JBoss Enterprise Application Platform 7.4 Update 2 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 01

Download JBoss Enterprise Application Platform 7.4 Update 2

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2021-37714 Bean Validation jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
CVE-2021-40690 Security xmlsec: xml-security: XPath Transform abuse allows for information disclosure
CVE-2021-3717 Security wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
CVE-2021-3629 Undertow undertow: potential security issue in flow control over HTTP/2 may lead to DOS
CVE-2021-20289 REST resteasy: Error message exposes endpoint class information

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-22495 WFCORE-5523 - WFCORE-5465 - Git tests fail if git init.defaultBranch is not master
JBEAP-22152 EJBCLIENT-408 - Racecondition in RemotingEJBDiscoveryProvider is causing a NullPointerException
JBEAP-22244 A-MQ7 WFLY-15039 - Cluster Intermittently Fails to Reestablish After a Node is Restarted
JBEAP-22486 ActiveMQ ENTMQBR-5471 - Broker does not auto create a queue when deploying a MDB
JBEAP-22110 ActiveMQ ENTMQBR-5385 - Different number of large messages between queues when using bridge
JBEAP-22303 Bean Validation WFLY-11566 - Follow-up fixes for WFLY-11566
JBEAP-22175 Clustering WFLY-7115 - KeyAffinityService blocks Infinispan's topology change thread
JBEAP-22516 Hibernate Hibernate ORM JDK 17 Support
JBEAP-22496 Hibernate HHH-14796 - Cannot replace an existing JPQL NamedQuery with a native NamedQuery
JBEAP-22075 Hibernate HHH-14840 - IBM Db2 11.1 fails on TransientOverride test cases
JBEAP-22304 JCA JBJCA-1421 - Use Connection.isValid() in org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker
JBEAP-22442 JCA WFLY-15189 - JCA: Disable logging for failed connections found during validation
JBEAP-22286 JCA JBJCA-1427 - not possible to bypass GSSCredentials using Datasource.getConnection(username,password)
JBEAP-21536 JSF WFLY-14698 - Caching of managed beans in WebInjectionContainer can cause memory leaks in distributed JSF applications following session timeout
JBEAP-22056 Migration CMTOOL-304 - CMTOOL: Java EE references should be replaced by Jakarta EE
JBEAP-12319 Migration CMTOOL-308 - Server Migration Tool scripts do not have .ps1 version
JBEAP-22428 Modules MODULES-406 - ModuleLoader fails when iterating over an absent module
JBEAP-22013 REST RESTEASY-2914 - ResteasyViolationException#toString concurrency generate a java.util.ConcurrentModificationException
JBEAP-22336 Scripts WFCORE-5546 - "JAVA_OPTS" is not correctly set in standalone.bat
JBEAP-15433 Scripts WFCORE-4008 - Unify "-server" option in windows standalone scripts (ps1, bat)
JBEAP-22063 Scripts WFCORE-5499 - domain.ps1 doesn't add --add-exports JVM options as expected for JDK > 9
JBEAP-22338 Security ELY-2194 - JWK implementation in JwkManager does not work properly on key rotation
JBEAP-22371 Server WFCORE-5543 - Operation-scoped caching of static module Jandex indices
JBEAP-21927 Server WFLY-14436 - Improve error for incorrect class for xa-datasource-class, etc.
JBEAP-22511 Undertow UNDERTOW-1972 - InMemorySessionManager can mistake PLACE_HOLDER_SESSION with a real session
JBEAP-22176 Undertow UNDERTOW-1869 - InMemorySessionManager Session Creation Not Thread Safe
JBEAP-22454 Web Console Missing metadata: [resource description] @ {selected.profile}/subsystem=infinispan/cache-container=/distributed-cache=/memory=binary
JBEAP-22497 Web Services CXF-8596 - Fix infinite loop in WebFaultOutInterceptor


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.2-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.2-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide