JBoss Enterprise Application Platform 7.4 Update 4 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 03.
Download JBoss Enterprise Application Platform 7.4 Update 4
This update includes fixes for the following security-related issues:
ID | Component | Summary |
---|---|---|
CVE-2021-45046 | Server | log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) |
CVE-2022-23307 | Server | log4j: Unsafe deserialization flaw in Chainsaw log viewer |
CVE-2022-23305 | Server | log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender |
CVE-2022-23302 | Server | log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink |
CVE-2021-45105 | Server | log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern |
CVE-2021-44832 | Server | log4j-core: remote code execution via JDBC Appender |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
JBEAP-22103 | | WFLY-14792 - ParsedServiceDeploymentProcessor unnecessarily does deep reflection on JDK classes |
JBEAP-22670 | A-MQ7 | ENTMQBR-5725 - JMS broker fails to load if there is a prepared transaction with an ACK pending on a non-existent page |
JBEAP-23107 | Batch | WFLY-15921 - JobOperator.getJobNames() only returns names of jobs that have already been executed since server start |
JBEAP-23114 | Batch | WFLY-15954 - getJobInstances, getJobInstanceCount, getRunningExecutions should include jobs that have not been started |
JBEAP-23323 | Batch | WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend |
JBEAP-22290 | CDI / Weld | WFLY-11817 - CDI @Resource(lookup=...) processing does not start corresponding binder service |
JBEAP-23010 | CLI | WFCORE-5765 - Unable to check the result containing whitespace with the equals to (==) comparison operator in the "if-else" control flow in JBoss-CLI |
JBEAP-23071 | Clustering | WFLY-14746 - JGRP000014: STABLE.stability_delay has been deprecated: always 0 |
JBEAP-22746 | Clustering | WFLY-15677 - Disable simple cache optimization when statistics are enabled |
JBEAP-22727 | EE | WFLY-14919 - Credential store expression resolution not usable for deployment descriptors and annotations. |
JBEAP-22722 | EE | WFLY-15494 - Duplicate dependencies in system module.xmls |
JBEAP-22263 | EE | Serialization of a Map fails if the key uses a custom Serializer |
JBEAP-23008 | EJB | WFLY-15335 - Simplify the processing of ejb timer timeout method params |
JBEAP-23009 | EJB | WFLY-15499 - Honor sybase as database value, and remove the unused field databaseDialects in DatabaseTimerPersistence class |
JBEAP-23007 | EJB | WFLY-15583 - Adjust sql statements during initialization of DatabaseTimerPersistence |
JBEAP-22996 | EJB | EJB timer: need to consider existing timers in database when switching to truncated timestamp |
JBEAP-22995 | EJB | WFLY-15569 - Database persistent auto timer are created twice |
JBEAP-22425 | JCA | WFLY-15228 - Improve RA and DS subsystems' handling of the absence of legacy security |
JBEAP-23097 | Management | Elytron local authentication doesn't work if no standalone/tmp/auth dir exists and no legacy security-realm is configured |
JBEAP-22638 | Management | WFCORE-5675 - NPE sending transformed operation results in OperationTransformationTestCase failing when SE 17 is used |
JBEAP-22751 | Management | WFCORE-5709 - Invalid read-attribute and read-resource output for credential store expressions with resolve-expressions=true |
JBEAP-22098 | Scripts | WFCORE-5406 - For JDK 16+ server requires --add-opens to allow reflective access to JDK classes |
JBEAP-22972 | Security | ELY-2067 - Elytron tool should log a warning that mask password command is not FIPS compliant |
JBEAP-22951 | Security | ELY-2232 - OIDC AccessToken::getResourceAccessClaim always returns an empty map |
JBEAP-22953 | Security | ELY-2242 - OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule |
JBEAP-23077 | Security | ELY-2284 - ELY-2290 - Wildfly OIDC secured App generates a lot of keycloak requests |
JBEAP-23106 | Security | ELY-2286 - OIDC-Adapter should support multi tenancy |
JBEAP-22726 | Security | WFCORE-5696 - Credential store expression resolution not usable for deployment descriptors and annotations. |
JBEAP-22563 | Security | WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries |
JBEAP-23123 | Security | ELY-303 ELY-2298 - The 'Basic' and 'Digest' HTTP Authentication Schemes not compatible with RFC7617 and RFC7616 |
JBEAP-23013 | Security | WFCORE-5490 - Elytron Expression Resolution too late to handle system properties. |
JBEAP-23369 | Security | OpenSSL doesn't work with JDK 8 |
JBEAP-23085 | Server | ISPN-13549 - Data race in EntryWrappingInterceptor handling expired entries |
JBEAP-23104 | Transactions | WFLY-15945 - Performance regression when using the journal store with Narayana 5.12.4.Final |
JBEAP-22349 | Undertow | WFLY-14945 - JSP Compiler regression on most recent JDK17 EA build |
JBEAP-22861 | Undertow | UNDERTOW-2002 - StackOverflowError upon AJP read timeout |
JBEAP-23027 | Undertow | UNDERTOW-2015 - Undertow AJP listener does not ignore a query parameter whose name and value are both empty |
JBEAP-22320 | Undertow | WFLY-15117 - NullPointerException during server startup, when called by monitoring tool |
JBEAP-22921 | VFS | JBVFS - Delay openStream call for each entry in VirtualJarInputStream |
JBEAP-22819 | Web Console | HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console |
JBEAP-22744 | Web Console | HAL-1760 - Editing credential reference for mail server is not working |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.4-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.4-patch.zip"
These commands apply the update to the installation that contains the CLI script. Other scenarios, including use of the management console, are covered in the JBoss EAP 7.4 Patching And Upgrading Guide.
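The two commands above hand whatever archive they are given straight to the patch tool. The following POSIX shell script is an added example, not part of these release notes or of the EAP distribution: it checks the archive's SHA-256 against the checksum you copy from the download page (the `EXPECTED_SHA256` value here is a placeholder), applies the patch with the same CLI command from `JBOSS_HOME`, and then runs `patch info` so you can confirm which cumulative patch the installation now reports. The `JBOSS_HOME` default and the archive path are assumptions.

```shell
#!/bin/sh
# Added example (not from the release notes): verify the patch archive's
# checksum before handing it to jboss-cli, then confirm the applied patch.
set -eu

# Assumptions: JBOSS_HOME points at the installer/zip-based installation;
# EXPECTED_SHA256 is the digest copied from the Red Hat download page.
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-eap-7.4}"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}"   # placeholder

# sha256_of FILE: print the hex SHA-256 digest with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# checksum_ok FILE EXPECTED: succeed only if the digests match (case-insensitive).
checksum_ok() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# apply_patch ZIP: refuse an unverified archive, apply it from JBOSS_HOME as the
# release notes instruct, and print the patch state the CLI reports afterwards.
apply_patch() {
  zip="$1"
  if ! checksum_ok "$zip" "$EXPECTED_SHA256"; then
    echo "refusing to apply $zip: SHA-256 does not match EXPECTED_SHA256" >&2
    return 1
  fi
  # Resolve to an absolute path so the cd into JBOSS_HOME does not break it.
  zip="$(cd "$(dirname "$zip")" && pwd)/$(basename "$zip")"
  (cd "$JBOSS_HOME" && bin/jboss-cli.sh "patch apply $zip")
  # 'patch info' shows the cumulative patch id now recorded for the installation.
  (cd "$JBOSS_HOME" && bin/jboss-cli.sh "patch info")
}

# Usage: sh apply-eap-patch.sh path/to/jboss-eap-7.4.4-patch.zip
if [ "$#" -gt 0 ]; then
  apply_patch "$1"
fi
```

Run it with the patch archive as the only argument after exporting `EXPECTED_SHA256`; a mismatch stops the script before `jboss-cli.sh` is ever invoked, and the trailing `patch info` output is what you keep in the change record for the installation.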
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare-metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have a s390x build, see here for more details
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows building and deploying applications on OpenShift using the Helm package manager.
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs are deprecated in JBoss EAP 7.4 and will change in EAP 8 / Hibernate 6.