JBoss Enterprise Application Platform 7.4 Update 13 Release Notes

Updated -

In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+

This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 12

Download JBoss Enterprise Application Platform 7.4 Update 13

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2023-26136 Server tough-cookie: prototype pollution in cookie memstore
CVE-2023-26464 Server log4j: log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging
CVE-2023-4061 Server wildfly-core: Management User RBAC permission allows unexpected reading of system-properties to an Unauthorized actor
CVE-2023-3171 Server eap-7: heap exhaustion via deserialization [details]
CVE-2023-34462 Server netty: io.netty:netty-handler: SniHandler 16MB allocation
CVE-2023-33201 Security bouncycastle: potential blind LDAP injection attack using a self-signed certificate
CVE-2022-25883 Server nodejs-semver: Regular expression denial of service

This update includes the following bug fixes or changes:

ID Component Summary
JBEAP-24947 A-MQ7 ENTMQBR-8122 - Unhandled NullPointerException in JournalTransaction::forget
JBEAP-25261 ActiveMQ NettyConnection.batchBufferSize() is broken after upgrading netty to 4.1.94.Final
JBEAP-25318 BOM wildfly-jms-client-bom missing some netty dependencies
JBEAP-23209 Bean Validation Improve error message for duplicate EE components
JBEAP-25131 CLI WFCORE-6424 - Generic command argument value issue with List containing Object
JBEAP-25196 Hibernate HHH-16586 - When merging a persisted entity with a null Version, Hibernate treats entity as transient instead of throwing an Exception
JBEAP-24501 JCA JBJCA-1467 - Possible data inconsistency when CMR fails at Commit phase
JBEAP-25148 JCA JBJCA-1471 - Prefill pool after returned connection has been destroyed
JBEAP-25270 Logging MODULES-439 - Create a delegating LoggerFinder
JBEAP-25349 Management WFCORE-6434 - Managed servers could ignore restart/reload required operations when HC reconnects to the domain
JBEAP-24931 Management Sync model operations fail when a HC with stopped managed servers is registered back in the domain
JBEAP-24811 OpenShift Improve message for CLI_GRACEFUL_SHUTDOWN at container startup [details]
JBEAP-25203 REST RESTEASY-3322 - ClassCastException: org.jboss.resteasy.core.registry.ConstantResourceInvoker cannot be cast to org.jboss.resteasy.core.ResourceMethodInvoker
JBEAP-24949 REST RESTEASY-3341 - The RESTEasy multipart provider changed the default entity response from binary to base64
JBEAP-25317 Server WFCORE-6442 - ModuleSpecification discards dependency information
JBEAP-24362 Undertow web session invalidation outside of a request gets IllegalStateException [details]
JBEAP-25037 Undertow UNDERTOW-2285 - Request parameters lost via jsp:include chain
JBEAP-24358 Undertow UNDERTOW-2228 - Undertow write-timeout can cause a truncate response for request coming through keep-alive connection
JBEAP-24842 Undertow UNDERTOW-2228 - Undertow write-timeout can cause a closing TCP connection without response for long-running remote EJB request [details]
JBEAP-24861 Undertow UNDERTOW-2275 Undertow read-timeout can close connection unexpectedly before returning response for POST request larger than the default buffer size
JBEAP-4217 Undertow WFLY-12019 - Cannot remove a undertow server resource at one time
JBEAP-25369 Web Services ClassNotFoundException com.sun.security.jgss.InquireType
JBEAP-23679 mod_cluster MODCLUSTER-754 - Modcluster: Contexts not registered on proxy when server started in suspend mode


Note: This update should only be applied to installer or zip-based installations.

To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.13-patch.zip"

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.13-patch.zip"

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide