JBoss Enterprise Application Platform 7.4 Update 1 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

Download JBoss Enterprise Application Platform 7.4 Update 1

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2021-3642 Server wildfly-elytron: possible timing attack in ScramServer
CVE-2021-21409 JMS netty: Request smuggling via content-length header
CVE-2021-3597 Undertow undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
CVE-2021-3536 Web Console wildfly: XSS via admin console when creating roles in domain mode
CVE-2020-13936 Web Services velocity: arbitrary code execution when attacker is able to modify templates
CVE-2021-3644 Management wildfly-core: Invalid Sensitivity Classification of Vault Expression
CVE-2021-28170 EE jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated
CVE-2021-3690 Undertow undertow: buffer leak on incoming websocket PONG message may lead to DoS
This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-21302 ActiveMQ WFLY-10725 / ENTMQBR-3702 / ARTEMIS-2176 - Repeating WARN log message "Notified of connection failure" after every XA recovery when read-timeout is configured with a smaller value than the default client-failure-check-period (30 seconds)
JBEAP-22203 Batch JBERET-506 Support retrieving job executions by job name
JBEAP-22172 Batch More efficient way of getting batch job executions by job name
JBEAP-21442 Batch JBERET-508 - Restart batch job execution from a different node
JBEAP-21993 Batch WFLY-14275 - Large job repository is blocking deployment
JBEAP-21804 Batch WFLY-14619 - Stop batch job execution from a different node
JBEAP-21772 Batch WFLY-14750 - Batch task not restarted after server resumed from suspended state
JBEAP-21284 CDI / Weld WFLY-14546 - NameNotFoundException: java:comp/TransactionSynchronizationRegistry when firing and observing CDI events asynchronously
JBEAP-21929 Clustering org.infinispan.client.hotrod module is missing a dependency on org.infinispan.protostream
JBEAP-22065 Clustering Do not allow application to create a new session or change the identifier of a session after response is committed
JBEAP-21276 Clustering ISPN-12787 - Non Transactional Cache needs to be invalidated after commit on JPQL update/delete operation
JBEAP-21258 Clustering ISPN-12807 - Simple cache does not update eviction statistics
JBEAP-22185 Clustering Session objects left in memory after non-coordinator member left a cluster
JBEAP-21362 Clustering ISPN-12930 - Clustering: JDBC store using DB2 v11.1.1.1 doesn't work anymore
JBEAP-21265 EE WFLY-14561 - Incorrect deserialization using getValue method
JBEAP-22170 EJB Wrong error code in EjbLogger.connectorNotConfiguredForEJBClientInvocations compared to upstream
JBEAP-21323 EJB CLI ...service=timer-service/timer=* throws NullPointerException
JBEAP-21260 EJB WEJBHTTP-56 - UT000065: SSL must be specified to connect to a https URL when using ejb over https when 2nd --> 3rd remote ejb call
JBEAP-21433 EJB WEJBHTTP-57 - Use error code and initCause of XAException
JBEAP-21960 EJB WEJBHTTP-58 - Wildfly Http Client HttpServerHelper should log initial exception
JBEAP-22011 EJB WEJBHTTP-59 - EJB over HTTP getting java.lang.ClassNotFoundException to Unchecked Exception
JBEAP-22082 EJB WFTC-93 - When CancellationException is thrown, throw XaException.XAER_RMFAIL
JBEAP-21275 Hibernate HHH-12320 HHH-12436 HHH-12842 HHH-13875 IdentifierGenerationException: null id generated for:class ...
JBEAP-21419 Hibernate HHH-14537 EntityNotFoundException thrown when non-existing association with @NotFound(IGNORE) mapped has proxy in PersistenceContext
JBEAP-22235 Hibernate HHH-14608 Merge causes StackOverflow when JPA proxy compliance is enabled
JBEAP-21975 Hibernate HHH-14616 Optimistic Lock throws "could not retrieve version" exception
JBEAP-21373 JCA JBJCA-1426 - OAUTH marshaling failure when connecting to Oracle database using Kerberos authentication
JBEAP-22077 JCA JBJCA-1410 - Fix hook call failures in Ironjacamar JCA
JBEAP-21432 JCA JBJCA-1410 - Fix performance regression in Ironjacamar JCA.
JBEAP-21315 JCA JBJCA-1418 - IllegalStateException can be thrown when cached connection manager stack is initialized in Servlet and then used in txn EJB method
JBEAP-21295 JCA JBJCA-1422 - MaxWaitCount will be counted one less than waiting requests
JBEAP-21832 JCA JBJCA-1423 - Pool prefill setting silently ignored for multi-user pool configurations
JBEAP-21838 JCA JBJCA-1425 - Datasource clearStatistics operation clears things it shouldn't
JBEAP-22165 JMS JmsXA connection factory not binding to java:jboss/DefaultJMSConnectionFactory
JBEAP-21431 JMX WFLY-14655 - Invocations of ServiceMBeanSupport startService are not in dependency order
JBEAP-21575 MP OpenTracing Remove leftover dependencies of MP Opentracing from EAP
JBEAP-21204 Management WFCORE-5334 - Deleting Configuration Data when Git connection is failed
JBEAP-21482 Management WFCORE-5370 - Metrics Subsystem(s) are not honoring user's role
JBEAP-22151 Management WFCORE-1934 - Make number of thread size for ServerService Thread Pool configurable
JBEAP-21839 Management WFCORE-5368 Populating the boot error collector does not distinguish between problems that happen as part of boot vs those that happen during boot
JBEAP-21002 OpenShift ISPN000280: Caught exception [java.lang.IllegalArgumentException] while invoking method [public java.util.concurrent.CompletionStage
JBEAP-21230 OpenShift kubernetes.KUBE_PING can repeat WARN "failed getting JSON response from Kubernetes Client"
JBEAP-22439 OpenShift Wrong environment variable S2I_FP_VERSION in 7.4.1.GA-CR1 OpenShift image
JBEAP-21285 Remoting EJBCLIENT-347 / REM3-350 - Remoting outbound channels are not closed
JBEAP-21580 Remoting REM3-377 - Use safeClose() in ClientServiceHandle.close()
JBEAP-21999 Scripts "servicepass" is not correctly passed to the parameter to run prunsrv.exe in service.bat
JBEAP-21989 Scripts EAP 7 cannot be installed as Windows Service if installation path contains a whitespace in service.bat
JBEAP-21852 Security ELY-2120 - Avoid an NPE in ServerAuthenticationContext when the peer's IP address is not known
JBEAP-21329 Security WFCORE-4827 - Errors Missing on Invalid Configuration
JBEAP-21288 Security WFCORE-5272 - Setting jacc provider to Elytron throws exceptions
JBEAP-21363 Security WFLY-14423 - Force restart when legacy security initialize-jacc setting is changed
JBEAP-21378 Security ELY-2111 - JwkManager uses incorrect non url-safe Base64 to load the jwks endpoint
JBEAP-21587 Security ELY-2118 - Elytron tool command execution fails with java.lang.UnsupportedOperationException on AIX OS.
JBEAP-21738 Security ELYWEB-113 - SecurityContextImpl.login incorrectly assumes authenticate would be called first.
JBEAP-21781 Security WFCORE-5185 - Update ProviderDefinition to use optimised service loading API
JBEAP-22053 Security WFNAM00007 exception when group name contains a colon
JBEAP-21957 Security WFCORE-5219 - OpenSSL tests should be running on JDK 11
JBEAP-20799 Security Manager WFCORE-5243 - NullPointerException when invalid classes specified
JBEAP-21813 Transactions WFLY-14762 - Concurrency issue with "ISPN000482: Cannot create remote transaction GlobalTx:xx:xx, already completed"
JBEAP-22033 Undertow Sessions do not expire in cluster after coordinator is killed
JBEAP-21267 Undertow UNDERTOW-1837 - ServletRequest#getLocalPort(), getLocalAddr() and getLocalName() can return wrong information when proxy-address-forwarding="true" is enabled
JBEAP-21269 Undertow UNDERTOW-1849 - NPE happens at StoredResponseStreamSinkConduit.terminateWrites when StoredResponseHandler (store-response) is enabled
JBEAP-21266 Undertow UNDERTOW-1856 UNDERTOW-1858 - Undertow read-timeout can cause closing a connection for long running request even if the request processing is not reading any request data
JBEAP-21440 Undertow UNDERTOW-1864 - EAP returns 403 even after adding the welcome file to unmanaged exploded deploy
JBEAP-21387 Undertow UNDERTOW-1873 - JSP file does not recompile when forwarding a request path is not canonicalized in exploded deployment
JBEAP-21749 Undertow UNDERTOW-1886 - Undertow ignores two-dot segments in relative path URI when its canonicalized path is outside servlet context
JBEAP-22026 Undertow UNDERTOW-1898 - DefaultServlet will not serve content from any directories starting with WEB-INF or META-INF
JBEAP-21568 Web Console HAL-1742 - HAL-1749 - Messaging default server is not shown after changing the server profile
JBEAP-21945 Web Console HAL-1750 Web Console returning WFLYCTL0030: No resource definition is registered for address
JBEAP-22009 Web Console HAL-1753 - The Locations table is not updated after changing the profile in breadcrumb navigation
JBEAP-21280 XML Frameworks Xalan XML to stream transformation produces wrong encoding
JBEAP-21381 mod_cluster WFLY-14130 proxy-list attribute ignored in modcluster subsystem
Installation

Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.1-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.1-patch.zip"

These commands apply the update to the installation that contains the CLI script. Other scenarios, and use of the management console, are covered in the JBoss EAP 7.4 Patching And Upgrading Guide.

Notes