JBoss Enterprise Application Platform 7.4 Update 9 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 08.
Download JBoss Enterprise Application Platform 7.4 Update 9
This update includes fixes for the following security related issues:
ID | Component | Summary |
---|---|---|
CVE-2018-14041 | Server | bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy |
CVE-2019-8331 | Server | bootstrap: XSS in the tooltip or popover data-template attribute |
CVE-2022-42004 | Server | jackson-databind: use of deeply nested arrays |
CVE-2018-14040 | Server | bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute |
CVE-2018-14042 | Server | bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip |
CVE-2022-42003 | Server | jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS |
CVE-2016-10735 | Server | bootstrap: XSS in the data-target attribute |
CVE-2022-3143 | Security | wildfly-elytron: possible timing attacks via use of unsafe comparator |
CVE-2022-40149 | REST | jettison: parser crash by stackoverflow |
CVE-2019-11358 | Server | jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection |
CVE-2020-11023 | Server | jquery: Untrusted code execution via |
CVE-2020-11022 | Server | jquery: Cross-site scripting due to improper handling in the jQuery.htmlPrefilter method |
CVE-2015-9251 | Server | jquery: Cross-site scripting via cross-domain ajax requests |
CVE-2017-18214 | Server | nodejs-moment: Regular expression denial of service |
CVE-2022-45693 | Server | jettison: If the value in a map is the map itself, new JSONObject(map) causes a StackOverflowError which may lead to DoS |
CVE-2022-45047 | Management | sshd-common: mina-sshd: Java unsafe deserialization vulnerability |
CVE-2022-40150 | REST | jettison: memory exhaustion via user-supplied XML or JSON data |
CVE-2022-46363 | Server | CXF: Apache CXF: directory listing / code exfiltration |
CVE-2022-40152 | Application Client | woodstox-core: woodstox, used to serialise XML data, was vulnerable to Denial of Service attacks |
CVE-2022-46364 | Web Services | CXF: Apache CXF: SSRF Vulnerability |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
JBEAP-24379 | CLI | Patch rollback fails with NoSuchMethodError on JDK 8 |
JBEAP-23936 | Clustering | WFLY-17106 - jboss-web.xml replication-config causes failure in non-clustered EAP 7.4 configurations |
JBEAP-24228 | EJB | Add a global EJB client interceptor for EJB deployments that will runAs the current security identity to activate any outflow identities |
JBEAP-24148 | EJB | EJBCLIENT-458 - ConfigurationBasedEJBClientContextSelector should not throw an Error if JBoss Modules is not on the classpath |
JBEAP-24118 | Hibernate | HSEARCH-4107 - Session cast fails when creating a FullTextSession with Spring 2.4.0 |
JBEAP-24074 | JCA | JBJCA-1429 - Connection leak following transaction timeout during XAResource enlistment |
JBEAP-24391 | JCA | XAManagedConnectionFactory screws up Datasource urls containing ; |
JBEAP-24064 | JMS | WFLY-17112 - Can't load a custom load balancing policy on a pooled connection factory |
JBEAP-13722 | JPA/Hibernate | WFLY-9516 - JPA deployer adding cross sub deployment dependencies when multiple persistence units deployed |
JBEAP-23885 | JSF | JSF Full State Saving ArrayIndexOutOfBoundsException #4936 |
JBEAP-24134 | Management | WFCORE-6100 - -D[Server:XXX] JVM parameter is out of order |
JBEAP-23775 | OpenShift | Logger categories not written to standalone-openshift.xml |
JBEAP-24190 | Remoting | REM3-393 - Endpoint parsing: add support for max-inbound-channels and max-outbound-channels |
JBEAP-23501 | Remoting | WFLY-14961 - max-outbound-channels setting in remoting subsystem is not honored |
JBEAP-23971 | Security | ELYWEB-155 - Don't override the deployment's authentication mechanisms when overrideDeploymentConfig is false and the loginConfig is null |
JBEAP-24180 | Security | WFCORE - Security domain cache can be created with type default when using a JAAS realm for remoting |
JBEAP-24199 | Security | WFLY-17316 - SecurityContext callerPrincipal not set with Asynchronous tagged EJB |
JBEAP-24221 | Security | ELY-2117 - SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026 |
JBEAP-24127 | Undertow | UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value |
JBEAP-23259 | Undertow | UNDERTOW-2031 - protocol error with HTTP/2 and Expect: 100-continue |
JBEAP-24141 | Undertow | UNDERTOW-2081 - RejectedExecutionException occurs during shutdown if an open websocket session exists |
JBEAP-24093 | Undertow | UNDERTOW-2186 - Application sub directories named WEB-INF or META-INF are no longer served |
JBEAP-15303 | Undertow | WFLY-10912 - CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header |
JBEAP-24106 | Security | ELY-2468 - Security context propagation across deployments when using the RH-SSO OIDC adapter with EAP 7.4 |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.9-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.9-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide
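The apply step above, wrapped in a small POSIX shell function as an added example (it is not part of these release notes or of the product's own tooling): it checks that the target directory really contains the EAP CLI, optionally verifies the downloaded archive's SHA-256 against a value you supply (the notes do not mention checksums; obtaining the expected value from the download page is an assumption), runs the same `patch apply` command from JBOSS_HOME, and then runs the CLI's `patch info` command so the active cumulative patch can be confirmed.

```shell
#!/bin/sh
# Added example, not Red Hat's code: a guarded wrapper around the
# "patch apply" CLI command from the release notes.
# Assumptions (not from the page): sha256sum and awk are available, and
# the expected SHA-256 of the patch zip is passed in by the operator.

# Usage: apply_eap_patch JBOSS_HOME PATCH_ZIP [EXPECTED_SHA256]
# Returns 0 when the patch was applied and "patch info" ran, 1 otherwise.
apply_eap_patch() {
    jboss_home=$1
    patch_zip=$2
    expected_sha=$3

    # Refuse to run against a directory that is not an EAP installation.
    if [ ! -x "$jboss_home/bin/jboss-cli.sh" ]; then
        echo "error: $jboss_home does not contain bin/jboss-cli.sh" >&2
        return 1
    fi
    if [ ! -f "$patch_zip" ]; then
        echo "error: patch file $patch_zip not found" >&2
        return 1
    fi
    # Verify the archive's integrity before letting the CLI unpack it.
    if [ -n "$expected_sha" ]; then
        actual_sha=$(sha256sum "$patch_zip" | awk '{print $1}')
        if [ "$actual_sha" != "$expected_sha" ]; then
            echo "error: SHA-256 mismatch for $patch_zip" >&2
            return 1
        fi
    fi
    # The CLI is run from JBOSS_HOME, so pass the patch as an absolute path.
    patch_abs=$(cd "$(dirname "$patch_zip")" && pwd)/$(basename "$patch_zip")

    # Same command as in the release notes.
    ( cd "$jboss_home" && bin/jboss-cli.sh "patch apply $patch_abs" ) || return 1
    # Show the patch state of the installation so the result can be recorded.
    ( cd "$jboss_home" && bin/jboss-cli.sh "patch info" )
}
```

Run it as `apply_eap_patch /opt/jboss-eap-7.4 /tmp/jboss-eap-7.4.9-patch.zip <sha256>`; on a checksum mismatch or a missing CLI it exits before the installation is touched.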
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare-metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have an s390x build; see here for more details.
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows building and deploying applications on OpenShift using the Helm package manager.
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs are deprecated in JBoss EAP 7.4 and will be changed in EAP 8 / Hibernate 6.
- The RHSSO Galleon Layer is deprecated in JBoss EAP 7.4, see more details.
- JBoss EAP 7.4 Update 7+ now supports OpenJDK 17, and Update 8+ supports Oracle JDK 17; see the configuration changes needed here.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 7
- jndi-name is required for admin-object definitions as per the schema; the server requires it to be specified and otherwise reports an error. See more details here.