JBoss Enterprise Application Platform 7.0 Update 08 Release Notes
Important: This update is not the latest cumulative patch; it is recommended to apply the latest update. See these links for the latest:
Important: A regression was found in CP8 due to a bug fix, and it is recommended to use CP9 or later to avoid potential remoting hangs; see the EAP 7.0 CP9 Release Notes for more details.
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule, targeting a new release every 6 weeks.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.0 Update 07.
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2017-2582 | Security | SAML request parser replaces special strings with system properties |
| CVE-2014-9970 | Server | jasypt: Vulnerable to timing attack against the password hash comparison |
| CVE-2015-6644 | Web Services | bouncycastle: Information disclosure in GCMBlockCipher |
| CVE-2017-5645 | Server | log4j: Socket receiver deserialization vulnerability |
| CVE-2017-7536 | Server | hibernate-validator: Privilege escalation when running under the security manager |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-11895 | EE | The flushOnSessionInvalidation attribute is missing in the jboss-web schema and the parser |
| JBEAP-11519 | EJB | Race condition if timers overlap due to long-running execution and short schedules when database persistence is used |
| JBEAP-11954 | EJB | java.lang.IllegalArgumentException: Timestamp format must be yyyy-mm-dd hh:mm:ss[.fffffffff] when javax.ejb.ScheduleExpression.start(java.util.Date s) was invoked |
| JBEAP-11928 | JMS | JMSException needs serialVersionUID and to handle backwards compatibility |
| JBEAP-12040 | Logging | Initializing the SyslogHandler should not do a permissions check when setting the output stream |
| JBEAP-1719 | Logging | Log rotation fails on Windows if target already exists |
| JBEAP-12093 | Logging | Log rotations may break out of the loop too early for size rotations |
| JBEAP-10684 | Logging | StringIndexOutOfBoundsException thrown while formatting log with truncation |
| JBEAP-11998 | Logging | Monthly file rotation will continually overwrite the rotated log file |
| JBEAP-12544 | Naming | Remote Naming holding cache lock while closing, leading to thread pile-up |
| JBEAP-12472 | Naming | Bindings of most binding-types cannot be created in naming subsystem configuration in Web Console |
| JBEAP-10156 | Remoting | Authentication via remoting fails for larger requests, e.g. a long password |
| JBEAP-12032 | Remoting | Avoid Remoting resume/suspend read race on server |
| JBEAP-11779 | Security | @RunAsIdentity should cause authentication part to be skipped |
| JBEAP-11887 | Security | SP cannot parse SAML response if namespace is declared in root element |
| JBEAP-11927 | Web (Undertow) | Deployment fails if you add and remove SSO |
| JBEAP-9709 | Web (Undertow) | UNDERTOW-1011 Undertow doesn't process HTTPS request sometimes |
| JBEAP-11830 | Web (Undertow) | UNDERTOW-1020 AjpRequestParser does not output any log message when exceeding max-parameters/max-headers |
| JBEAP-11840 | Web (Undertow) | UNDERTOW-1035 Websocket non-clean close can cause IO thread to get stuck in a loop |
| JBEAP-10143 | Web (Undertow) | UNDERTOW-1040 Request scheme attribute is not writable |
| JBEAP-11835 | Web (Undertow) | UNDERTOW-1088 SPDY: SpdyClientConnection.sendRequest() shouldn't be synchronized |
| JBEAP-11843 | Web (Undertow) | UNDERTOW-1111 Undertow does not respect javax.servlet.SessionCookieConfig#getMaxAge contract |
| JBEAP-11845 | Web (Undertow) | UNDERTOW-1112 Potential memory leak with DeflatingStreamSinkConduit |
| JBEAP-10150 | Web (Undertow) | UNDERTOW-1021 AJP listener should log at DEBUG level when handling 400 Bad Request, e.g. wrong magic number and invalid Content-Length |
| JBEAP-12455 | Web (Undertow) | Call doGet in DefaultServlet.doPost |
| JBEAP-12407 | Web (Undertow) | Kerberos negotiation done in every request |
| JBEAP-11442 | Web (Undertow) | RFC6265 compliant cookie validation |
| JBEAP-11648 | Web (Undertow) | The flushOnSessionInvalidation attribute is not parsed correctly from jboss-web.xml |
| JBEAP-9874 | Web (Undertow) | UNDERTOW-884 FormAuthenticationMechanism.sendRedirect computes wrong location header value |
| JBEAP-11673 | Web (Undertow) | Static content under the jboss-web.xml overlay directory is not served correctly after the content is updated |
| JBEAP-12838 | Web (Undertow) | HttpSession.invalidate() requires additional permissions if Security Manager is enabled |
| JBEAP-12411 | Web Services | POJO WS not defaulting to Undertow default-security-domain |
| JBEAP-12241 | mod_cluster | mod_cluster not working with non-root user |
| JBEAP-10173 | mod_cluster | UNDERTOW-898 Failover targets should be chosen deterministically (Undertow) |
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```shell
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.0.8-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```bat
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.0.8-patch.zip"
```
These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.0 Patching and Upgrading Guide.