JBoss Enterprise Application Platform 7.2 Update 4 Release Notes
To better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update contains a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 03.
Download: JBoss Enterprise Application Platform 7.2 Update 4
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-12384 | Server | jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution |
| CVE-2019-12086 | Server | jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server |
| CVE-2019-10184 | Undertow | undertow: Information leak in requests for directories without trailing slashes |
| CVE-2019-14379 | Server | jackson-databind: default typing mishandling leading to remote code execution |
| CVE-2019-10202 | Server | codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities |
| CVE-2019-10212 | Undertow | undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files |
| CVE-2019-19343 | Remoting | undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely |
| CVE-2019-12814 | Server | jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-17398 | | CONF0005: Unexpected element "interceptor" in namespace "urn:jboss:wildfly-client-ejb:3.1" |
| JBEAP-17161 | | JGRP-2350 - TCP: connection close can block when send() blocks on full TCP send-window |
| JBEAP-17163 | | WFCORE-4569 - SaslException: Authentication failed when XA Recovery tries to call remote server |
| JBEAP-17061 | | WFLY-12216 - Log WARN if application specifies @RunAsPrincipal and not @RunAs |
| JBEAP-16372 | ActiveMQ | ARTEMIS-2290 - JMSBridge fails to stop after throwing an error |
| JBEAP-16371 | ActiveMQ | ARTEMIS-2291 - JMSBridge fails to stop |
| JBEAP-14032 | ActiveMQ | ARTEMIS-2069 - Backup doesn't activate after shared store is reconnected |
| JBEAP-17342 | ActiveMQ | ARTEMIS-2313 - Accumulation in HierarchicalObjectRepository cache |
| JBEAP-16972 | ActiveMQ | ENTMQBR-2494 - IndexOutOfBoundsException from CoreMessage.sendBuffer_1X(CoreMessage.java:313) |
| JBEAP-17300 | ActiveMQ | ENTMQBR-2711 - ARTEMIS-2439 - ServerSessionImpl cache does not clear names of deleted temporary destinations |
| JBEAP-16896 | ActiveMQ | java.net.URISyntaxException: Illegal character in opaque part at index 7: file:C:\Java\jboss\jboss-as\standalone\configuration/logging.properties |
| JBEAP-17292 | CDI / Weld | WELD-2592 - Jandex index retention on Weld |
| JBEAP-16628 | CLI | WFCORE-4389 - deploy fails in batch when operation is validated |
| JBEAP-16788 | CLI | WFCORE-4460 - jboss-cli.sh doesn't return JSON when the output command is 'failed' |
| JBEAP-17352 | Clustering | ISPN-10323 - Non-transactional queries don't update the query cache |
| JBEAP-17120 | EJB | Server-server EJB transactional invocation rolls back if MDB calls remote EJB and JBOSS-LOCAL-USER auth is not possible |
| JBEAP-17295 | EJB | Skip redundant put operations when distributable SFSBs use local, non-persistent cache configuration |
| JBEAP-17348 | EJB | WFLY-12352 - Distributable SFSB creation unnecessarily checks passivation store |
| JBEAP-3432 | EJB | IllegalStateException "not in a valid state to be invoking cache operations on" in two cluster test |
| JBEAP-17172 | EJB | DatabaseTimerPersistence does not detect mssql driver type |
| JBEAP-17377 | EJB | Immediately call receiveMessage() so requests can be deserialized in parallel |
| JBEAP-17137 | EJB | EJBCLIENT-339 - Remove some doPrivileged calls |
| JBEAP-17036 | EJB | "Failed to reinstate timer" warning is shown when creating large number of EJB timers |
| JBEAP-17210 | EJB | CallerPrincipal will be anonymous (randomly) if EJB2 is called |
| JBEAP-15448 | EJB | EJBCLIENT-305 - Unable to configure 'maximumConnectedClusterNodes' |
| JBEAP-16895 | EJB | EJBCLIENT-333 - Unable to invoke any EJB of the same module after failure of a SFSB in that module |
| JBEAP-17261 | EJB | EJBCLIENT-342 - EJBInvocationClientContext.getResult should notify others only if there are waiters |
| JBEAP-16149 | EJB | JBREM000308: Authentication failed (no mechanisms left) when EJB invocations across servers are done with programmatic auth |
| JBEAP-16651 | EJB | Transactional remote-outbound-connection to an older version results in an ARJUNA016045 WARN message |
| JBEAP-16793 | EJB | XNIO-339 - Standalone EJB Client using Remote UserTransaction can hang if there are more than 15 concurrent client threads |
| JBEAP-17350 | Hibernate | HHH-13026 - Fix link to Infinispan documentation section regarding Hibernate 2LC |
| JBEAP-16784 | Hibernate | HHH-13357 HHH-13557 HHH-13558 - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones |
| JBEAP-17290 | Hibernate | HHH-13379 - Regression of Instant serialization |
| JBEAP-17297 | Hibernate | HHH-13514 / HHH-13525 - Calling the wrong method inside SessionDelegatorBaseImpl#createStoredProcedureQuery |
| JBEAP-17402 | Hibernate | HHH-13574 - SybaseASE does not support PARTITION BY |
| JBEAP-17488 | Hibernate | HHH-13590 - TransientObjectException merging a non-proxy association to a HibernateProxy |
| JBEAP-17213 | Hibernate | HHH-11032 - Improve performance of PersistentBag.equalsSnapshot |
| JBEAP-16979 | Hibernate | HHH-13416 - Unguarded debug message being rendered in org.hibernate.engine.internal.Collections.processReachableCollection |
| JBEAP-17017 | Hibernate | HHH-13424 HHH-13550 - Table nullability should not depend on JpaCompliance.isJpaCacheComplianceEnabled() |
| JBEAP-17110 | Hibernate | HHH-13466 - ClassCastException when changing a collection association to a set if @PreUpdate listener exists |
| JBEAP-17169 | Hibernate | HHH-13492 - OptimisticLockException after lock, refresh, merge in a transaction |
| JBEAP-17283 | Hibernate | Miscellaneous performance improvements |
| JBEAP-17380 | IO | WFCORE-4600 - Memory leak caused by ByteBufferSlicePool usage |
| JBEAP-16825 | JCA | JBJCA-1389 - NullPointerException raised when calling isWrapperFor(...) on a closed connection |
| JBEAP-16986 | JCA | JBJCA-1390 - BlockingFailureCount not tracking IJ000655 errors in SemaphoreConcurrentLinkedDequeManagedConnectionPool |
| JBEAP-17070 | JCA | JBJCA-1391 - SQLException.getSQLState() and getCause() are null with XADatasource connection for PostgreSQL during network failure |
| JBEAP-16921 | JCA | The expression for the value of share-prepared-statements does not work in XA datasource |
| JBEAP-17259 | JCA | WFLY-12318 - SecurityManager push/pull is expensive |
| JBEAP-17332 | JCA | WFLY-12344 - SecurityManager push/pull is expensive also for datasources |
| JBEAP-17287 | JMS | The subscribed topic is removed if reconnecting to messaging system with legacy-connection-factory |
| JBEAP-17367 | JMS | ENTMQBR-2711 - ARTEMIS-2449 - Limit size of producer details |
| JBEAP-17111 | JMS | HornetQ client issue while using JMSMessageID as selector with EAP 7 |
| JBEAP-16990 | JMS | Set bridgeName while creating JMSBridge on server |
| JBEAP-17310 | JMS | Lost messages in scenario with a remote MDB and a long GC pause |
| JBEAP-17323 | JMS | Shutdown of server with remote JCA MDB hangs |
| JBEAP-16988 | JMX | WFCORE-4561 - JMX audit log does not show operation parameters |
| JBEAP-17369 | JPA/Hibernate | WFLY-12365 - WildFlyCustomJtaPlatform does not cache TSR for manually bootstrapped Hibernate apps |
| JBEAP-16460 | JSF | WFLY-6918 - Unnecessary NoSuchMethodException during JSF app deployment |
| JBEAP-17186 | JSF | Deployment fails if de.odysseus.juel is included in the WAR |
| JBEAP-17227 | JSF | Mojarra 4596 - Scripts with CDATA cause "empty response" error on Ajax render |
| JBEAP-17157 | JSF | Mojarra Issue 3042 / Partial rendering: insufficient CDATA encoding (XSS) |
| JBEAP-17019 | JSF | Protected JSF page cannot be accessed with port 80 |
| JBEAP-17266 | Logging | JBLOGGING-141 - At Logger.getMessageLogger, safeguard the doPrivileged call by a SecurityManager check |
| JBEAP-17267 | Logging | LOGMGR-258 - Safeguard doPrivileged calls by a SecurityManager-is-null check |
| JBEAP-17255 | MSC | Deprecate ServiceBuilder.addAliases() in favor of ServiceBuilder.provides() |
| JBEAP-17253 | MSC | Ensure ReadableValueImpl and WritableValueImpl fields visibility |
| JBEAP-17251 | MSC | MSC-245 - ServiceContainerImpl.registry is leaking memory resources |
| JBEAP-16214 | Management | WFCORE-4283 - Web management console reports 500 error while domain host controller is in bootup |
| JBEAP-16801 | Management | WFCORE-4440 - Changes made via CLI in static-discovery are not reflected in host.xml |
| JBEAP-17177 | Management | WFLY-11617 - Incorrect default transaction type was shown in the JBoss CLI and validation is not working |
| JBEAP-17524 | Naming | WFLY-12472 - NullPointerException in JndiNamingDependencyProcessor |
| JBEAP-17140 | OpenShift | Session reset after scaling down EAP pod in cluster on OpenShift |
| JBEAP-17082 | OpenShift | EAP CP images are too big compared to 7.x.0 images |
| JBEAP-17280 | Patching | WFCORE-4586 - patch apply ... --override-all does not work if layer module is corrupted |
| JBEAP-17069 | REST | JBEE-204 - ClassNotFoundException over org.glassfish.jersey.client.JerseyClientBuilder when sec-mgr is enabled |
| JBEAP-17381 | Remoting | REM3-342 - Optimization at RemoteConnection.RemoteWriteListener.send breaks SSL |
| JBEAP-16363 | Remoting | XNIO-317 - Introduce API to clean ThreadLocal caches from ByteBufferSlicePool |
| JBEAP-17260 | Remoting | JBMAR-227 - River marshalling impacts performance of ejb-client |
| JBEAP-17317 | Remoting | JBMAR-229 - Don't run doPrivileged if not needed in RiverUnmarshaller |
| JBEAP-17279 | Remoting | REM-340 - Attempt to write directly instead of resuming writes |
| JBEAP-17139 | Remoting | REM3-338 - RemoteConnection keep-alive algorithm creates a new task at every write event |
| JBEAP-17138 | Remoting | REM3-339 - Reduce context switching per request |
| JBEAP-17275 | Remoting | REM3-341 - EndpointImpl uses doPrivileged when SecurityManager is null |
| JBEAP-17337 | Security | PicketBox: Change use of HTTP download locations to HTTPS |
| JBEAP-17383 | Security | Default AuthenticationContext is a static with undefined behaviour |
| JBEAP-17263 | Security | ELY-1854 - Add the ability to specify whether or not the AccessControlContext should be captured by using a system property called "wildfly.elytron.capture.access.control.context" |
| JBEAP-17262 | Security | ELY-1855 - Update AuthenticationConfiguration#useAuthorizationPrincipal to avoid needing an extra call to AuthenticationConfiguration#useForwardedAuthorizationIdentity |
| JBEAP-17123 | Security | Encrypted non-normalized assertion causes ClassCastException |
| JBEAP-17328 | Security | Need to handle InputStream after PicketLink authentication |
| JBEAP-17319 | Security | SECURITY-1002 - doPrivileged is used even when no security manager is present |
| JBEAP-17336 | Security | SECURITY-1003 - SubjectActions uses AccessController.doPrivileged even when no security manager is present |
| JBEAP-17340 | Security | SECURITY-1004 - Allow the ** role to be disabled |
| JBEAP-17318 | Security | WFLY-12340 - SimpleSecurityManager uses AccessController.doPrivileged even if the SM is not checking |
| JBEAP-16145 | Server | unsecure interfaces / iiop does not log when binding port |
| JBEAP-14310 | Server | WFCORE-3670 - Module defined with an alias in jboss-deployment-structure.xml fails to parse when annotations=true |
| JBEAP-17379 | Transactions | WFLY-11849 - Narayana XTS txbridge not permitting to start transaction when no timeout is set |
| JBEAP-17264 | Transactions | WFTC-73 - Remove the use of doPrivileged if SecurityManager is null |
| JBEAP-17316 | Transactions | JBTM-3165 - Don't create the EnumSet and TransactionEvent unless it is required |
| JBEAP-17322 | Transactions | JBTM-3166 - TransactionListeners should not be enabled by default |
| JBEAP-16731 | Transactions | WFLY-10351 - Clean up BMTInterceptor |
| JBEAP-13598 | Transactions | WFLYTX0001: Unable to roll back active transaction thrown for EJB bridge transactions |
| JBEAP-17265 | Transactions | WFTC-72 - Remove use of a global lock and lock per transaction |
| JBEAP-14074 | Undertow | OutOfMemoryError: Direct buffer memory when repeating reload |
| JBEAP-16546 | Undertow | UNDERTOW-1507 - Undertow mod_cluster proxy: NullPointerException on jvmKill-based failover among worker nodes using SSL |
| JBEAP-17296 | Undertow | Skip redundant put operations when distributable web sessions use local, non-persistent cache configuration |
| JBEAP-16826 | Undertow | UNDERTOW-1567 - Redirect to absolute URL with special characters broken |
| JBEAP-17104 | Undertow | UNDERTOW-1569 - HttpServletRequest getLocalName() returns IP instead of hostname |
| JBEAP-17188 | Undertow | UNDERTOW-1575 - HttpServletRequest.getRequestedSessionID() incorrectly returns a newly generated session ID instead of the requested ID in EAP 7 when using URL session tracking |
| JBEAP-17308 | Undertow | Undertow/XNIO file watch service can prune all file change events and fail to invoke FileChangeCallback |
| JBEAP-17282 | Web Console | HAL-1618 - Support changed lifecycle hosts / servers |
| JBEAP-16757 | Web Console | EAP 7.2 management console adds incorrect JVM parameters which include a comma |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.4-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.4-patch.zip"
These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.