JBoss Enterprise Application Platform 7.2 Update 8 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+


  • JBoss EAP 7.2 CP8 contains some bug fixes that did not make it into EAP 7.3 GA, it is recommended you wait for EAP 7.3 CP1 before updating when it will be back in sync.

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 07

Download JBoss Enterprise Application Platform 7.2 Update 8

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2019-10172 Server jackson-mapper-asl: XML external entity similar to CVE-2016-3720
CVE-2020-10719 Web (Undertow) invalid HTTP request with large chunk size
CVE-2020-1745 Web (Undertow) AJP File Read/Inclusion Vulnerability [details]
CVE-2020-1757 Web (Undertow) servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass
CVE-2020-1732 Security Soteria: security identity corruption across concurrent threads
CVE-2020-1719 EJB EJBContext principal is not popped back after invoking another EJB using a different Security Domain
CVE-2019-17573 Server cxf: reflected XSS in the services listing page
CVE-2019-12423 Web Services cxf: OpenId Connect token service does not properly validate the clientId
CVE-2020-7226 Web Services cryptacular: excessive memory allocation during a decode operation
CVE-2020-10705 Web (Undertow) Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header
CVE-2020-1729 MP Config SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loaderheader

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-18495 EJBCLIENT-365 - EJB client - env property takes not effect when value is an Integer rather than String
JBEAP-18496 WFNC-56 - Naming client - env property takes no effect when value is an Integer rather than String
JBEAP-19235 AjpRequestParser improvements
JBEAP-18839 ARTEMIS-2637 - Resilience around UDP Discovery
JBEAP-18762 ENTMQBR-3108 - ARTEMIS-2500 - LargeMessage doesn't make a full copy of its props
JBEAP-18739 SecurityDomainContextRealm is not caching passwords correctly
JBEAP-18927 Clustering Session attribute lost issue with the ATTRIBUTE replication-granularity + non-BATCH cache in a failover scenario [details]
JBEAP-18410 Clustering Sessions timed out may continue to remain in the Java Heap.
JBEAP-18447 Clustering WFLY-12954 - Web sessions passivated on shutdown
JBEAP-18587 Deployment Framework REM3-352 - EJB client behaviour is different when deployed in a .war compared to a .ear and can result in a OOME [details]
JBEAP-18391 EE WFLY-12947 - EL should coerce String to Integer in equals operation [details]
JBEAP-18560 EJB WFLY-13009 - moduleAvailability message is sent before module has started
JBEAP-18357 EJB WFCORE-4803 - EJB Client authentication does not work using SASL DIGEST-MD5 and EXTERNAL mechanisms in Legacy security
JBEAP-18565 EJB EJBCLIENT-361 - DiscoveryEJBClientInterceptor: static blacklist [details]
JBEAP-18763 JMS ARTEMIS-2513 - Large message's copy may be interfered by other threads
JBEAP-19001 JMS Messages are being added to topic even if there are no subscribers [details]
JBEAP-18832 JMX REMJMX-166 - IllegalThreadStateException after idle jmx connection
JBEAP-18814 JSF JSF IdMapper can create repeated ids in clustered environments causing: IllegalStateException with postback
JBEAP-18065 JSF WFLY-12869 - Remove Multiple JSF Applications found on same ClassLoader WARN
JBEAP-17499 JSF f:viewParam component only works for the first ajax request, but for the second ajax request and so forth the submitted value is null
JBEAP-15235 Management WFCORE-4764 - Availability of web console during the startup of the Domain Controller [details]
JBEAP-18593 Management WFCORE-4830 - HCs (slaves) can not register to the DC (master) during DC and its servers start up
JBEAP-18544 Modules MODULES-378 - Symbolic links in config files are not working
JBEAP-18124 OpenShift Need to configure PREFIX_TX_ISOLATION with NONXA datasource on Openshift
JBEAP-18663 Patching [WFCORE-4596] Write lock is acquired reading patching resource using include-runtime
JBEAP-7045 Scripts Startup error when started as system service
JBEAP-18917 Security Elytron LDAP Squashes Authentication Exception [details]
JBEAP-18012 Security HAL-1651 - For slave node jvm instance which is running on another VM, start/stop and other option are not showing in EAP 7.2.4 in management console when rbac is enabled. [details]
JBEAP-18786 Security JASPIC module's initialize() is called multiple times
JBEAP-18531 Security Picketlink: TLS handshakes with ECDHE fail with Bouncy Castle and Java 11.0.5 [details]
JBEAP-18426 Security WFLY-13161 - CLIENT-CERT login does not work in intermediate elytron setup
JBEAP-19204 Web (Undertow) HTTP continue tests fail with HTTP2 in use
JBEAP-18201 Web (Undertow) WFLY-12822 - UNDERTOW-1623 - Undertow Deadlock
JBEAP-18378 Web (Undertow) UNDERTOW-1637 - Http-404 is returned when accessing protected application context resource without a trailing slash [details]
JBEAP-18857 Web (Undertow) UNDERTOW-1661 - Exchange already complete when rendering a JSP.
JBEAP-18890 Web (Undertow) WFLYCLWEBUT0002 error occurs in first cross-context request creating a shared session
JBEAP-18657 Web Console [HAL-1653] Topology is not refreshed automatically after restart the domain
JBEAP-18810 Web Console HAL-1670 Cannot add Oracle URL to XA Datasource
JBEAP-18368 Web Console [HAL-1669] Cannot add IDP resource in keycloak-saml subsystem using EAP admin console
JBEAP-18650 Web Console [WFCORE-4809] Allow composite operation to read the model without need to acquired the write lock in domain mode
JBEAP-18613 Web Services RESTEASY-2492 - RESTEASY-1986 - RESTEASY002030: Failed to write event org.jboss.resteasy.plugins.providers.sse.OutboundSseEventImpl@42adbd75: java.io.IOException: Broken pipe [details]
JBEAP-18610 mod_cluster application context is enabled to mod_cluster for servers that are started as suspended in the JBoss EAP 7.2 [details]


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.8-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.8-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide


  • JBoss EAP 7.2 CP8 contains some bug fixes that did not make it into EAP 7.3 GA, it is recommended you wait for EAP 7.3 CP1 before updating when it will be back in sync.

  • SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user defined SOAP Handlers, if this happens the SOAP Handler should be updated to work with SAAJ 1.4 and the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated.

  • The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.