JBoss Enterprise Application Platform 7.4 Update 5 Release Notes
Micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each update contains bug fixes for customer-reported issues and, where needed, security fixes. The updates are intended to substantially reduce the number of individual patches that Red Hat produces and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 04
Download JBoss Enterprise Application Platform 7.4 Update 5
This update includes fixes for the following security-related issues:
ID | Component | Summary |
---|---|---|
CVE-2022-23913 | Server | artemis-commons: Apache ActiveMQ Artemis DoS |
CVE-2021-42392 | Server | h2: Remote Code Execution in Console |
CVE-2022-0084 | Server | xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr |
CVE-2022-23437 | Server | xerces-j2: infinite loop when handling specially crafted XML document payloads |
CVE-2022-1319 | Undertow | undertow: Double AJP response for 400 from EAP 7 results in CPING failures |
CVE-2020-36518 | Server | jackson-databind: denial of service via a large depth of nested objects |
CVE-2022-0866 | Server | Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled |
CVE-2021-37136 | Server | netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data |
CVE-2021-37137 | Server | netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way |
CVE-2022-21363 | Server | mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors |
CVE-2022-24785 | Server | Moment.js: Path traversal in moment.locale |
CVE-2022-23221 | Server | h2: Loading of custom classes from remote servers through JNDI |
CVE-2022-21299 | XML Frameworks | xercesimpl: OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) |
CVE-2021-43797 | Server | netty: control chars in header names may lead to HTTP request smuggling |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
JBEAP-23240 | Batch | JBERET-537 - Error closing ItemReader.: javax.transaction.TransactionalException: ARJUNA016110: Transaction is required for invocation |
JBEAP-23193 | Bean Validation | HV-1878 - Hibernate validator: UnsupportedOperationException at java.sql.Date.toInstant(Date.java:316) |
JBEAP-22842 | Clustering | Defend against ConcurrentModificationExceptions while marshalling collections/maps |
JBEAP-22724 | EJB | WFCORE-5861 - InaccessibleObjectException with OpenJDK17 and embed-server |
JBEAP-21282 | EJB | Verify EJB over HTTP transactional behavior in OpenShift environment |
JBEAP-22012 | Hibernate | HHH-14624 HHH-14649 HHH-14819 Oracle 'offset ? rows fetch next ? rows' pagination support |
JBEAP-23147 | Hibernate | HHH-15106 - Associations with @NotFound should always be left joined when de-referenced in HQL/Criteria |
JBEAP-23291 | JSF | Some Form attributes are lost by JSF rendering when enabling javax.faces.FACELETS_REFRESH_PERIOD |
JBEAP-23179 | OpenShift | Jolokia #438 Reading runtime mbean fails on JDK11 |
JBEAP-23202 | Remoting | IOException with message ack timeout expired before timeout has ellapsed |
JBEAP-22923 | Remoting | XNIO-402 - Log Xnio thread size config at debug |
JBEAP-23515 | Remoting | XNIO-404 - Channels cannot open file "NUL:" on Windows |
JBEAP-2903 | Security | User with slash or backslash char in LDAP name cannot log in through security-realm |
JBEAP-23421 | Security | ELY-2326 - Elytron GSSCredentialSecurityFactory does not check validity of KerberosTicket. |
JBEAP-23162 | Security | ELY-2304 - Wildfly Elytron Tool, location is required even for non-filebased type e.g. PKCS11 |
JBEAP-21954 | Server | WFCORE-5416 Jgit incorrect reference in org.jboss.as.controller module |
JBEAP-22907 | Server | WFCORE-5792 Configuration changes made to embedded server are not stored in expected location |
JBEAP-23530 | Undertow | UNDERTOW-2079 - CPU spinning in AbstractFramedStreamSinkChannel |
JBEAP-23537 | Undertow | UNDERTOW-2080 - Use currentTimeMillis instead of nanoTime to measure times in awaitWritable |
JBEAP-21806 | Undertow | WFLY-13044: WFLYSEC0012 Error in web.xml with similar Patterns |
JBEAP-23154 | Web Console | HAL-1767 - Active threads count missing in batch preview |
JBEAP-12667 | Web Services | java.lang.RuntimeException: MQJCA1018: Only one session per connection is allowed |
Installation
Note: This update should only be applied to installer or zip-based installations. RPM-based installations are updated through the Red Hat yum/dnf repositories instead, not with the patch tool.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.5-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.5-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching and Upgrading Guide.
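The following script is an added example and is not part of the Red Hat release notes or the EAP distribution. It wraps the CLI procedure above with the two checks a practitioner wants around a patch: the archive's SHA-256 is compared against the value published on the download page before anything is applied, and afterwards the output of `patch info` is parsed to confirm the expected cumulative patch is the active one. Assumptions: `JBOSS_HOME` points at an installer or zip-based installation, the expected checksum is supplied by the operator (the script does not download anything), and the cumulative patch ID reported by `patch info` for this update is `jboss-eap-7.4.5.CP` (the usual CP naming; confirm it against your own `patch info` output). The sample `patch info` text embedded below is constructed for offline use.

```shell
#!/usr/bin/env bash
# Added example (not from the release notes): apply the EAP 7.4 Update 5
# cumulative patch only after verifying the archive checksum, then confirm
# with "patch info" that the expected cumulative patch is active.
set -u

# Assumption: the CP ID reported by "patch info" for this update.
EXPECTED_CP_ID="jboss-eap-7.4.5.CP"

# Portable SHA-256 of a file: GNU sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the archive's digest equals the published one (case-insensitive).
verify_patch_archive() {
  local archive="$1" expected="$2" actual
  [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
  actual=$(sha256_of "$archive")
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Extract the cumulative-patch-id value from DMR-style "patch info" output on stdin.
cumulative_patch_id() {
  sed -n 's/.*"cumulative-patch-id" => "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if the "patch info" text on stdin reports the expected CP ID.
patch_info_matches() {
  local expected="$1" found
  found=$(cumulative_patch_id)
  [ "$found" = "$expected" ]
}

# Constructed sample of "patch info" output after a successful apply (offline demo).
sample_patch_info() {
  cat <<'EOF'
{
    "outcome" => "success",
    "result" => {
        "version" => "7.4.5.GA",
        "cumulative-patch-id" => "jboss-eap-7.4.5.CP",
        "one-off-patches" => []
    }
}
EOF
}

# Verify the archive, apply it from JBOSS_HOME, then check the reported CP ID.
# Paths containing spaces are not handled by the single-argument CLI command.
apply_and_verify() {
  local archive="$1" expected_sha="$2" reported
  verify_patch_archive "$archive" "$expected_sha" \
    || { echo "checksum mismatch, refusing to apply $archive" >&2; return 1; }
  "$JBOSS_HOME/bin/jboss-cli.sh" "patch apply $archive" || return 1
  reported=$("$JBOSS_HOME/bin/jboss-cli.sh" "patch info" | cumulative_patch_id)
  if [ "$reported" != "$EXPECTED_CP_ID" ]; then
    echo "patch info reports '$reported', expected $EXPECTED_CP_ID" >&2
    echo "to undo: bin/jboss-cli.sh \"patch rollback --patch-id=$reported --reset-configuration=false\"" >&2
    return 1
  fi
  echo "$EXPECTED_CP_ID is active"
}

# Usage (not run here):
#   JBOSS_HOME=/opt/jboss-eap-7.4 apply_and_verify /tmp/jboss-eap-7.4.5-patch.zip <sha256 from download page>
#   sample_patch_info | patch_info_matches jboss-eap-7.4.5.CP && echo ok
```

The checksum step is the security-relevant one: the patch tool will happily apply any archive with the right layout, so the integrity of the zip must be established before `patch apply` runs, not after. The rollback command printed on mismatch keeps `--reset-configuration=false` so that configuration edits made after the patch are retained, which is the usual choice when backing out an update on a live installation.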
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare-metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have an s390x build; see the image documentation for details.
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 lets you build and deploy applications on OpenShift using the Helm package manager.
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing; see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- The Hibernate Search 5 APIs are deprecated in JBoss EAP 7.4 and will change in EAP 8 / Hibernate 6.
- The RHSSO Galleon layer is deprecated in JBoss EAP 7.4.
- Support for JDK 17 in JBoss EAP 7.4 Update 5 and later is a Technology Preview; configuration changes are required before running on JDK 17, as described in the linked configuration notes.