Red Hat JBoss Web Server 5.5 Release Notes
For Use with the Red Hat JBoss Web Server 5.5
Abstract
Chapter 1. RedHat JBoss Web Server 5.5
Welcome to the Red Hat JBoss Web Server version 5.5 release.
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It consists of an application server (Apache Tomcat Servlet container), and the Tomcat Native Library. A short description of key components is given below:
- Apache tomcat: a servlet container in accordance with the Java Servlet Specification. JBoss Web Server contains Apache Tomcat 9.
- Apache tomcat native library: a Tomcat library, which improves Tomcat scalability, performance, and integration with native server technologies.
- tomcat-vault: an extension for the JBoss Web Server used for securely storing passwords and other sensitive information used by a JBoss Web Server.
- mod_cluster library: a library that allows communication between Apache Tomcat and the Apache HTTP Server’s mod_proxy_cluster module. This allows the Apache HTTP Server to be used as a load balancer for JBoss Web Server. For information on the configuration of mod_cluster, or for information on the installation and configuration of the alternative load balancers mod_jk and mod_proxy, see the HTTP Connectors and Load Balancing Guide.
- Apache portable runtime(APR): A runtime which provides superior scalability, performance, and improved integration with native server technologies. APR is a highly portable library that is at the heart of Apache HTTP Server 2.x. It enables access to advanced IO functionality (for example: sendfile, epoll and OpenSSL), Operating System level functionality (for example: random number generation and system status), and native process handling (shared memory, NT pipes and Unix sockets).
- OpenSSL: A software library which implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a basic cryptographic library.
This release of JBoss Web Server focuses on syncing JWS with the latest Apache HTTPD JBoss Core Services, as well as fixing some security issues.
Red Hat JBoss Web Server 5.5 OpenShift images based on Red Hat Enterprise Linux 7 are no longer provided with this release. Red Hat JBoss Web Server 5.5 images based on Red Hat Enterprise Linux 8 are provided with this release.
Chapter 2. Installing the Red Hat JBoss Web Server 5.5
The JBoss Web Server 5.5 can be installed using one of the following sections of the installation guide:
Chapter 3. OS/JVM Certifications
| Operating System | Chipset Architecture | Java Virtual Machine |
|---|---|---|
| Red Hat Enterprise Linux 8 | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, OracleJDK 11 |
| Red Hat Enterprise Linux 7 | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11, IBM JDK 1.8.x |
| Microsoft Windows 2019 Server | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11 |
| Microsoft Windows 2016 Server | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11 |
| Microsoft Windows 2012 Server R2 | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11 |
Red Hat Enterprise Linux 6 is not supported.
Chapter 4. Security Fixes
This update includes fixes for the following security related issues:
| ID | Impact | Summary |
|---|---|---|
| Important | hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used [jws-5] | |
| Moderate | tomcat: Request mix-up with h2c [jws-5] | |
| Low | Incomplete fix for CVE-2020-9484 (RCE via session persistence) [jws-5] |
Chapter 5. Resolved issues
| Issue | Description |
|---|---|
| JWS-1994 | Deprecate JWS Container Images for RHEL7 |
| JWS-1857 | Documentation doesn’t match changed behaviour of HealthCheckValve |
| JWS-1834 | Ensure the overhead check runs after every frame |
| JWS-1200 | Implement JWS Health Check so that it can be consumed by OpenShift |
| JWS-1708 | JWS5 requires Java8 |
| JWS-1969 | MODCLUSTER-728 - Proxy configured by a hostname caches resolved address indefinitely |
| JWS-1462 | OpenShift image create apr connector with SSLVerifyClient="optional" but doesn’t provide a CA file. |
| JWS-1485 | Provide a JWS Openshift image for PowerPC |
| JWS-1838 | Rebase tomcat to version 9.0.43 |
| JWS-2069 | System properties are no longer expanded in JWS 5.4 |
| JWS-1528 | Tomcat - implement pooled LDAP connection for JNDIRealm |
| JWS-1841 | Unable to enable SECURITY_MANAGER through jws5-tomcat.conf in zip based installation |
| JWS-1845 | Update hibernate to latest available version |
| JWS-1839 | Update apr and openssl from JBCS to versions from jbcs-httpd-2.4.37.SP8 |
| JWS-1836 | Upgrade mod_cluster to latest available version |
| JWS-1840 | Upgrade tomcat-native to 1.2.26 |
| JWS-1835 | Upgrade/Rebase components for the release 5.5 |
| JWS-1665 | bndlib is not needed |
Chapter 6. Known issues
There are no Known issues this release.
Chapter 7. Components included in Red Hat JBoss Web Server 5.5
| Component | Version |
|---|---|
| Apache CXF | 3.3.5 |
| Apache Tomcat | 9.0.43 |
| ECJ | 4.12.0 |
| Hibernate | 5.3.20.Final |
| JBoss logging | 3.4.1.Final |
| libapr | 1.6.3 |
| mod_cluster | 1.4.3.Final |
| OpenSSL | 1.1.1g |
| Tomcat-Native | 1.2.26 |
| Tomcat-Vault | 1.1.8.Final |
