JBoss Enterprise Application Platform 7.2 Update 7 Release Notes

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.


This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 06.

Download JBoss Enterprise Application Platform 7.2 Update 7

This update includes fixes for the following security related issues:

| ID | Component | Summary |
|---|---|---|
| CVE-2019-0205 | MP OpenTracing | thrift: Endless loop when fed with specific input data |
| CVE-2019-10086 | Server | apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default |
| CVE-2019-20445 | JMS | netty: HttpObjectDecoder.java allows Content-Length header to be accompanied by second Content-Length header |
| CVE-2019-20444 | JMS | netty: HTTP request smuggling |
| CVE-2019-12400 | Web Services | xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source |
| CVE-2020-7238 | JMS | netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling |
| CVE-2019-14887 | Security | The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use |
| CVE-2019-0210 | MP OpenTracing | thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol |

This update includes the following bug fixes or changes:

| ID | Component | Summary |
|---|---|---|
| JBEAP-13981 | JAXB | Unmarshaller tries to instantiate abstract class ignoring xsi:type if it is a list element |
| JBEAP-18317 | ActiveMQ | After messaging migration from EAP 6 to 7 it's impossible to remove sf.* queues |
| JBEAP-18230 | ActiveMQ | WFLY-12859 - Acceptor is open after broker starts but before queues are created resulting in QUEUE_DOES_NOT_EXIST message=AMQ229017 (the queue is in the standalone.xml file) |
| JBEAP-17451 | ActiveMQ | ENTMQBR-2759 - ARTEMIS-2451 - Eliminate knownDestinations cache |
| JBEAP-17745 | CDI / Weld | @PreDestroy not called on view scoped using CDI. |
| JBEAP-18033 | CDI / Weld | WFLY-12805 - Loading JTSSynchronizationWrapper gets NoClassDefFoundError: org/jboss/as/naming/context/NamespaceContextSelector |
| JBEAP-18416 | Clustering | HttpSessionListener.sessionDestroyed event can deadlock if it attempts write operations on a session |
| JBEAP-18403 | Clustering | ISPN-11116 - Invalidation commands should not load the previous value from the store |
| JBEAP-18111 | Clustering | JSF is Holding a Lock on an Object While Calling HttpSession.setAttribute on that Object. |
| JBEAP-5947 | EJB | Server should verify EJB business methods during deployment and log a warning |
| JBEAP-18369 | EJB | Calling Asynchronous EJB will use the propagated caller transaction which is not according to the specification |
| JBEAP-18004 | EJB | WEJBHTTP-31 - WildFlyClientInputStream waits for -1 when dealing with an exception result |
| JBEAP-18162 | EJB | WEJBHTTP-32 - Remote duplicate notifyAll call from WildflyClientInputStream read listener after -1 is read |
| JBEAP-18233 | EJB | WFLY-12871 - System Exception (EJBException) should be thrown instead of ApplicationException when rollback=false |
| JBEAP-17486 | Hibernate | HHH-13433 HHH-13737 EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| JBEAP-18123 | Hibernate | HHH-13651 HHH-13675 NPE on flushing when ElementCollection field contains null element |
| JBEAP-17709 | Hibernate | HHH-12858 HHH-13432 Unable to dynamically set datasource when creating an entity manager factory |
| JBEAP-17982 | JCA | JBJCA-1396 - getConnection in UserTransaction returned closed connection after XAResource#commit() failed on same thread |
| JBEAP-18224 | JCA | JBJCA-1398 - Connection leak when there is an exception during getConnection for NoTransaction resource adapter |
| JBEAP-18232 | JCA | JBJCA-1399 - IJ000608 warnings of connections in excess of max-pool-size when using a capacity incrementer |
| JBEAP-17046 | JPA / Hibernate | HHH-13433 - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| JBEAP-17971 | JSF | Mojarra Issue 4650 / ArrayIndexOutOfBoundsException with index -2 in HtmlResponseWriter.writeUnescapedCData(...) |
| JBEAP-18354 | JSF | Mojarra-4500 - NPE when determining converter for primitive values |
| JBEAP-18573 | MP OpenTracing | WFLY-12486 - Memory leak in OpenTracing when deployment is redeployed multiple times |
| JBEAP-17865 | Management | WFCORE-4733 - Server stops after switching from 'local' DC to 'remote' DC |
| JBEAP-17852 | Management | HAL-1649 - HAL Management Console black screen - Syntax Error in polyfill.min.js with IE 11 |
| JBEAP-17804 | Security | File UploadMultipart does not work for files greater than 10 kB with PicketLink SSO is enabled |
| JBEAP-18122 | Security | File upload (multipart) with Picketlink fails with sizes over 20k (using Apache Commons FileUpload) |
| JBEAP-18460 | Security | InputStream is empty if getParameter is called in deployment with Picketlink which causes fileupload to fail with sizes over 20k |
| JBEAP-17658 | Security | WFLY-12518 - ConnectionSecurityContext.getConnectionPrincipals leads to IllegalStateException getConnectionPrincipals |
| JBEAP-18154 | Server | WFCORE-4768 - WFLYIO001: Worker 'default' has auto-configured to 24 core threads should be IO threads |
| JBEAP-15990 | Web (Undertow) | WFLY-11481 - EL expressions that contain unnecessary parentheses fail |
| JBEAP-18674 | Web (Undertow) | wildfly-openssl can not load library wfssl on RHEL6 |
| JBEAP-18102 | Web Console | HAL-1627 - Web management console shows internal error on infinispan configuration page |
| JBEAP-18118 | Web Console | HAL-1646 - GUI has the wrong focus when switching between profiles |
| JBEAP-18149 | Web Console | HAL-1647 - JVM option is saved multiple times |
| JBEAP-16746 | Web Services | Stax maxAttributeSize is only vaguely respected |


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.7-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.7-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.


  • JBoss EAP 7.2 CP7 contains some bug fixes that did not make it into EAP 7.3 GA. It is recommended that you wait for EAP 7.3 CP1, when it will be back in sync, before updating.

  • SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP Handlers. If this happens, the SOAP Handler should be updated to work with SAAJ 1.4. The system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated.

  • The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare metal installations on IBM zSeries are not supported.