In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
- JBoss EAP 7.2 CP8 contains some bug fixes that did not make it into EAP 7.3 GA. It is recommended that you wait for EAP 7.3 CP1, when it will be back in sync, before updating.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 07.
This update includes fixes for the following security related issues:
| CVE | Component | Summary |
|---|---|---|
| CVE-2019-10172 | Server | jackson-mapper-asl: XML external entity similar to CVE-2016-3720 |
| CVE-2020-10719 | Web (Undertow) | invalid HTTP request with large chunk size |
| CVE-2020-1745 | Web (Undertow) | AJP File Read/Inclusion Vulnerability |
| CVE-2020-1757 | Web (Undertow) | servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass |
| CVE-2020-1732 | Security | Soteria: security identity corruption across concurrent threads |
| CVE-2020-1719 | EJB | EJBContext principal is not popped back after invoking another EJB using a different Security Domain |
| CVE-2019-17573 | Server | cxf: reflected XSS in the services listing page |
| CVE-2019-12423 | Web Services | cxf: OpenId Connect token service does not properly validate the clientId |
| CVE-2020-7226 | Web Services | cryptacular: excessive memory allocation during a decode operation |
| CVE-2020-10705 | Web (Undertow) | Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header |
| CVE-2020-1729 | MP Config | SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current thread's context class loader |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-18495 | | EJBCLIENT-365 - EJB client - env property takes no effect when value is an Integer rather than String |
| JBEAP-18496 | | WFNC-56 - Naming client - env property takes no effect when value is an Integer rather than String |
| JBEAP-18839 | | ARTEMIS-2637 - Resilience around UDP Discovery |
| JBEAP-18762 | | ENTMQBR-3108 - ARTEMIS-2500 - LargeMessage doesn't make a full copy of its props |
| JBEAP-18739 | | SecurityDomainContextRealm is not caching passwords correctly |
| JBEAP-18927 | Clustering | Session attribute lost issue with the ATTRIBUTE replication-granularity + non-BATCH cache in a failover scenario |
| JBEAP-18410 | Clustering | Sessions timed out may continue to remain in the Java Heap. |
| JBEAP-18447 | Clustering | WFLY-12954 - Web sessions passivated on shutdown |
| JBEAP-18587 | Deployment Framework | REM3-352 - EJB client behaviour is different when deployed in a .war compared to a .ear and can result in a OOME |
| JBEAP-18391 | EE | WFLY-12947 - EL should coerce String to Integer in equals operation |
| JBEAP-18560 | EJB | WFLY-13009 - moduleAvailability message is sent before module has started |
| JBEAP-18357 | EJB | WFCORE-4803 - EJB Client authentication does not work using SASL DIGEST-MD5 and EXTERNAL mechanisms in Legacy security |
| JBEAP-18565 | EJB | EJBCLIENT-361 - DiscoveryEJBClientInterceptor: static blacklist |
| JBEAP-18763 | JMS | ARTEMIS-2513 - Large message's copy may be interfered by other threads |
| JBEAP-19001 | JMS | Messages are being added to topic even if there are no subscribers |
| JBEAP-18832 | JMX | REMJMX-166 - IllegalThreadStateException after idle jmx connection |
| JBEAP-18814 | JSF | JSF IdMapper can create repeated ids in clustered environments causing: IllegalStateException with postback |
| JBEAP-18065 | JSF | WFLY-12869 - Remove Multiple JSF Applications found on same ClassLoader WARN |
| JBEAP-17499 | JSF | f:viewParam component only works for the first ajax request, but for the second ajax request and so forth the submitted value is null |
| JBEAP-15235 | Management | WFCORE-4764 - Availability of web console during the startup of the Domain Controller |
| JBEAP-18593 | Management | WFCORE-4830 - HCs (slaves) can not register to the DC (master) during DC and its servers start up |
| JBEAP-18544 | Modules | MODULES-378 - Symbolic links in config files are not working |
| JBEAP-18124 | OpenShift | Need to configure PREFIX_TX_ISOLATION with NONXA datasource on Openshift |
| JBEAP-18663 | Patching | [WFCORE-4596] Write lock is acquired reading patching resource using include-runtime |
| JBEAP-7045 | Scripts | Startup error when started as system service |
| JBEAP-18917 | Security | Elytron LDAP Squashes Authentication Exception |
| JBEAP-18012 | Security | HAL-1651 - For slave node jvm instance which is running on another VM, start/stop and other option are not showing in EAP 7.2.4 in management console when rbac is enabled. |
| JBEAP-18786 | Security | JASPIC module's initialize() is called multiple times |
| JBEAP-18531 | Security | Picketlink: TLS handshakes with ECDHE fail with Bouncy Castle and Java 11.0.5 |
| JBEAP-18426 | Security | WFLY-13161 - CLIENT-CERT login does not work in intermediate elytron setup |
| JBEAP-19204 | Web (Undertow) | HTTP continue tests fail with HTTP2 in use |
| JBEAP-18201 | Web (Undertow) | WFLY-12822 - UNDERTOW-1623 - Undertow Deadlock |
| JBEAP-18378 | Web (Undertow) | UNDERTOW-1637 - Http-404 is returned when accessing protected application context resource without a trailing slash |
| JBEAP-18857 | Web (Undertow) | UNDERTOW-1661 - Exchange already complete when rendering a JSP. |
| JBEAP-18890 | Web (Undertow) | WFLYCLWEBUT0002 error occurs in first cross-context request creating a shared session |
| JBEAP-18657 | Web Console | [HAL-1653] Topology is not refreshed automatically after restart the domain |
| JBEAP-18810 | Web Console | HAL-1670 Cannot add Oracle URL to XA Datasource |
| JBEAP-18368 | Web Console | [HAL-1669] Cannot add IDP resource in keycloak-saml subsystem using EAP admin console |
| JBEAP-18650 | Web Console | [WFCORE-4809] Allow composite operation to read the model without need to acquired the write lock in domain mode |
| JBEAP-18613 | Web Services | RESTEASY-2492 - RESTEASY-1986 - RESTEASY002030: Failed to write event org.jboss.resteasy.plugins.providers.sse.OutboundSseEventImpl@42adbd75: java.io.IOException: Broken pipe |
| JBEAP-18610 | mod_cluster | application context is enabled to mod_cluster for servers that are started as suspended in the JBoss EAP 7.2 |
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.8-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.8-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.
SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP Handlers. If this happens, the SOAP Handler should be updated to work with SAAJ 1.4; the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated.
The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare metal installations on IBM zSeries are not supported.