JBoss Enterprise Application Platform 7.4 Update 9 Release Notes

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information, see the following Red Hat Knowledgebase articles: "Maintenance Release Changes in EAP 6.2+" and "Updated Patch Management with EAP 6.2+".

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 08.

This update includes fixes for the following security related issues:

ID             | Component          | Summary
---------------|--------------------|--------------------------------------------------------------
CVE-2018-14041 | Server             | bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
CVE-2019-8331  | Server             | bootstrap: XSS in the tooltip or popover data-template attribute
CVE-2022-42004 | Server             | jackson-databind: use of deeply nested arrays
CVE-2018-14040 | Server             | bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
CVE-2018-14042 | Server             | bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
CVE-2022-42003 | Server             | jackson-databind: deep wrapper array nesting with respect to UNWRAP_SINGLE_VALUE_ARRAYS
CVE-2016-10735 | Server             | bootstrap: XSS in the data-target attribute
CVE-2022-3143  | Security           | wildfly-elytron: possible timing attacks via use of an unsafe comparator
CVE-2022-40149 | REST               | jettison: parser crash by stack overflow
CVE-2019-11358 | Server             | jquery: Prototype pollution in Object's prototype leading to denial of service, remote code execution, or property injection
CVE-2020-11023 | Server             | jquery: Untrusted code execution via
CVE-2020-11022 | Server             | jquery: Cross-site scripting in the jQuery.htmlPrefilter method
CVE-2015-9251  | Server             | jquery: Cross-site scripting via cross-domain AJAX requests
CVE-2017-18214 | Server             | nodejs-moment: Regular expression denial of service
CVE-2022-45693 | Server             | jettison: If a value in the map is the map itself, new JSONObject(map) causes a StackOverflowError, which may lead to DoS
CVE-2022-45047 | Management         | sshd-common: mina-sshd: Java unsafe deserialization vulnerability
CVE-2022-40150 | REST               | jettison: memory exhaustion via user-supplied XML or JSON data
CVE-2022-46363 | Server             | CXF: Apache CXF: directory listing / code exfiltration
CVE-2022-40152 | Application Client | woodstox-core: serialising XML data with woodstox was vulnerable to denial of service attacks
CVE-2022-46364 | Web Services       | CXF: Apache CXF: SSRF vulnerability

This update includes the following bug fixes or changes:

ID          | Component     | Summary
------------|---------------|--------------------------------------------------------------
JBEAP-24379 | CLI           | Patch rollback fails with NoSuchMethodError on JDK 8
JBEAP-23936 | Clustering    | WFLY-17106 - jboss-web.xml replication-config causes failure in non-clustered EAP 7.4 configurations
JBEAP-24228 | EJB           | Add a global EJB client interceptor for EJB deployments that will runAs the current security identity to activate any outflow identities
JBEAP-24148 | EJB           | EJBCLIENT-458 - ConfigurationBasedEJBClientContextSelector should not throw an Error if JBoss Modules is not on the classpath
JBEAP-24118 | Hibernate     | HSEARCH-4107 - Session cast fails when creating a FullTextSession with Spring 2.4.0
JBEAP-24074 | JCA           | JBJCA-1429 - Connection leak following transaction timeout during XAResource enlistment
JBEAP-24391 | JCA           | XAManagedConnectionFactory mangles datasource URLs containing ';'
JBEAP-24064 | JMS           | WFLY-17112 - Can't load a custom load balancing policy on a pooled connection factory
JBEAP-13722 | JPA/Hibernate | WFLY-9516 - JPA deployer adding cross sub-deployment dependencies when multiple persistence units are deployed
JBEAP-23885 | JSF           | JSF Full State Saving ArrayIndexOutOfBoundsException #4936
JBEAP-24134 | Management    | WFCORE-6100 - -D[Server:XXX] JVM parameter is out of order
JBEAP-23775 | OpenShift     | Logger categories not written to standalone-openshift.xml
JBEAP-24190 | Remoting      | REM3-393 - Endpoint parsing: add support for max-inbound-channels and max-outbound-channels
JBEAP-23501 | Remoting      | WFLY-14961 - max-outbound-channels setting in remoting subsystem is not honored
JBEAP-23971 | Security      | ELYWEB-155 - Don't override the deployment's authentication mechanisms when overrideDeploymentConfig is false and the loginConfig is null
JBEAP-24180 | Security      | WFCORE - Security domain cache can be created with type default when using a JAAS realm for remoting
JBEAP-24199 | Security      | WFLY-17316 - SecurityContext callerPrincipal not set with Asynchronous-tagged EJB
JBEAP-24221 | Security      | ELY-2117 - SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026
JBEAP-24127 | Undertow      | UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value
JBEAP-23259 | Undertow      | UNDERTOW-2031 - protocol error with HTTP/2 and Expect: 100-continue
JBEAP-24141 | Undertow      | UNDERTOW-2081 - RejectedExecutionException occurs during shutdown if an open websocket session exists
JBEAP-24093 | Undertow      | UNDERTOW-2186 - Application sub-directories named WEB-INF or META-INF are no longer served
JBEAP-15303 | Undertow      | WFLY-10912 - CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header
JBEAP-24106 | Security      | ELY-2468 - Security context propagation across deployments when using the RH-SSO OIDC adapter with EAP 7.4
Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.9-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.9-patch.zip"

These commands apply the update to the installation that contains the CLI script. Other scenarios, and use of the management console, are covered in the JBoss EAP 7.4 Patching and Upgrading Guide.