JBoss Enterprise Application Platform 7.4 Update 10 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 09
Download JBoss Enterprise Application Platform 7.4 Update 10
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2023-1108 | Undertow | UNDERTOW-2239 - Infinite loop in SslConduit during close on JDK 11 [details] |
| CVE-2022-41881 | Server | codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS |
| CVE-2022-45787 | Server | apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider |
| CVE-2022-41854 | Management | dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow |
| CVE-2022-1471 | Server | RESTEASY-3260 - CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [details] |
| CVE-2022-41853 | Server | hsqldb: Untrusted input may lead to RCE attack |
| CVE-2022-4492 | Undertow | undertow: Server identity in https connection is not checked by the undertow client [details] |
| CVE-2023-0482 | Server | RESTEasy: creation of insecure temp files [details] |
| CVE-2022-38752 | Management | snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-24604 | ActiveMQ | Artemis natives no longer being loaded |
| JBEAP-24405 | Clustering | ISPN-13229 - Memory leak if iteration is used with the internal Infinispan cache API |
| JBEAP-24441 | Clustering | WFLY-17149 - Failures due to invalid lambda deserialization should invalidate session |
| JBEAP-24073 | EE | JBEE-258 - FactoryFinderCache does not properly handle comments in service |
| JBEAP-24401 | EJB | java.lang.IllegalArgumentException: No marshaller registered for Java type org.jboss.ejb.client.UUIDSessionID in EAP 7.4 |
| JBEAP-24450 | EJB | StrictMaxPoolDerivedSizeReadHandler incorrectly requires exclusive lock and higher level RBAC perms |
| JBEAP-24376 | EJB | EJBCLIENT-485 - Set default value for discovery.additional-node-timeout |
| JBEAP-24157 | EJB | WEJBHTTP-74 - The http ejb client should use the servers hostname for the TLS SNI extension during handshake |
| JBEAP-23904 | EJB | WFLY-16796 - LocalEjbReceiver response contains ContextData that has been removed on the server side |
| JBEAP-24371 | JMS | Messaging - Transaction remained in prepared state after failover |
| JBEAP-24522 | JMS | AMQ172015: Can not connect to XARecoveryConfig |
| JBEAP-24346 | Management | WFCORE-6169 - Disable YAML deserialization in the YAML Configuration Extension |
| JBEAP-24410 | Modules | WFCORE-6188 - Eliminate useless locking in ServiceModuleLoader |
| JBEAP-24443 | Modules | WFCORE-6199 - JBoss allows duplicate user and local dependencies |
| JBEAP-24496 | Modules | WFCORE-6211 - Remove ModuleIdentifier from ServiceModuleLoader.preloadModule |
| JBEAP-24194 | REST | RESTEASY-3256 - CDI managed beans do not inject @Context injection targets |
| JBEAP-24613 | RPM | RHEL7/8 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9 |
| JBEAP-24499 | RPM | EAP 7.4 rpm should Obsoletes: eap7-netty-all-4.1.77-3.Final_redhat_00001.1.el8eap.noarch [details] |
| JBEAP-24583 | Scripts | Fix enable-elytron-se17.cli script |
| JBEAP-24254 | Scripts | JDK17, CLI script to update security doesn't apply to microprofile |
| JBEAP-23416 | Security | JBWS-4251 - Add UsernameToken profile integration with Elytron |
| JBEAP-23415 | Security | WFLY-15598 - No migration path from wildfly-24's picketbox UsersRolesLoginModule to wildfly-25 elytron |
| JBEAP-24266 | Security | jbossws-cxf-5.4.x elyron/picketbox support |
| JBEAP-24367 | Security | Getting java.util.ConcurrentModificationException while deploying the application |
| JBEAP-23166 | Security | UNDERTOW-2211 |
| JBEAP-24168 | Security | No security domain associated error when using WS-Security username authentication |
| JBEAP-23682 | Server | Adapt S3Discovery option for EAP 7.4 and EAP 8.x mixed domains |
| JBEAP-24498 | Server | deny-uncovered-http-methods truncates parsing of web.xml file |
| JBEAP-24375 | Undertow | UNDERTOW-2214 - Jastow compilation error when mixing EL and scriptlet expressions after UNDERTOW-1319 |
| JBEAP-24415 | Undertow | UNDERTOW-2221 - Undertow can add unwanted semicolon to path parameter when client http request packets are separated in the middle of path parameter |
| JBEAP-24421 | Undertow | UNDERTOW-2222 - Jastow should use UTF-8 for default URI encoding like Undertow |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.10-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.10-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide
Notes
- Red Hat Insights is available for JBoss EAP 7.4 Update 11+, see more details
- Helm Chart for EAP 7.4 Updates
- The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have a s390x build, see here for more details
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows to build and deploy applications on OpenShift using Helm package manager
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs Deprecated in JBoss EAP 7.4 that will be changed in EAP 8 / Hibernate 6
- The RHSSO Galleon Layer is deprecated in JBoss EAP 7.4, see more details.
- JBoss EAP 7.4 Update 8+ now supports OpenJDK 17 / Oracle JDK 17, see configuration changes needed here.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 7
- jndi-name has been required for admin-object definitions as per the schema, the server will require it to be specified or will result in an error, see more details here
Comments