLY-12859 - Acceptor is open after broker starts but before queues are created, resulting in QUEUE_DOES_NOT_EXIST message=AMQ229017 (the queue is in the standalone.xml file) |
| JBEAP-17451 | ActiveMQ | ENTMQBR-2759 - ARTEMIS-2451 - Eliminate knownDestinations cache |
| JBEAP-17745 | CDI / Weld | @PreDestroy not called on view scoped bean using CDI |
| JBEAP-18033 | CDI / Weld | WFLY-12805 - Loading JTSSynchronizationWrapper gets NoClassDefFoundError: org/jboss/as/naming/context/NamespaceContextSelector |
| JBEAP-18416 | Clustering | HttpSessionListener.sessionDestroyed event can deadlock if it attempts write operations on a session |
| JBEAP-18403 | Clustering | ISPN-11116 - Invalidation commands should not load the previous value from the store |
| JBEAP-18111 | Clustering | JSF is holding a lock on an object while calling HttpSession.setAttribute on that object |
| JBEAP-5947 | EJB | Server should verify EJB business methods during deployment and log a warning |
| JBEAP-18369 | EJB | Calling an asynchronous EJB uses the propagated caller transaction, which is not according to the specification |
| JBEAP-18004 | EJB | WEJBHTTP-31 - WildFlyClientInputStream waits for -1 when dealing with an exception result |
| JBEAP-18162 | EJB | WEJBHTTP-32 - Remote duplicate notifyAll call from WildflyClientInputStream read listener after -1 is read |
| JBEAP-18233 | EJB | WFLY-12871 - System Exception (EJBException) should be thrown instead of ApplicationException when rollback=false |
| JBEAP-17486 | Hibernate | HHH-13433 HHH-13737 EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| JBEAP-18123 | Hibernate | HHH-13651 HHH-13675 NPE on flushing when ElementCollection field contains null element |
| JBEAP-17709 | Hibernate | HHH-12858 HHH-13432 Unable to dynamically set datasource when creating an entity manager factory |
| JBEAP-17982 | JCA | JBJCA-1396 - getConnection in UserTransaction returned closed connection after XAResource#commit() failed on same thread |
| JBEAP-18224 | JCA | JBJCA-1398 - Connection leak when there is an exception during getConnection for NoTransaction resource adapter |
| JBEAP-18232 | JCA | JBJCA-1399 - IJ000608 warnings of connections in excess of max-pool-size when using a capacity incrementer |
| JBEAP-17046 | JPA / Hibernate | HHH-13433 - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| JBEAP-17971 | JSF | Mojarra Issue 4650 / ArrayIndexOutOfBoundsException with index -2 in HtmlResponseWriter.writeUnescapedCData(...) |
| JBEAP-18354 | JSF | Mojarra-4500 - NPE when determining converter for primitive values |
| JBEAP-18573 | MP OpenTracing | WFLY-12486 - Memory leak in OpenTracing when deployment is redeployed multiple times |
| JBEAP-17865 | Management | WFCORE-4733 - Server stops after switching from 'local' DC to 'remote' DC |
| JBEAP-17852 | Management | HAL-1649 - HAL Management Console black screen - Syntax Error in polyfill.min.js with IE 11 |
| JBEAP-17804 | Security | File upload (multipart) does not work for files greater than 10 kB when PicketLink SSO is enabled |
| JBEAP-18122 | Security | File upload (multipart) with PicketLink fails with sizes over 20k (using Apache Commons FileUpload) |
| JBEAP-18460 | Security | InputStream is empty if getParameter is called in a deployment with PicketLink, which causes file upload to fail with sizes over 20k |
| JBEAP-17658 | Security | WFLY-12518 - ConnectionSecurityContext.getConnectionPrincipals leads to IllegalStateException getConnectionPrincipals |
| JBEAP-18154 | Server | WFCORE-4768 - WFLYIO001: Worker 'default' has auto-configured to 24 core threads (should be IO threads) |
| JBEAP-15990 | Web (Undertow) | WFLY-11481 - EL expressions that contain unnecessary parentheses fail |
| JBEAP-18674 | Web (Undertow) | wildfly-openssl cannot load library wfssl on RHEL6 |
| JBEAP-18102 | Web Console | HAL-1627 - Web management console shows internal error on infinispan configuration page |
| JBEAP-18118 | Web Console | HAL-1646 - GUI has the wrong focus when switching between profiles |
| JBEAP-18149 | Web Console | HAL-1647 - JVM option is saved multiple times |
| JBEAP-16746 | Web Services | Stax maxAttributeSize is only vaguely respected |
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.7-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.7-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios, and use of the management console, are covered in the JBoss EAP 7.2 Patching and Upgrading Guide.
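A practitioner applying this update usually wants to confirm afterwards that the cumulative patch is actually active rather than trusting the exit status alone. The following is an added example, not part of the release notes, that wraps the Unix command above and checks the output of `patch info`; it assumes it is run from JBOSS_HOME, that the `patch info` output contains a `Cumulative patch ID = ...` line (format as observed on EAP 7.x), and that the Update 7 patch ID is `jboss-eap-7.2.7.CP` (both assumptions; check against your installation).

```shell
#!/bin/sh
# Added example: apply JBoss EAP 7.2 Update 7 and verify it via "patch info".
# Assumptions (not from the release notes): run from JBOSS_HOME; PATCH_ZIP
# points at the downloaded jboss-eap-7.2.7-patch.zip; "patch info" prints a
# line "Cumulative patch ID = <id>"; Update 7's ID is jboss-eap-7.2.7.CP.

PATCH_ZIP="${PATCH_ZIP:-path/to/jboss-eap-7.2.7-patch.zip}"
EXPECTED_CP_ID="${EXPECTED_CP_ID:-jboss-eap-7.2.7.CP}"   # assumed ID

# Print the cumulative patch ID found in "patch info" text read from stdin.
cumulative_patch_id() {
    sed -n 's/^Cumulative patch ID[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 when the patch-info text ($1) reports the expected CP ID ($2).
patch_applied() {
    id=$(printf '%s\n' "$1" | cumulative_patch_id)
    [ "$id" = "$2" ]
}

# Apply the cumulative patch (the command from the release notes), then
# re-read "patch info" and fail if the expected patch ID is not active.
apply_update() {
    bin/jboss-cli.sh "patch apply $PATCH_ZIP" || return 1
    info=$(bin/jboss-cli.sh "patch info") || return 1
    if patch_applied "$info" "$EXPECTED_CP_ID"; then
        echo "Update applied: $EXPECTED_CP_ID is active"
    else
        echo "patch info does not report $EXPECTED_CP_ID; check patch history" >&2
        return 1
    fi
}
```

Run `apply_update` as the user that owns the installation; the CVE-2020-1745 one-off mentioned above is a separate `patch apply` of its own zip and is not covered by this check.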
SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP handlers. If this happens, the SOAP handler should be updated to work with SAAJ 1.4; the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP handler is being updated.
The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare-metal installations on IBM zSeries are not supported.