JBoss Enterprise Application Platform 7.2 Update 4 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: "Maintenance Release Changes in EAP 6.2+" and "Updated Patch Management with EAP 6.2+".
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 03.
Download JBoss Enterprise Application Platform 7.2 Update 4
This update includes fixes for the following security-related issues:
ID | Component | Summary |
---|---|---|
CVE-2019-12384 | Server | jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution |
CVE-2019-12086 | Server | jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server |
CVE-2019-10184 | Undertow | undertow: Information leak in requests for directories without trailing slashes |
CVE-2019-14379 | Server | jackson-databind: default typing mishandling leading to remote code execution |
CVE-2019-10202 | Server | codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities |
CVE-2019-10212 | Undertow | undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files |
CVE-2019-19343 | Remoting | undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely |
CVE-2019-12814 | Server | jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
JBEAP-17398 | | CONF0005: Unexpected element "interceptor" in namespace "urn:jboss:wildfly-client-ejb:3.1" |
JBEAP-17161 | | JGRP-2350 - TCP: connection close can block when send() blocks on full TCP send-window |
JBEAP-17163 | | WFCORE-4569 - SaslException: Authentication failed when XA Recovery tries to call remote server |
JBEAP-17061 | | WFLY-12216 - Log WARN if application specifies @RunAsPrincipal and not @RunAs |
JBEAP-16372 | ActiveMQ | ARTEMIS-2290 JMSBridge fails to stop after throwing an error |
JBEAP-16371 | ActiveMQ | ARTEMIS-2291 JMSBridge fails to stop |
JBEAP-14032 | ActiveMQ | ARTEMIS-2069 - Backup doesn't activate after shared store is reconnected |
JBEAP-17342 | ActiveMQ | ARTEMIS-2313 - Accumulation in HierarchicalObjectRepository cache |
JBEAP-16972 | ActiveMQ | ENTMQBR-2494 IndexOutOfBoundsException from CoreMessage.sendBuffer_1X(CoreMessage.java:313) |
JBEAP-17300 | ActiveMQ | ENTMQBR-2711 - ARTEMIS-2439 - ServerSessionImpl cache does not clear names of deleted temporary destinations |
JBEAP-16896 | ActiveMQ | java.net.URISyntaxException: Illegal character in opaque part at index 7: file:C:\Java\jboss\jboss-as\standalone\configuration/logging.properties |
JBEAP-17292 | CDI / Weld | WELD-2592 - Jandex index retention on Weld |
JBEAP-16628 | CLI | WFCORE-4389 - deploy fails in batch when operation is validated |
JBEAP-16788 | CLI | WFCORE-4460 - jboss-cli.sh doesn't return json when the output command is 'failed' |
JBEAP-17352 | Clustering | ISPN-10323: Non-transactional queries don't update the query cache |
JBEAP-17120 | EJB | Server-server EJB transactional invocation rolls back if MDB call remote EJB and JBOSS-LOCAL-USER auth is not possible |
JBEAP-17295 | EJB | Skip redundant put operations when distributable SFSBs use local, non-persistent cache configuration |
JBEAP-17348 | EJB | WFLY-12352 - Distributable SFSB creation unnecessarily checks passivation store |
JBEAP-3432 | EJB | IllegalStateException "not in a valid state to be invoking cache operations on" in two cluster test |
JBEAP-17172 | EJB | DatabaseTimerPersistence does not detect mssql driver type |
JBEAP-17377 | EJB | Immediately call receiveMessage() so requests can be deserialized in parallel |
JBEAP-17137 | EJB | EJBCLIENT-339 - Remove some doPrivileged calls |
JBEAP-17036 | EJB | "Failed to reinstate timer" warning is shown when creating large number of EJB timers |
JBEAP-17210 | EJB | CallerPrincipal will be anonymous (randomly) if EJB2 is called |
JBEAP-15448 | EJB | EJBCLIENT-305 - Unable to configure 'maximumConnectedClusterNodes' |
JBEAP-16895 | EJB | EJBCLIENT-333 - Unable to invoke any EJB of the same module after failure of a SFSB in that module |
JBEAP-17261 | EJB | EJBCLIENT-342 - EJBInvocationClientContext.getResult should notify others only if there are waiters |
JBEAP-16149 | EJB | JBREM000308: Authentication failed (no mechanisms left) when EJB invocations across servers are done with programmatic auth |
JBEAP-16651 | EJB | Transactional remote-outbound-connection to an older version results in an ARJUNA016045 WARN message |
JBEAP-16793 | EJB | XNIO-339 - Standalone EJB Client using Remote UserTransaction can hang if there are more than 15 concurrent client threads |
JBEAP-17350 | Hibernate | HHH-13026 - Fix link to Infinispan documentation section regarding Hibernate 2LC |
JBEAP-16784 | Hibernate | HHH-13357 HHH-13557 HHH-13558 OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones |
JBEAP-17290 | Hibernate | HHH-13379 - Regression of Instant serialization |
JBEAP-17297 | Hibernate | HHH-13514 / HHH-13525 - Calling the wrong method inside SessionDelegatorBaseImpl#createStoredProcedureQuery |
JBEAP-17402 | Hibernate | HHH-13574 - SybaseASE does not support PARTITION BY |
JBEAP-17488 | Hibernate | HHH-13590 - TransientObjectException merging a non-proxy association to a HibernateProxy |
JBEAP-17213 | Hibernate | HHH-11032 - Improve performance of PersistentBag.equalsSnapshot |
JBEAP-16979 | Hibernate | HHH-13416 - Unguarded debug message being rendered in org.hibernate.engine.internal.Collections.processReachableCollection |
JBEAP-17017 | Hibernate | HHH-13424 HHH-13550: Table nullability should not depend on JpaCompliance.isJpaCacheComplianceEnabled() |
JBEAP-17110 | Hibernate | HHH-13466 - ClassCastException when changing a collection association to a set if @PreUpdate listener exists |
JBEAP-17169 | Hibernate | HHH-13492 - OptimisticLockException after lock, refresh, merge in a transaction |
JBEAP-17283 | Hibernate | Miscellaneous performance improvements |
JBEAP-17380 | IO | WFCORE-4600 - Memory leak caused by ByteBufferSlicePool usage |
JBEAP-16825 | JCA | JBJCA-1389 - NullPointerException raised when calling isWrapperFor(...) on a closed connection |
JBEAP-16986 | JCA | JBJCA-1390 - BlockingFailureCount not tracking IJ000655 errors in SemaphoreConcurrentLinkedDequeManagedConnectionPool |
JBEAP-17070 | JCA | JBJCA-1391 - SQLException.getSQLState() and getCause() are null with XADatasource connection for postgresql during network failure |
JBEAP-16921 | JCA | The expression for the value of share-prepared-statements does not work in XA datasource. |
JBEAP-17259 | JCA | WFLY-12318 - SecurityManager push/pull is expensive |
JBEAP-17332 | JCA | WFLY-12344 - SecurityManager push/pull is expensive also for datasources |
JBEAP-17287 | JMS | The subscribed topic is removed if reconnecting to messaging system with legacy-connection-factory |
JBEAP-17367 | JMS | ENTMQBR-2711 - ARTEMIS-2449 - Limit size of producer details |
JBEAP-17111 | JMS | HornetQ client issue while using JMSMessageID as selector with EAP 7 |
JBEAP-16990 | JMS | Set bridgeName while creating JMSBridge on server |
JBEAP-17310 | JMS | Lost messages in scenario with a remote MDB and a long GC pause. |
JBEAP-17323 | JMS | Shutdown of server with remote JCA MDB hangs |
JBEAP-16988 | JMX | WFCORE-4561 - JMX audit log does not show operation parameters |
JBEAP-17369 | JPA/Hibernate | WFLY-12365 - WildFlyCustomJtaPlatform does not cache TSR for manually bootstrapped hibernate apps |
JBEAP-16460 | JSF | WFLY-6918 - Unnecessary NoSuchMethodException during JSF app deployment |
JBEAP-17186 | JSF | Deployments fails if de.odysseus.juel is included in the war |
JBEAP-17227 | JSF | Mojarra 4596 - Scripts with CDATA cause "empty response" error on Ajax render |
JBEAP-17157 | JSF | Mojarra Issue 3042 / Partial rendering: insufficient CDATA encoding (XSS) |
JBEAP-17019 | JSF | Protected JSF page cannot be accessed with port 80 |
JBEAP-17266 | Logging | JBLOGGING-141 - At Logger.getMessageLogger, safeguard the doPrivileged call by a SecurityManager check |
JBEAP-17267 | Logging | LOGMGR-258 - Safeguard doPrivileged calls by a SecurityManager is null check |
JBEAP-17255 | MSC | Deprecate ServiceBuilder.addAliases() in favor of ServiceBuilder.provides() |
JBEAP-17253 | MSC | Ensure ReadableValueImpl and WritableValueImpl fields visibility |
JBEAP-17251 | MSC | MSC-245 - ServiceContainerImpl.registry is leaking memory resources |
JBEAP-16214 | Management | WFCORE-4283 - Web management console reports 500 error while domain host controller is in bootup |
JBEAP-16801 | Management | WFCORE-4440 - Changes made via CLI in static-discovery are not reflected in host.xml |
JBEAP-17177 | Management | WFLY-11617 - Incorrect default transaction type was shown in the JBoss CLI and validation is not working |
JBEAP-17524 | Naming | WFLY-12472 - NullPointerException in JndiNamingDependencyProcessor |
JBEAP-17140 | OpenShift | Session reset after scaling down EAP pod in cluster on Openshift |
JBEAP-17082 | OpenShift | EAP CP images are too big compared to 7.x.0 images |
JBEAP-17280 | Patching | WFCORE-4586 - patch apply ... --override-all does not work if layer module is corrupted |
JBEAP-17069 | REST | JBEE-204 - ClassNotFoundException over org.glassfish.jersey.client.JerseyClientBuilder when sec-mgr is enabled |
JBEAP-17381 | Remoting | REM3-342 - Optimization at RemoteConnection.RemoteWriteListener.send breaks SSL |
JBEAP-16363 | Remoting | XNIO-317 - Introduce API to clean ThreadLocal caches from ByteBufferSlicePool |
JBEAP-17260 | Remoting | JBMAR-227 - River marshalling impacts performance of ejb-client |
JBEAP-17317 | Remoting | JBMAR-229 - Don't run doPrivileged if not needed in RiverUnmarshaller |
JBEAP-17279 | Remoting | REM-340 - Attempt to write directly instead of resuming writes |
JBEAP-17139 | Remoting | REM3-338 - RemoteConnection keep alive algorithm creates a new task at every write event |
JBEAP-17138 | Remoting | REM3-339 - Reduce context switching per request |
JBEAP-17275 | Remoting | REM3-341 - EndpointImpl uses doPrivileged when SecurityManager is null |
JBEAP-17337 | Security | PicketBox : Change use of HTTP download locations to HTTPS |
JBEAP-17383 | Security | Default AuthenticationContext is a static with undefined behaviour |
JBEAP-17263 | Security | ELY-1854 - Add the ability to specify whether or not the AccessControlContext should be captured by using a system property called "wildfly.elytron.capture.access.control.context" |
JBEAP-17262 | Security | ELY-1855 - Update AuthenticationConfiguration#useAuthorizationPrincipal to avoid needing an extra call to AuthenticationConfiguration#useForwardedAuthorizationIdentity |
JBEAP-17123 | Security | Encrypted non-normalized assertion causes ClassCastException |
JBEAP-17328 | Security | Need to handle InputStream after picketlink authentication |
JBEAP-17319 | Security | SECURITY-1002 - doPrivileged is used even when no security manager is present |
JBEAP-17336 | Security | SECURITY-1003 - SubjectActions uses AccessController.doPrivileged even when no security manager is present |
JBEAP-17340 | Security | SECURITY-1004 - Allow the ** role to be disabled |
JBEAP-17318 | Security | WFLY-12340 - SimpleSecurityManager uses AccessController.doPrivileged even if the SM is not checking |
JBEAP-16145 | Server | unsecure interfaces / iiop does not log when binding port |
JBEAP-14310 | Server | WFCORE-3670 - module defined with an alias in jboss-deployment-structure.xml fails to parse when annotations=true |
JBEAP-17379 | Transactions | WFLY-11849 - Narayana XTS txbridge not permitting to start transaction when no timeout is set |
JBEAP-17264 | Transactions | WFTC-73 - Remove the use of doPrivileged if SecurityManager is null |
JBEAP-17316 | Transactions | JBTM-3165 - Don't create the EnumSet and TransactionEvent unless it is required |
JBEAP-17322 | Transactions | JBTM-3166 - TransactionListener's should not be enabled by default |
JBEAP-16731 | Transactions | WFLY-10351 - Clean up BMTInterceptor |
JBEAP-13598 | Transactions | WFLYTX0001: Unable to roll back active transaction thrown for EJB bridge transactions |
JBEAP-17265 | Transactions | WFTC-72 - Remove use of a global lock and lock per transaction |
JBEAP-14074 | Undertow | OutOfMemoryError: Direct buffer memory when repeating reload |
JBEAP-16546 | Undertow | UNDERTOW-1507 - Undertow mod_cluster proxy: NullPointerException on jvmKill based failover among worker nodes using SSL |
JBEAP-17296 | Undertow | Skip redundant put operations when distributable web sessions use local, non-persistent cache configuration |
JBEAP-16826 | Undertow | UNDERTOW-1567 - Redirect to absolute URL with special characters broken |
JBEAP-17104 | Undertow | UNDERTOW-1569 - HttpServletRequest getLocalName() returns IP instead of hostname |
JBEAP-17188 | Undertow | UNDERTOW-1575 - HttpServletRequest.getRequestedSessionID() is incorrectly returning a newly generated session ID instead of the requested ID in EAP 7 when using URL session tracking |
JBEAP-17308 | Undertow | Undertow/XNIO file watch service has a possibility to prune all file change events and miss invoking FileChangeCallback |
JBEAP-17282 | Web Console | HAL-1618 Support changed lifecycle hosts / servers |
JBEAP-16757 | Web Console | EAP 7.2 management console add incorrect JVM parameters which include a comma |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.4-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.4-patch.zip"
These commands apply the update to the installation that contains the CLI script. Other scenarios, including use of the management console, are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.