JBoss Enterprise Application Platform 7.4 Update 4 Release Notes

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 03.

Download JBoss Enterprise Application Platform 7.4 Update 4

This update includes fixes for the following security related issues:

| ID | Component | Summary |
|---|---|---|
| CVE-2021-45046 | Server | log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) |
| CVE-2022-23307 | Server | log4j: Unsafe deserialization flaw in Chainsaw log viewer |
| CVE-2022-23305 | Server | log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender |
| CVE-2022-23302 | Server | log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink |
| CVE-2021-45105 | Server | log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern |
| CVE-2021-44832 | Server | log4j-core: remote code execution via JDBC Appender |

This update includes the following bug fixes or changes:

| ID | Component | Summary |
|---|---|---|
| JBEAP-22103 | | WFLY-14792 - ParsedServiceDeploymentProcessor unnecessarily does deep reflection on JDK classes |
| JBEAP-22670 | A-MQ7 | ENTMQBR-5725 - JMS broker fails to load if there is a prepared transaction with an ACK is pending on a non-existent page |
| JBEAP-23107 | Batch | WFLY-15921 - JobOperator.getJobNames() does only return Names of Jobs that have already been executed since server start |
| JBEAP-23114 | Batch | WFLY-15954 - getJobInstances, getJobInstanceCount, getRunningExecutions should include jobs that have not been started |
| JBEAP-23323 | Batch | WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend |
| JBEAP-22290 | CDI / Weld | WFLY-11817 - CDI @Resource(lookup=...) processing does not start corresponding binder service |
| JBEAP-23010 | CLI | WFCORE-5765 - Unable to check the result containing whitespace with the equals to (==) comparison operator in the "if-else" control flow in JBoss-CLI |
| JBEAP-23071 | Clustering | WFLY-14746 - JGRP000014: STABLE.stability_delay has been deprecated: always 0 |
| JBEAP-22746 | Clustering | WFLY-15677 - Disable simple cache optimization when statistics are enabled |
| JBEAP-22727 | EE | WFLY-14919 - Credential store expression resolution not usable for deployment descriptors and annotations. |
| JBEAP-22722 | EE | WFLY-15494 - Duplicate dependencies in system module.xmls |
| JBEAP-22263 | EE | Serialization of a Map fails if the key uses a custom Serializer |
| JBEAP-23008 | EJB | WFLY-15335 - Simplify the processing of ejb timer timeout method params |
| JBEAP-23009 | EJB | WFLY-15499 - Honor sybase as database value, and remove the unused field databaseDialects in DatabaseTimerPersistence class |
| JBEAP-23007 | EJB | WFLY-15583 - Adjust sql statements during initialization of DatabaseTimerPersistence |
| JBEAP-22996 | EJB | EJB timer: need to consider existing timers in database when switching to truncated timestamp |
| JBEAP-22995 | EJB | WFLY-15569 - Database persistent auto timer are created twice |
| JBEAP-22425 | JCA | WFLY-15228 - Improve RA and DS subsystems' handling of the absence of legacy security |
| JBEAP-23097 | Management | Elytron local authentication doesn't work if no standalone/tmp/auth dir exists and no legacy security-realm is configured |
| JBEAP-22638 | Management | WFCORE-5675 - NPE sending transformed operation results in OperationTransformationTestCase failing when SE 17 is used |
| JBEAP-22751 | Management | WFCORE-5709 - Invalid read-attribute and read-resource output for credential store expressions with resolve-expressions=true |
| JBEAP-22098 | Scripts | WFCORE-5406 - For JDK 16+ server requires --add-opens to allow reflective access to JDK classes |
| JBEAP-22972 | Security | ELY-2067 - Elytron tool should log a warning that mask password command is not FIPS compliant |
| JBEAP-22951 | Security | ELY-2232 - OIDC AccessToken::getResourceAccessClaim always returns an empty map |
| JBEAP-22953 | Security | ELY-2242 - OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule |
| JBEAP-23077 | Security | ELY-2284 - ELY-2290 - Wildfly OIDC secured App generates a lot of keycloak requests |
| JBEAP-23106 | Security | ELY-2286 - OIDC-Adapter should support multi tenancy |
| JBEAP-22726 | Security | WFCORE-5696 - Credential store expression resolution not usable for deployment descriptors and annotations. |
| JBEAP-22563 | Security | WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries |
| JBEAP-23123 | Security | ELY-303 ELY-2298 - The 'Basic' and 'Digest' HTTP Authentication Schemes not compatible with RFC7617 and RFC7616 |
| JBEAP-23013 | Security | WFCORE-5490 - Elytron Expression Resolution too late to handle system properties. |
| JBEAP-23369 | Security | OpenSSL doesn't work with JDK 8 |
| JBEAP-23085 | Server | ISPN-13549 - Data race in EntryWrappingInterceptor handling expired entries |
| JBEAP-23104 | Transactions | WFLY-15945 - Performance regression when using the journal store with Narayana 5.12.4.Final |
| JBEAP-22349 | Undertow | WFLY-14945 - JSP Compiler regression on most recent JDK17 EA build |
| JBEAP-22861 | Undertow | UNDERTOW-2002 - StackOverflowError upon AJP read timeout |
| JBEAP-23027 | Undertow | UNDERTOW-2015 - Undertow AJP listener does not ignore a query parameter that name and value are empty |
| JBEAP-22320 | Undertow | WFLY-15117 - NullPointerException during server startup, when called by monitoring tool |
| JBEAP-22921 | VFS | JBVFS - Delay openStream call for each entry in VirtualJarInputStream |
| JBEAP-22819 | Web Console | HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console |
| JBEAP-22744 | Web Console | HAL-1760 - Editing credential reference for mail server is not working |

Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.4-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.4-patch.zip"

These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide.