Red Hat OpenShift Application Runtimes Release Notes

Red Hat OpenShift Application Runtimes 1

For use with Red Hat OpenShift Application Runtimes

Red Hat Customer Content Services

Abstract

This Release Note contains important information related to Red Hat OpenShift Application Runtimes.

Chapter 1. Supported Runtime Component Configurations and Integrations

The following resources define the support scope for RHOAR runtime components:

Chapter 2. Technology Preview

Red Hat does not provide support for Technology Preview components provided with this release of Red Hat OpenShift Application Runtimes. Items designated as Technology Preview in the sections below have limited supportability, as defined by the Technology Preview Features Support Scope.

Technology preview features and components provided with this release include:

Chapter 3. RHOAR Deployment Platforms

Container Development Kit

RHOAR runtimes have been tested on Red Hat Container Development Kit (CDK). CDK configures a pre-built single-node OpenShift cluster on a local machine. CDK includes Minishift and the oc CLI tool. CDK provides users with a means of deploying Booster applications locally. CDK is available for download from the Red Hat Developer Portal. A free Red Hat developer account is required to access the download.

OpenShift Online Pro

RHOAR runtimes have been tested on OpenShift Online Pro.

OpenShift Online Starter

It is possible to use RHOAR on the zero-cost OpenShift Online Starter cluster, although issues may arise due to resource quotas for some boosters and for executing advanced commands (scale up, rolling upgrade, etc.).

OpenShift Container Platform

RHOAR runtimes are fully supported on the OpenShift Container Platform.

Chapter 4. Required Infrastructure Component Versions

The following versions of infrastructure components are required for all runtimes distributed as part of a RHOAR release. Red Hat does not provide support for components listed below, with the exception of components explicitly designated as supported.

Component name | Version
Fabric8 Maven Plugin | 3.5.40
Maven | 3.3.1 or later
Node.js v8[a] | 8.11.3 LTS
Node.js v10[b] | 10.8.0 LTS
Nodeshift | 1.11.0
npm 5[c] | 5.6.0
npm 6[d] | 6.2.0
OpenShift Container Platform (OCP)[e] | 3.9 or later
Minishift | 1.16.1 or later
CDK[f] | 3.4.0
JDK[g][h] | Java 8 JDK[i]
git | 2.0 or later
oc command line tool | 3.9 or later[j]

[a] The RHOAR Node.js v8 release is supported by Red Hat
[b] The RHOAR Node.js v10 release is supported by Red Hat
[c] Distributed with RHOAR as a supported RPM for Node.js 8
[d] Distributed with RHOAR as a supported RPM for Node.js 10
[e] OCP is supported by Red Hat
[f] CDK is supported by Red Hat
[g] A full JDK installation is required, as JRE does not provide tools for compiling Java applications from source.
[h] Red Hat OpenJDK is supported by Red Hat
[i] All versions of Java 8 are supported. Runtimes provided with this release do not support Java 9.
[j] The version of the oc CLI tool should correspond to the version of OCP that you are using.

Chapter 5. Common RHOAR Components

5.1. Fabric8 Maven Plugin

5.1.1. Known Fabric8 Maven Plugin Issues

5.1.1.1. Error pulling image when redeploying an application on OpenShift 3.7

Description

When deploying an application on OpenShift, the initial deployment succeeds, but re-deploying the application using the Fabric8 Maven plugin results in the pod becoming stuck in the ImgPullErr state for extended periods of time. After several retries, the re-deployment completes successfully. The issue occurs on OpenShift 3.7.

Workaround

Before applying this workaround, ensure that you are using Fabric8 Maven Plugin version 3.5.35 or later. After deploying your application using mvn fabric8:deploy, re-deploy it manually using:

mvn -Dfabric8.openshift.trimImageInContainerSpec=true fabric8:deploy

Chapter 6. Eclipse Vert.x

The Eclipse Vert.x runtime artifacts provided with this release of RHOAR are all based on community version 3.5.3.

6.1. Supported Maven Artifacts Provided with Eclipse Vert.x

Group ID | Artifact ID | Version
io.vertx | vertx-auth | 3.5.3.redhat-00001
io.vertx | vertx-auth-htdigest | 3.5.3.redhat-00001
io.vertx | vertx-auth-htpasswd | 3.5.3.redhat-00001
io.vertx | vertx-auth-jwt | 3.5.3.redhat-00001
io.vertx | vertx-auth-oauth2 | 3.5.3.redhat-00001
io.vertx | vertx-circuit-breaker | 3.5.3.redhat-00001
io.vertx | vertx-config-kubernetes-configmap | 3.5.3.redhat-00001
io.vertx | vertx-config-yaml | 3.5.3.redhat-00001
io.vertx | vertx-core | 3.5.3.redhat-00001
io.vertx | vertx-dependencies | 3.5.3.redhat-00001
io.vertx | vertx-grpc | 3.5.3.redhat-00001
io.vertx | vertx-health-check | 3.5.3.redhat-00001
io.vertx | vertx-infinispan | 3.5.3.redhat-00001
io.vertx | vertx-jdbc-client | 3.5.3.redhat-00001
io.vertx | vertx-mongo-client | 3.5.3.redhat-00001
io.vertx | vertx-mqtt | 3.5.3.redhat-00001
io.vertx | vertx-proton | 3.5.3.redhat-00001
io.vertx | vertx-redis-client | 3.5.3.redhat-00001
io.vertx | vertx-rx | 3.5.3.redhat-00001
io.vertx | vertx-service-proxy | 3.5.3.redhat-00001
io.vertx | vertx-service-discovery | 3.5.3.redhat-00001
io.vertx | vertx-service-discovery-bridge-kubernetes | 3.5.3.redhat-00001
io.vertx | vertx-sockjs-service-proxy | 3.5.3.redhat-00001
io.vertx | vertx-web | 3.5.3.redhat-00001
io.vertx | vertx-web-client | 3.5.3.redhat-00001
io.vertx | vertx-web-templ-freemarker | 3.5.3.redhat-00001
io.vertx | vertx-web-templ-handlebars | 3.5.3.redhat-00001

6.2. Technology Preview Maven Artifacts Provided with Eclipse Vert.x

Red Hat provides limited support for Eclipse Vert.x artifacts designated as Technology Preview:

Group ID | Artifact ID | Version
io.vertx | vertx-kafka-client | 3.5.3.redhat-00001
io.vertx | vertx-rx-java2 | 3.5.3.redhat-00001
io.vertx | vertx-config-vault | 3.5.3.redhat-00001
io.vertx | vertx-micrometer-metrics | 3.5.3.redhat-00001

6.3. Eclipse Vert.x Maven Artifacts Provided with Developer Support

The following artifacts are available with RHOAR Eclipse Vert.x within the Development Support scope for Red Hat products. Red Hat provides no support for use of the listed artifacts in production-level environments. Red Hat may provide a limited level of support for the use of these artifacts in application development. Such support is typically limited to providing knowledge about the component to the developer for the purposes of development only, and without any commitment to guarantee the functionality of the component in question outside of a development environment.

Group ID | Artifact ID | Version
io.vertx | vertx-junit5 | 3.5.3.redhat-00001
io.vertx | vertx-unit | 3.5.3.redhat-00001

6.4. Deprecated Eclipse Vert.x Maven Artifacts

Group ID | Artifact ID | Version
io.vertx | vertx-rx-java | 3.5.3.redhat-00001

6.5. New Eclipse Vert.x features

This release of RHOAR Eclipse Vert.x introduces the following new features and feature updates:

JBoss Data Grid Infinispan 8.5.1
The vertx-infinispan component provided with this release of RHOAR Eclipse Vert.x uses artifacts provided by JBoss Data Grid 7.2. These components replace the community Infinispan that vertx-infinispan depended on in previous releases of RHOAR Eclipse Vert.x.

6.6. Resolved Eclipse Vert.x Issues

The RHOAR Eclipse Vert.x 3.5.3 release serves as a replacement for RHOAR Eclipse Vert.x 3.5.1, and includes bug fixes and enhancements. For a detailed list of issues resolved in the community Eclipse Vert.x 3.5.3 release, see the community release notes.

6.6.1. CVE-2018-12537

Affected component
vertx-core
Issue Summary
Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers.
Red Hat CVE database entry
CVE-2018-12537
Bugzilla Bug ID
1591072

6.6.2. CVE-2018-12540

Affected component
vertx-web
Issue Summary
The CSRFHandler does not assert that the XSRF cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens that have not yet expired.
Red Hat CVE database entry
CVE-2018-12540
Bugzilla Bug ID
1600666

6.7. Known Eclipse Vert.x Issues

6.7.1. False Connection reset by peer error messages when calling application endpoint

Description:

Making an HTTP request on an endpoint of a Vert.x application using either curl or a Java HTTP client produces the following error in the logs after each request:

io.vertx.core.net.impl.ConnectionBase
SEVERE: java.io.IOException: Connection reset by peer

This behavior is caused by the interaction of the Netty application framework and the HAProxy load-balancer used by OpenShift. The error occurs due to existing HTTP connections being re-used by HAProxy without closing. Even though the error message is logged, no error condition occurs. HTTP requests are handled correctly and the application responds as expected.

Chapter 7. WildFly Swarm

The WildFly Swarm runtime artifacts provided with this release of RHOAR are all based on upstream version 2018.3.3.

Important

The WildFly Swarm 7.1.0.redhat-77 productized runtime artifact BOM no longer imports the Red Hat JBoss Enterprise Application Platform runtime artifacts BOM (org.jboss.bom:eap-runtime-artifacts). To use the dependencies provided by the Red Hat JBoss Enterprise Application Platform runtime artifacts BOM in your application, import the BOM in the pom.xml file of your Maven project.

7.1. Supported Maven Artifacts Provided with WildFly Swarm

Group ID | Artifact ID | Version
org.wildfly.swarm | spi | 7.1.0.redhat-77
org.wildfly.swarm | web | 7.1.0.redhat-77
org.wildfly.swarm | undertow | 7.1.0.redhat-77
org.wildfly.swarm | jaxrs-cdi | 7.1.0.redhat-77
org.wildfly.swarm | cdi | 7.1.0.redhat-77
org.wildfly.swarm | microprofile | 7.1.0.redhat-77
org.wildfly.swarm | connector | 7.1.0.redhat-77
org.wildfly.swarm | ejb | 7.1.0.redhat-77
org.wildfly.swarm | transactions | 7.1.0.redhat-77
org.wildfly.swarm | jaxrs-jsonp | 7.1.0.redhat-77
org.wildfly.swarm | management | 7.1.0.redhat-77
org.wildfly.swarm | cdi-config | 7.1.0.redhat-77
org.wildfly.swarm | datasources | 7.1.0.redhat-77
org.wildfly.swarm | jpa | 7.1.0.redhat-77
org.wildfly.swarm | jsf | 7.1.0.redhat-77
org.wildfly.swarm | jaxrs | 7.1.0.redhat-77
org.wildfly.swarm | jmx | 7.1.0.redhat-77
org.wildfly.swarm | topology-webapp | 7.1.0.redhat-77
org.wildfly.swarm | jca | 7.1.0.redhat-77
org.wildfly.swarm | keycloak | 7.1.0.redhat-77
org.wildfly.swarm | bean-validation | 7.1.0.redhat-77
org.wildfly.swarm | topology-openshift | 7.1.0.redhat-77
org.wildfly.swarm | jaxrs-jaxb | 7.1.0.redhat-77
org.wildfly.swarm | remoting | 7.1.0.redhat-77
org.wildfly.swarm | hibernate-validator | 7.1.0.redhat-77
org.wildfly.swarm | container | 7.1.0.redhat-77
org.wildfly.swarm | logging | 7.1.0.redhat-77
org.wildfly.swarm | request-controller | 7.1.0.redhat-77
org.wildfly.swarm | jsonp | 7.1.0.redhat-77
org.wildfly.swarm | naming | 7.1.0.redhat-77
org.wildfly.swarm | security | 7.1.0.redhat-77
org.wildfly.swarm | ee | 7.1.0.redhat-77
org.wildfly.swarm | jaxrs-multipart | 7.1.0.redhat-77
org.wildfly.swarm | topology | 7.1.0.redhat-77
org.wildfly.swarm | msc | 7.1.0.redhat-77
org.wildfly.swarm | jaxrs-validator | 7.1.0.redhat-77
org.wildfly.swarm | io | 7.1.0.redhat-77
org.wildfly.swarm | opentracing | 7.1.0.redhat-77
org.wildfly.swarm | jaeger | 7.1.0.redhat-77

7.2. Tested Maven Artifacts Provided with WildFly Swarm

Maven artifacts designated as Tested that are provided with a RHOAR WildFly Swarm release are not supported.

Group ID | Artifact ID | Version
org.wildfly.swarm | hystrix | 2018.3.3
org.wildfly.swarm | ribbon | 2018.3.3
org.wildfly.swarm | ribbon-secured | 2018.3.3
org.wildfly.swarm | ribbon-secured-client | 2018.3.3
org.wildfly.swarm | archaius | 2018.3.3
org.wildfly.swarm | arquillian | 2018.3.3

7.3. Technology Preview Maven Artifacts Provided with WildFly Swarm

Red Hat provides limited support for WildFly Swarm artifacts designated as Technology Preview:

Group ID | Artifact ID | Version
io.jaegertracing | jaeger-core | 0.27.0.redhat-4
io.jaegertracing | jaeger-micrometer | 0.27.0.redhat-4
io.jaegertracing | jaeger-parent | 0.27.0.redhat-4
io.jaegertracing | jaeger-thrift | 0.27.0.redhat-4
io.jaegertracing | jaeger-tracerresolver | 0.27.0.redhat-4
io.opentracing | opentracing-api | 0.31.0.redhat-7
io.opentracing | opentracing-mock | 0.31.0.redhat-7
io.opentracing | opentracing-noop | 0.31.0.redhat-7
io.opentracing | opentracing-util | 0.31.0.redhat-7
io.opentracing | parent | 0.31.0.redhat-7
io.opentracing.contrib | opentracing-tracerresolver | 0.1.4.redhat-7
io.opentracing.contrib | opentracing-tracerresolver-parent | 0.1.4.redhat-7
io.opentracing.contrib | opentracing-web-servlet-filter | 0.1.0.redhat-26
io.opentracing.contrib | opentracing-web-servlet-filter-parent | 0.1.0.redhat-26
org.keycloak | keycloak-authz-client | 3.4.8.Final-redhat-6

7.4. Deprecated WildFly Swarm Maven Artifacts

Group ID | Artifact ID | Version
org.wildfly.swarm | monitor | 7.1.0.redhat-77

7.5. New WildFly Swarm features

This release of RHOAR WildFly Swarm introduces the following new features and feature updates:

MicroProfile 1.2
MicroProfile version 1.2 is included with this release of RHOAR WildFly Swarm.
Enterprise Application Platform 7.1.1.GA
EAP dependencies used by RHOAR WildFly Swarm have been updated and aligned with the 7.1.1.GA release of Red Hat JBoss Enterprise Application Platform.
Red Hat SSO 7.2.2.GA
This RHOAR WildFly Swarm release uses dependencies provided by Red Hat Single Sign-On release version 7.2.2.GA.
web hollow JAR file
WildFly Swarm now provides web application dependencies packaged as a standalone hollow JAR file.
microprofile hollow JAR file
WildFly Swarm provides MicroProfile dependencies packaged as a standalone hollow JAR file.

7.6. Known WildFly Swarm Issues

7.6.1. Swarm Arquillian adapter ignores mvn -s settings.xml

Issue Key:

SWARM-1546

NOTE: You do not have to log into JIRA to view this issue.

7.6.2. MicroProfile Fault Tolerance: CDI contexts not available in @Timeout methods

Description

If your application contains a @Timeout method that uses a contextual service, such as the @RequestScoped MyService shown in the example below, the contexts are not activated for that service.

@Inject
private MyService service;

@Timeout
public String doSomething() throws InterruptedException {
    return "Hello " + service.call();
}

The method is not @Asynchronous and should, therefore, be executed on the caller thread, which would make the CDI (Context and Dependency Injection) contexts available. However, the following debug message indicates that the contexts are not available:

2018-04-03 21:16:35,976 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /: org.jboss.weld.context.ContextNotActiveException: WELD-001303: No active contexts for scope type javax.enterprise.context.RequestScoped

Cause

This issue is caused by @Timeout methods always being invoked on a separate thread, even if they are not @Asynchronous.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.3. MicroProfile JWT: cannot use different roles for different methods with parameterized @Paths that share a common prefix

Description

Our implementation of MicroProfile JWT is unable to honor the @RolesAllowed annotations properly. This leads to a situation where separation of access roles to different endpoints does not work for methods with parameterized @Paths that share a common prefix.

Cause

The WildFly Swarm MicroProfile JWT implementation works by scanning for JAX-RS classes and converting the security annotations to <security-constraint> elements in the web.xml configuration file. If your endpoint contains a parameterized @Path, such as @Path("/my/{parameterized}/path"), a <security-constraint> element is created only for the prefix of the path, up to the first parameter. This, however, is insufficient to describe all JAX-RS possibilities.

Consider the following JAX-RS resource example:

@Path("/parameterized-paths")
public class ParameterizedPaths {
    @GET
    @Path("/my/{path}/admin")
    @RolesAllowed("admin")
    public String admin(@PathParam("path") String path) {
        return "Admin accessed " + path;
    }

    @GET
    @Path("/my/{path}/view")
    @RolesAllowed("view")
    public String view(@PathParam("path") String path) {
        return "View accessed " + path;
    }
}

The example above contains a valid JAX-RS endpoint definition with a parameterized path. The method to be called is selected by the full URL, not just by the prefix.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.4. MicroProfile JWT: cannot use different roles for different methods with the same @Path but different @Produces and/or @Consumes annotations

Description

Our implementation of MicroProfile JWT is unable to honor the @RolesAllowed annotations properly. This leads to a situation where separation of access roles to different methods does not work for methods that share a common @Path, but have different @Produces and/or @Consumes annotations.

Cause

The WildFly Swarm MicroProfile JWT implementation works by scanning for JAX-RS classes and converting the security annotations to <security-constraint> elements in the web.xml configuration file. This only allows distinguishing between requests based on the URL and HTTP method they use. This, however, is insufficient to describe all JAX-RS possibilities.

Consider the following JAX-RS resource example using the plain and web access roles:

@Path("/content-types")
public class ContentTypesResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("plain")
    public String plain() {
        return "Hello, world!";
    }

    @GET
    @Produces(MediaType.TEXT_HTML)
    @RolesAllowed("web")
    public String web() {
        return "<html>Hello, world!</html>";
    }
}

The example above is 100% valid JAX-RS. The method to be called is selected by the URL and by the Accept header. This pattern is often used by people building more complex REST APIs, because it allows them to serve the same resource in multiple representations.

Workaround

At the time of this release, there is no workaround available for this issue.
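
The following audit check is an added example, not code from this documentation or from WildFly Swarm; it covers both MicroProfile JWT issues (7.6.3 and 7.6.4) by flagging resource methods that carry different @RolesAllowed values but collapse to the same URL pattern and HTTP method. It assumes the generated url-pattern is the literal path up to the first parameter followed by a wildcard, and the Endpoint class and the /health entry are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class JwtConstraintAudit {

    /** One JAX-RS resource method, reduced to the attributes the check needs (hypothetical type). */
    static final class Endpoint {
        final String httpMethod;
        final String path;      // class-level @Path joined with the method-level @Path
        final String produces;  // @Produces value, or "*/*" when the annotation is absent
        final String role;      // the @RolesAllowed value

        Endpoint(String httpMethod, String path, String produces, String role) {
            this.httpMethod = httpMethod;
            this.path = path;
            this.produces = produces;
            this.role = role;
        }

        @Override
        public String toString() {
            return httpMethod + " " + path + " produces=" + produces + " role=" + role;
        }
    }

    /**
     * Models the behaviour described in 7.6.3: the constraint covers only the
     * path prefix up to the first parameter.
     * ASSUMPTION: the trailing "*" wildcard form is chosen for this example;
     * the page does not show the exact pattern that is generated.
     */
    static String constraintPattern(String path) {
        int firstParam = path.indexOf('{');
        return firstParam < 0 ? path : path.substring(0, firstParam) + "*";
    }

    /**
     * Groups endpoints by what a security constraint can distinguish
     * (HTTP method + URL pattern) and returns the groups whose members
     * declare more than one distinct role. The @Produces value is ignored
     * on purpose, because the constraint cannot see it (7.6.4).
     */
    static Map<String, List<Endpoint>> findAmbiguous(List<Endpoint> endpoints) {
        Map<String, List<Endpoint>> byKey = new LinkedHashMap<>();
        for (Endpoint e : endpoints) {
            String key = e.httpMethod + " " + constraintPattern(e.path);
            byKey.computeIfAbsent(key, k -> new ArrayList<>()).add(e);
        }
        Map<String, List<Endpoint>> ambiguous = new LinkedHashMap<>();
        for (Map.Entry<String, List<Endpoint>> entry : byKey.entrySet()) {
            Set<String> roles = new TreeSet<>();
            for (Endpoint e : entry.getValue()) {
                roles.add(e.role);
            }
            if (roles.size() > 1) {
                ambiguous.put(entry.getKey(), entry.getValue());
            }
        }
        return ambiguous;
    }

    public static void main(String[] args) {
        // The first four entries mirror the two resource classes shown on this page;
        // the last one is a constructed control case that must not be flagged.
        List<Endpoint> endpoints = Arrays.asList(
            new Endpoint("GET", "/parameterized-paths/my/{path}/admin", "*/*", "admin"),
            new Endpoint("GET", "/parameterized-paths/my/{path}/view", "*/*", "view"),
            new Endpoint("GET", "/content-types", "text/plain", "plain"),
            new Endpoint("GET", "/content-types", "text/html", "web"),
            new Endpoint("GET", "/health", "*/*", "ops"));

        for (Map.Entry<String, List<Endpoint>> entry : findAmbiguous(endpoints).entrySet()) {
            System.out.println("Roles cannot be separated for: " + entry.getKey());
            for (Endpoint e : entry.getValue()) {
                System.out.println("    " + e);
            }
        }
    }
}
```

The check only groups endpoints whose method and pattern are identical; endpoints it reports need their role separation enforced somewhere other than @RolesAllowed until the issue is resolved.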

7.6.5. MicroProfile Metrics: Application metric behavior does not conform to metrics specification

Description

When you build and package your application and then run the resulting -swarm.jar uberjar, the application metric is not registered immediately upon deployment. The application metric is registered only after the monitored method is called.

For example, your WildFly Swarm application contains a simple application metric, such as:

@ApplicationScoped
public class HelloService {
    @Counted(monotonic = true, name = "hello", absolute = true, displayName = "HELLO", description = "Number of hello invocations")
    public String hello() {
        return "Hello from counted method";
    }
}

Note

You can test whether application metrics are registered by issuing an OPTIONS HTTP request to the /metrics REST endpoint. For example, localhost:8080/metrics, when running your application locally.

Cause

The implementation does not conform to the current version of the MicroProfile Metrics specification. The specification will likely change in the future to allow this behavior.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.6. Harmless error message in application log: Missing org.glassfish:javax.el-api:3.0.1.b08-redhat-1

Description

If your application, or any of its dependencies, depends on the Java Expression Language, it will display the following warning message during startup.

Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from https://repository.jboss.org/nexus/content/groups/public/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in jboss-public-repository-group (https://repository.jboss.org/nexus/content/groups/public/)
Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from http://repo.gradle.org/gradle/libs-releases-local/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in gradle (http://repo.gradle.org/gradle/libs-releases-local)
Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from https://repo.maven.apache.org/maven2/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in central (https://repo.maven.apache.org/maven2)
Failed downloading org/glassfish/javax.el-api/3.0.1.b08-redhat-1/javax.el-api-3.0.1.b08-redhat-1.pom from http://repo1.maven.org/maven2/. Reason:
org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.glassfish:javax.el-api:pom:3.0.1.b08-redhat-1 in central (http://repo1.maven.org/maven2)

The message is harmless and does not impact the functionality of the application.

Cause

The likely cause of this issue is related to the way dependency resolution works in WildFly Swarm. During the dependency resolution phase, WildFly Swarm ignores dependency exclusions, and thus pulls in javax.el-api, despite javax.el-api being excluded in the EAP BOM. Since it is interpreted as a valid dependency, it is indicated as missing due to being absent from the repository, which causes the error messages displayed in the build log.

Workaround

At the time of this release, there is no workaround available for this issue.

7.6.7. Maven build fails on downloading the org.wildfly.swarm:config-api-runtime artifact

Description

When building your application, Maven fails to download the org.wildfly.swarm:config-api-runtime artifact, causing the build to fail. This issue occurs when you manage the dependency versions in the pom.xml file of your application manually, that is, without importing the BOM:

<dependency>
  <groupId>org.wildfly.swarm</groupId>
  <artifactId>microprofile-config</artifactId>
  <version>${version.org.wildfly.swarm}</version>
</dependency>
<dependency>
  <groupId>org.wildfly.swarm</groupId>
  <artifactId>undertow</artifactId>
  <version>${version.org.wildfly.swarm}</version>
</dependency>

Cause

The microprofile-config fraction depends on org.wildfly.swarm:microprofile-config-api, which depends on an old version of org.wildfly.swarm:config-api-runtime.

The BOM contains the correct version of org.wildfly.swarm:config-api-runtime. If dependency versions are specified manually and the BOM is not imported, like in the example above, Maven tries to download an unreleased version of org.wildfly.swarm:config-api-runtime, which obviously fails.

Workaround

Using the BOM is a preferred method of consuming dependencies in WildFly Swarm application projects. To ensure that the correct version of org.wildfly.swarm:config-api-runtime is used in your build, ensure that you import the BOM in the pom.xml file of your application.

Chapter 8. Spring Boot

8.1. Name Change in Selected Spring Boot Runtime Components

Important

The following RHOAR Spring Boot components have been renamed to follow the Spring Cloud naming convention. The original component names have been removed from the RHOAR Spring Boot BOM file and are therefore no longer usable. If you are using these components as dependencies in your project, ensure that you update the component names in the pom.xml file of your project to match the name change. RHOAR dependencies referenced using outdated component names will not resolve correctly.

Note

You can still access the components using their original names by specifying them as Spring Cloud dependencies. If you do so, you receive a deprecation notice about the name change. Note that dependencies referenced this way are part of Spring Cloud, not part of RHOAR, and are not included in the Supported Spring Boot configurations and integrations.

Original component name | New component name
spring-cloud-starter-feign | spring-cloud-starter-openfeign
spring-cloud-starter-hystrix | spring-cloud-starter-netflix-hystrix
spring-cloud-starter-ribbon | spring-cloud-starter-netflix-ribbon
spring-cloud-starter-zuul | spring-cloud-starter-netflix-zuul

8.2. Tested and Verified Maven Artifacts Provided with Spring Boot

Group ID | Artifact ID | Version
org.projectlombok | lombok | 1.16.22
org.springframework.boot | spring-boot | 1.5.14.RELEASE
org.springframework.boot | spring-boot-test | 1.5.14.RELEASE
org.springframework.boot | spring-boot-test-autoconfigure | 1.5.14.RELEASE
org.springframework.boot | spring-boot-actuator | 1.5.14.RELEASE
org.springframework.boot | spring-boot-actuator-docs | 1.5.14.RELEASE
org.springframework.boot | spring-boot-autoconfigure | 1.5.14.RELEASE
org.springframework.boot | spring-boot-configuration-metadata | 1.5.14.RELEASE
org.springframework.boot | spring-boot-configuration-processor | 1.5.14.RELEASE
org.springframework.boot | spring-boot-devtools | 1.5.14.RELEASE
org.springframework.boot | spring-boot-loader | 1.5.14.RELEASE
org.springframework.boot | spring-boot-loader-tools | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-actuator | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-data-jpa | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-data-mongodb | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-data-rest | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-jdbc | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-test | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-logging | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-web | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-tomcat | 1.5.14.RELEASE
org.springframework.boot | spring-boot-starter-websocket | 1.5.14.RELEASE
org.aspectj | aspectjrt | 1.8.13
org.aspectj | aspectjtools | 1.8.13
org.aspectj | aspectjweaver | 1.8.13
org.springframework | spring-aspects | 4.3.18.RELEASE
org.springframework | spring-beans | 4.3.18.RELEASE
org.springframework | spring-context | 4.3.18.RELEASE
org.springframework | spring-core | 4.3.18.RELEASE
org.springframework | spring-jdbc | 4.3.18.RELEASE
org.springframework | spring-orm | 4.3.18.RELEASE
org.springframework | spring-tx | 4.3.18.RELEASE
org.springframework | spring-web | 4.3.18.RELEASE
org.springframework | spring-webmvc | 4.3.18.RELEASE
org.springframework.security | spring-security-crypto | 4.2.7.RELEASE
org.springframework.amqp | spring-amqp | 1.7.8.RELEASE
org.spockframework | spock-core | 1.0-groovy-2.4
org.spockframework | spock-spring | 1.0-groovy-2.4
com.fasterxml | classmate | 1.3.4
com.fasterxml.jackson.core | jackson-annotations | 2.8.11.2
com.fasterxml.jackson.core | jackson-core | 2.8.11.2
com.fasterxml.jackson.core | jackson-databind | 2.8.11.2
com.fasterxml.jackson.dataformat | jackson-dataformat-yaml | 2.8.11.2
com.fasterxml.jackson.jaxrs | jackson-jaxrs-json-provider | 2.8.11.2
com.fasterxml.jackson.module | jackson-module-jaxb-annotations | 2.8.11.2
commons-codec | commons-codec | 1.10.0.redhat-5
com.h2database | h2 | 1.4.197
javax.servlet | jstl | 1.2
org.apache.cxf | cxf-spring-boot-starter-jaxrs | 3.1.12.redhat-1
ch.qos.logback | logback-core | 1.1.11
ch.qos.logback | logback-classic | 1.1.11
ch.qos.logback | logback-access | 1.1.11
org.apache.httpcomponents | httpclient | 4.5.5
org.apache.httpcomponents | httpcore | 4.4.9
org.apache.httpcomponents | httpmime | 4.5.5
org.codehaus.groovy | groovy | 2.4.15
org.assertj | assertj-core | 2.6.0
org.codehaus.groovy | groovy-json | 2.4.15
org.codehaus.groovy | groovy-xml | 2.4.15
org.hibernate | hibernate-validator | 5.3.5.Final-redhat-2
org.hibernate | hibernate-core | 5.1.10.Final-redhat-1
org.hibernate | hibernate-entitymanager | 5.1.10.Final-redhat-1
net.bytebuddy | byte-buddy | 1.6.14
org.hibernate.javax.persistence | hibernate-jpa-2.1-api | 1.0.0.Final-redhat-2
antlr | antlr | 2.7.7.redhat-7
org.jboss | jandex | 2.0.0.Final
dom4j | dom4j | 1.6.1.redhat-7
org.hibernate.common | hibernate-commons-annotations | 5.0.1.Final-redhat-2
javax.enterprise | cdi-api | 1.1
javax.el | el-api | 2.2
javax.transaction | javax.transaction-api | 1.2
javax.annotation | jsr250-api | 1.0
javax.inject | javax.inject | 1.0.0.redhat-6
org.javassist | javassist | 3.21.0-GA
org.jboss.logging | jboss-logging | 3.3.2.Final-redhat-1
org.json | json | 20140107
org.slf4j | jul-to-slf4j | 1.7.25
org.slf4j | slf4j-api | 1.7.25
org.yaml | snakeyaml | 1.17.0.redhat-1
xml-apis | xml-apis | 1.4.01
io.dropwizard.metrics | metrics-core | 3.1.5
io.dropwizard.metrics | metrics-ganglia | 3.1.5
io.dropwizard.metrics | metrics-graphite | 3.1.5
io.dropwizard.metrics | metrics-servlets | 3.1.5
org.hsqldb | hsqldb | 2.3.6
com.google.guava | guava | 23.0
org.springframework.cloud | spring-cloud-sleuth-zipkin | 1.3.3.RELEASE
org.springframework.cloud | spring-cloud-sleuth-zipkin-stream | 1.3.3.RELEASE
org.springframework.cloud | spring-cloud-sleuth-stream | 1.3.3.RELEASE
org.springframework.cloud | spring-cloud-kubernetes-core | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-kubernetes-config | 1.4.3.RELEASE
org.springframework.cloud | spring-cloud-kubernetes-discovery | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-kubernetes-ribbon | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-kubernetes-hystrix | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-kubernetes-zipkin | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-config | 1.4.3.RELEASE
org.springframework.cloud | spring-cloud-starter-hystrix | 1.4.4.RELEASE
org.springframework.cloud | spring-cloud-starter-sleuth | 1.3.3.RELEASE
org.springframework.cloud | spring-cloud-starter-stream-rabbit | 1.3.3.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-archaius | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-atlas | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-eureka-client | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-eureka-server | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-openfeign | 1.4.4.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-hystrix | 1.4.4.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-hystrix-dashboard | 1.4.4.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-ribbon | 1.4.4.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-spectator | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-turbine | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-turbine-stream | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-netflix-zuul | 1.4.4.RELEASE
org.springframework.cloud | spring-cloud-starter-kubernetes-all | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-kubernetes | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-kubernetes-config | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-kubernetes-netflix | 0.2.0.RELEASE
org.springframework.cloud | spring-cloud-starter-kubernetes-zipkin | 0.2.0.RELEASE
org.apache.tomcat.embed | tomcat-embed-core | 8.5.20.redhat-6
org.apache.tomcat.embed | tomcat-embed-el | 8.5.20.redhat-6
org.apache.tomcat.embed | tomcat-embed-jasper | 8.5.20.redhat-6
org.apache.tomcat.embed | tomcat-embed-websocket | 8.5.20.redhat-6
org.apache.tomcat | tomcat-jdbc | 8.5.20.redhat-6
org.keycloak | keycloak-adapter-spi | 3.4.3.Final-redhat-2
org.keycloak | keycloak-spring-boot-starter | 3.4.3.Final-redhat-2
org.keycloak | keycloak-spring-boot-adapter | 3.4.3.Final-redhat-2
org.keycloak | spring-boot-container-bundle | 3.4.3.Final-redhat-2
org.keycloak | keycloak-spring-security-adapter | 3.4.3.Final-redhat-2

8.3. Technology Preview Maven Artifacts Provided with Spring Boot

Red Hat provides limited support for Spring Boot artifacts designated as Technology Preview:

| Group ID | Artifact ID | Version |
| --- | --- | --- |
| io.jaegertracing | jaeger-core | 0.27.0.redhat-4 |
| io.jaegertracing | jaeger-thrift | 0.27.0.redhat-4 |
| io.opentracing | opentracing-api | 0.31.0.redhat-7 |
| io.opentracing | opentracing-noop | 0.31.0.redhat-7 |
| io.opentracing | opentracing-util | 0.31.0.redhat-7 |
| io.opentracing | parent | 0.31.0.redhat-7 |
| io.opentracing.contrib | opentracing-tracerresolver | 0.1.4.redhat-7 |
| io.opentracing.contrib | opentracing-tracerresolver-parent | 0.1.4.redhat-7 |
| io.opentracing.contrib | opentracing-web-servlet-filter | 0.1.0.redhat-26 |
| io.opentracing.contrib | opentracing-web-servlet-filter-parent | 0.1.0.redhat-26 |
| io.opentracing.contrib | opentracing-spring-web | 0.3.3.redhat-6 |
| io.opentracing.contrib | opentracing-spring-web-parent | 0.3.3.redhat-6 |
| io.opentracing.contrib | opentracing-spring-web-starter | 0.3.3.redhat-6 |
| io.opentracing.contrib | opentracing-spring-jaeger-parent | 0.1.4.redhat-3 |
| io.opentracing.contrib | opentracing-spring-jaeger-starter | 0.1.4.redhat-3 |
| io.opentracing.contrib | opentracing-spring-jaeger-web-starter | 0.1.4.redhat-3 |
| org.keycloak | keycloak-authz-client | 3.4.3.Final-redhat-2 |

8.4. Deploying Spring Boot applications on Red Hat JBoss Fuse

As a Technology Preview feature, RHOAR allows you to build and deploy Spring Boot applications packaged as JAR files on Red Hat JBoss Fuse, both in standalone mode and on OpenShift. For additional information, see Red Hat JBoss Fuse documentation.

8.5. Deploying Spring Boot Applications From WAR Files

RHOAR allows you to repackage your Spring Boot application as an executable WAR file. This feature is currently provided with the RHOAR release of Spring Boot as a Technology Preview and is not supported by Red Hat.

8.6. Resolved Spring Boot Issues

Upstream Bug Fixes

The RHOAR Spring Boot 1.5.14.RELEASE release serves as a replacement for RHOAR Spring Boot 1.5.13.RELEASE, and includes bug fixes and enhancements. The following issues have been resolved in the Pivotal™ release and are incorporated by productized RHOAR Spring Boot components. See the links to the public Spring by Pivotal™ Spring Boot JIRA project and upstream Spring Boot GitHub projects below for detailed issue descriptions:

Spring Security 4.2.7

Security Fixes

8.6.1. CVE-2018-11039

Issue summary
Cross Site Tracing (XST) with Spring Framework
Pivotal CVE database entry
CVE-2018-11039

8.6.2. CVE-2018-11040

Issue summary
JSONP enabled by default in MappingJackson2JsonView
Pivotal CVE database entry
CVE-2018-11040

8.7. Known Spring Boot Issues

8.7.1. Missing APR/native library in the openshift-openjdk image

Issue Key:

SB-379

NOTE: You do not have to log into JIRA to view this issue.

Chapter 9. Node.js

9.1. Supported Node.js Base Images

Table 9.1. Node.js 8 LTS

| Node.js base image | Release |
| --- | --- |
| registry.access.redhat.com/rhoar-nodejs/nodejs-8 | 8.11.3-4 |

Table 9.2. Node.js 10 LTS

| Node.js base image | Release |
| --- | --- |
| registry.access.redhat.com/rhoar-nodejs/nodejs-10 | 10.8.0-1 |

9.2. Supported Node.js RPM Packages

Table 9.3. Node.js 8 LTS

| Package name | Architecture/Type | Version | Description |
| --- | --- | --- | --- |
| rhoar-nodejs-8.11.3-4.el7.src.rpm | SRPMS | 8.11.3 | RHOAR Node.js 8 (LTS) sources |
| rhoar-nodejs-docs-8.11.3-4.el7.noarch.rpm | noarch | 8.11.3 | RHOAR Node.js 8 API documentation |
| npm-5.6.0-1.8.11.3.4.el7.x86_64.rpm | x86_64 | 5.6.0 | npm package manager |
| rhoar-nodejs-8.11.3-4.el7.x86_64.rpm | x86_64 | 8.11.3 | RHOAR Node.js (LTS) 8 binaries |
| rhoar-nodejs-debuginfo-8.11.3-4.el7.x86_64.rpm | x86_64 | 8.11.3 | debug information for the RHOAR Node.js 8 package |

Table 9.4. Node.js 10 LTS

| Package name | Architecture/Type | Version | Description |
| --- | --- | --- | --- |
| rhoar-nodejs-10.8.0-1.el7.src.rpm | SRPMS | 10.8.0 | RHOAR Node.js 10 (LTS) sources |
| rhoar-nodejs-docs-10.8.0-1.el7.noarch.rpm | noarch | 10.8.0 | RHOAR Node.js 10 API documentation |
| npm-6.2.0-1.10.8.0.1.el7.x86_64.rpm | x86_64 | 6.2.0 | npm package manager |
| rhoar-nodejs-10.8.0-1.el7.x86_64.rpm | x86_64 | 10.8.0 | RHOAR Node.js 10 (LTS) binaries |
| rhoar-nodejs-debuginfo-10.8.0-1.el7.x86_64.rpm | x86_64 | 10.8.0 | debug information for the RHOAR Node.js 10 package |

9.3. Community Node.js npm modules

The RHOAR Node.js base image allows you to develop a Node.js application for OpenShift using any of the community Node.js modules available through npm. Community npm modules are not supported by Red Hat.

9.4. Resolved Node.js Issues

Node.js 8.11.3

The RHOAR Node.js release is a Red Hat product release aligned with the community Node.js LTS release version 8.11.3. The current productized release contains aggregated bug fixes and enhancements introduced in community versions 8.11.2 through 8.11.3. For a list of issues resolved in this release, see the Node.js 8.11.3 changelog.

Security Bug Fixes

Bug fixes listed below for 8.11.3 that also apply to 10.8.0 are addressed in both releases but are listed only once. Bug fixes specific to 10.8.0 are listed separately under the Node.js 10.8.0 subsection.

9.4.1. CVE-2017-3636

Affected component
mysql
Issue summary
Client programs unspecified vulnerability (CPU Jul 2017)
Red Hat CVE database entry
CVE-2017-3636
Bugzilla Bug ID
1472686

9.4.2. CVE-2017-3641

Affected component
mysql
Issue summary
Server: DML unspecified vulnerability (CPU Jul 2017)
Red Hat CVE database entry
CVE-2017-3641
Bugzilla Bug ID
1472693

9.4.3. CVE-2017-3651

Affected component
mysql
Issue summary
Client mysqldump unspecified vulnerability (CPU Jul 2017)
Red Hat CVE database entry
CVE-2017-3651
Bugzilla Bug ID
1472708

9.4.4. CVE-2017-3653

Affected component
mysql
Issue summary
Server: DDL unspecified vulnerability (CPU Jul 2017)
Red Hat CVE database entry
CVE-2017-3653
Bugzilla Bug ID
1472711

9.4.5. CVE-2017-10268

Affected component
mysql
Issue summary
Server: Replication unspecified vulnerability (CPU Oct 2017)
Red Hat CVE database entry
CVE-2017-10268
Bugzilla Bug ID
1503656

9.4.6. CVE-2017-10378

Affected component
mysql
Issue summary
Server: Optimizer unspecified vulnerability (CPU Oct 2017)
Red Hat CVE database entry
CVE-2017-10378
Bugzilla Bug ID
1503684

9.4.7. CVE-2017-10379

Affected component
mysql
Issue summary
Client programs unspecified vulnerability (CPU Oct 2017)
Red Hat CVE database entry
CVE-2017-10379
Bugzilla Bug ID
1503685

9.4.8. CVE-2017-10384

Affected component
mysql
Issue summary
Server: DDL unspecified vulnerability (CPU Oct 2017)
Red Hat CVE database entry
CVE-2017-10384
Bugzilla Bug ID
1503686

9.4.9. CVE-2017-13215

Affected component
kernel
Issue summary
crypto: privilege escalation in skcipher_recvmsg function
Red Hat CVE database entry
CVE-2017-13215
Bugzilla Bug ID
1535173

9.4.10. CVE-2018-2562

Affected component
mysql
Issue summary
Server: Partition unspecified vulnerability
Red Hat CVE database entry
CVE-2018-2562
Bugzilla Bug ID
1535484

9.4.11. CVE-2018-2622

Affected component
mysql
Issue summary
Server: DDL unspecified vulnerability (CPU Jan 2018)
Red Hat CVE database entry
CVE-2018-2622
Bugzilla Bug ID
1535499

9.4.12. CVE-2018-2640

Affected component
mysql
Issue summary
Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Red Hat CVE database entry
CVE-2018-2640
Bugzilla Bug ID
1535500

9.4.13. CVE-2018-2665

Affected component
mysql
Issue summary
Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Red Hat CVE database entry
CVE-2018-2665
Bugzilla Bug ID
1535504

9.4.14. CVE-2018-2668

Affected component
mysql
Issue summary
Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Red Hat CVE database entry
CVE-2018-2668
Bugzilla Bug ID
1535506

9.4.15. CVE-2018-2755

Affected component
mysql
Issue summary
Server: Replication unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-2755
Bugzilla Bug ID
1568921

9.4.16. CVE-2018-2761

Affected component
mysql
Issue summary
Client programs unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-2761
Bugzilla Bug ID
1568924

9.4.17. CVE-2018-2767

Affected component
mysql
Issue summary
Use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)
Red Hat CVE database entry
CVE-2018-2767
Bugzilla Bug ID
1564965

9.4.18. CVE-2018-2771

Affected component
mysql
Issue summary
Server: Locking unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-2771
Bugzilla Bug ID
1568931

9.4.19. CVE-2018-2781

Affected component
mysql
Issue summary
Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-2781
Bugzilla Bug ID
1568942

9.4.20. CVE-2018-2813

Affected component
mysql
Issue summary
Server: DDL unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-2813
Bugzilla Bug ID
1568951

9.4.21. CVE-2018-2817

Affected component
mysql
Issue summary
Server: DDL unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-2817
Bugzilla Bug ID
1568954

9.4.22. CVE-2018-2819

Affected component
mysql
Issue summary
InnoDB unspecified vulnerability (CPU Apr 2018)
Red Hat CVE database entry
CVE-2018-3620
Bugzilla Bug ID
1568956

9.4.23. CVE-2018-3620

Affected component
kernel
Issue summary
L1 terminal fault (L1TF) (CVE-2018-3646)
Red Hat CVE database entry
CVE-2018-3620
Bugzilla Bug ID
1585005

9.4.24. CVE-2018-3646

Affected component
kernel
Issue summary
L1 terminal fault (L1TF) (CVE-2018-3620)
Red Hat CVE database entry
CVE-2018-3646
Bugzilla Bug ID
1585005

9.4.25. CVE-2018-3693

Affected component
kernel
Issue summary
speculative bounds check bypass store
Red Hat CVE database entry
CVE-2018-3693
Bugzilla Bug ID
1581650

9.4.26. CVE-2018-5390

Affected component
kernel
Issue summary
TCP segments with random offsets allow a remote denial of service (SegmentSmack)
Red Hat CVE database entry
CVE-2018-5390
Bugzilla Bug ID
1601704

9.4.27. CVE-2018-7566

Affected component
kernel
Issue summary
Race condition in snd_seq_write() may lead to UAF or OOB-access
Red Hat CVE database entry
CVE-2018-7566
Bugzilla Bug ID
1550142

9.4.28. CVE-2018-10675

Affected component
kernel
Issue summary
mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact
Red Hat CVE database entry
CVE-2018-10675
Bugzilla Bug ID
1575065

9.4.29. CVE-2018-11233

Affected component
git
Issue summary
path sanity check in is_ntfs_dotgit() can read arbitrary memory
Red Hat CVE database entry
CVE-2018-11233
Bugzilla Bug ID
1583888

9.4.30. CVE-2018-11235

Affected component
git
Issue summary
arbitrary code execution when recursively cloning a malicious repository
Red Hat CVE database entry
CVE-2018-11235
Bugzilla Bug ID
1583862

Node.js 10.8.0

The RHOAR Node.js release is a Red Hat product release aligned with the community Node.js LTS release version 10.8.0. The current productized release contains aggregated bug fixes and enhancements introduced upstream between versions 10.6.0 and 10.8.0. For a list of issues resolved in this release, see the Node.js 10.8.0 changelog.

Security Bug Fixes

9.4.31. CVE-2018-2183

Affected component
SSL/TLS
Issue summary
Birthday attack against 64-bit block ciphers (SWEET32)
Red Hat CVE database entry
CVE-2018-2183
Bugzilla Bug ID
1369383

9.4.32. CVE-2018-10897

Affected component
yum-utils
Issue summary
reposync: improper path validation may lead to directory traversal
Red Hat CVE database entry
CVE-2018-10897
Bugzilla Bug ID
1600221

9.5. Known Node.js Issues

9.5.1. Deployment fails when an npm dependency specifies a git repository.

Description:

If a package.json file contains dependencies that specify a git repository, a deployment error occurs when packaging and deploying the application to OpenShift.

Workaround:

Install the rh-git29-git package available from Red Hat Software Collections.

Legal Notice

Copyright © 2018 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.