JBoss Enterprise Application Platform 7.4 Update 5 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 04

Download JBoss Enterprise Application Platform 7.4 Update 5

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2022-23913 Server artemis-commons: Apache ActiveMQ Artemis DoS
CVE-2021-42392 Server h2: Remote Code Execution in Console
CVE-2022-0084 Server xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
CVE-2022-23437 Server xerces-j2: infinite loop when handling specially crafted XML document payloads
CVE-2022-1319 Undertow undertow: Double AJP response for 400 from EAP 7 results in CPING failures
CVE-2020-36518 Server jackson-databind: denial of service via a large depth of nested objects
CVE-2022-0866 Server Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled
CVE-2021-37136 Server netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
CVE-2021-37137 Server netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
CVE-2022-21363 Server mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
CVE-2022-24785 Server Moment.js: Path traversal in moment.locale
CVE-2022-23221 Server h2: Loading of custom classes from remote servers through JNDI
CVE-2022-21299 XML Frameworks xercesimpl: OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)
CVE-2021-43797 Server netty: control chars in header names may lead to HTTP request smuggling

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-23240 Batch JBERET-537 - Error closing ItemReader.: javax.transaction.TransactionalException: ARJUNA016110: Transaction is required for invocation
JBEAP-23193 Bean Validation HV-1878 - Hibernate validator: UnsupportedOperationException at java.sql.Date.toInstant(Date.java:316)
JBEAP-22842 Clustering Defend against ConcurrentModificationExceptions while marshalling collections/maps
JBEAP-22724 EJB WFCORE-5861 - InaccessibleObjectException with OpenJDK17 and embed-server
JBEAP-21282 EJB Verify EJB over HTTP transactional behavior in OpenShift environment
JBEAP-22012 Hibernate HHH-14624 HHH-14649 HHH-14819 Oracle 'offset ? rows fetch next ? rows' pagination support [details]
JBEAP-23147 Hibernate HHH-15106 - Associations with @NotFound should always be left joined when de-referenced in HQL/Criteria
JBEAP-23291 JSF Some Form attributes are lost by JSF rendering when enabling javax.faces.FACELETS_REFRESH_PERIOD
JBEAP-23179 OpenShift Jolokia #438 Reading runtime mbean fails on JDK11
JBEAP-23202 Remoting IOException with message ack timeout expired before timeout has ellapsed
JBEAP-22923 Remoting XNIO-402 - Log Xnio thread size config at debug
JBEAP-23515 Remoting XNIO-404 - Channels cannot open file "NUL:" on Windows [details]
JBEAP-2903 Security User with slash or backslash char in LDAP name cannot log in through security-realm
JBEAP-23421 Security ELY-2326 - Elytron GSSCredentialSecurityFactory does not check validity of KerberosTicket.
JBEAP-23162 Security ELY-2304 - Wildfly Elytron Tool, location is required even for non-filebased type e.g. PKCS11
JBEAP-21954 Server WFCORE-5416 Jgit incorrect reference in org.jboss.as.controller module
JBEAP-22907 Server WFCORE-5792 Configuration changes made to embedded server are not stored in expected location
JBEAP-23530 Undertow UNDERTOW-2079 - CPU spinning in AbstractFramedStreamSinkChannel
JBEAP-23537 Undertow UNDERTOW-2080 - Use currentTimeMillis instead of nanoTime to measure times in awaitWritable
JBEAP-21806 Undertow WFLY-13044: WFLYSEC0012 Error in web.xml with similar Patterns
JBEAP-23154 Web Console HAL-1767 - Active threads count missing in batch preview
JBEAP-12667 Web Services java.lang.RuntimeException: MQJCA1018: Only one session per connection is allowed [details]


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.5-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.5-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide