JBoss Enterprise Application Platform 7.4 Update 10 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 09

Download JBoss Enterprise Application Platform 7.4 Update 10

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2023-1108 Undertow UNDERTOW-2239 - Infinite loop in SslConduit during close on JDK 11 [details]
CVE-2022-41881 Server codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
CVE-2022-45787 Server apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
CVE-2022-41854 Management dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow
CVE-2022-1471 Server RESTEASY-3260 - CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [details]
CVE-2022-41853 Server hsqldb: Untrusted input may lead to RCE attack
CVE-2022-4492 Undertow undertow: Server identity in https connection is not checked by the undertow client [details]
CVE-2023-0482 Server RESTEasy: creation of insecure temp files [details]
CVE-2022-38752 Management snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-24604 ActiveMQ Artemis natives no longer being loaded
JBEAP-24405 Clustering ISPN-13229 - Memory leak if iteration is used with the internal Infinispan cache API
JBEAP-24441 Clustering WFLY-17149 - Failures due to invalid lambda deserialization should invalidate session
JBEAP-24073 EE JBEE-258 - FactoryFinderCache does not properly handle comments in service
JBEAP-24401 EJB java.lang.IllegalArgumentException: No marshaller registered for Java type org.jboss.ejb.client.UUIDSessionID in EAP 7.4
JBEAP-24450 EJB StrictMaxPoolDerivedSizeReadHandler incorrectly requires exclusive lock and higher level RBAC perms
JBEAP-24376 EJB EJBCLIENT-485 - Set default value for discovery.additional-node-timeout
JBEAP-24157 EJB WEJBHTTP-74 - The http ejb client should use the servers hostname for the TLS SNI extension during handshake
JBEAP-23904 EJB WFLY-16796 - LocalEjbReceiver response contains ContextData that has been removed on the server side
JBEAP-24371 JMS Messaging - Transaction remained in prepared state after failover
JBEAP-24522 JMS AMQ172015: Can not connect to XARecoveryConfig
JBEAP-24346 Management WFCORE-6169 - Disable YAML deserialization in the YAML Configuration Extension
JBEAP-24410 Modules WFCORE-6188 - Eliminate useless locking in ServiceModuleLoader
JBEAP-24443 Modules WFCORE-6199 - JBoss allows duplicate user and local dependencies
JBEAP-24496 Modules WFCORE-6211 - Remove ModuleIdentifier from ServiceModuleLoader.preloadModule
JBEAP-24194 REST RESTEASY-3256 - CDI managed beans do not inject @Context injection targets
JBEAP-24613 RPM RHEL7/8 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9
JBEAP-24499 RPM EAP 7.4 rpm should Obsoletes: eap7-netty-all-4.1.77-3.Final_redhat_00001.1.el8eap.noarch [details]
JBEAP-24583 Scripts Fix enable-elytron-se17.cli script
JBEAP-24254 Scripts JDK17, CLI script to update security doesn't apply to microprofile
JBEAP-23416 Security JBWS-4251 - Add UsernameToken profile integration with Elytron
JBEAP-23415 Security WFLY-15598 - No migration path from wildfly-24's picketbox UsersRolesLoginModule to wildfly-25 elytron
JBEAP-24266 Security jbossws-cxf-5.4.x elyron/picketbox support
JBEAP-24367 Security Getting java.util.ConcurrentModificationException while deploying the application
JBEAP-23166 Security UNDERTOW-2211 causes forbidden access for anonymous resources access.
JBEAP-24168 Security No security domain associated error when using WS-Security username authentication
JBEAP-23682 Server Adapt S3Discovery option for EAP 7.4 and EAP 8.x mixed domains
JBEAP-24498 Server deny-uncovered-http-methods truncates parsing of web.xml file
JBEAP-24375 Undertow UNDERTOW-2214 - Jastow compilation error when mixing EL and scriptlet expressions after UNDERTOW-1319
JBEAP-24415 Undertow UNDERTOW-2221 - Undertow can add unwanted semicolon to path parameter when client http request packets are separated in the middle of path parameter
JBEAP-24421 Undertow UNDERTOW-2222 - Jastow should use UTF-8 for default URI encoding like Undertow


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.10-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.10-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide