JBoss Enterprise Application Platform 7.2 Update 7 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
Notes:
- In addition to This content is not included.JBoss Enterprise Application Platform 7.2 Update 7, it is recommended to also apply this addtional This content is not included.patch here for CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability, as it was released after Update 7.
- If using AJP and custom request attributes, see How to allow AJP request attributes after applying the CVE-2020-1745 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 7.2 Update 7+ as they will not be allowed by default after the CVE fix.
- JBoss EAP 7.2 CP7 contains some bug fixes that did not make it into EAP 7.3 GA, it is recommended you wait for EAP 7.3 CP1 before updating when it will be back in sync.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 06
Download This content is not included.JBoss Enterprise Application Platform 7.2 Update 7
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-0205 | MP OpenTracing | thrift: Endless loop when feed with specific input data |
| CVE-2019-10086 | Server | apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default |
| CVE-2019-20445 | JMS | netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header |
| CVE-2019-20444 | JMS | netty: HTTP request smuggling |
| CVE-2019-12400 | Web Services | xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source |
| CVE-2020-7238 | JMS | netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling |
| CVE-2019-14887 | Security | The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use |
| CVE-2019-0210 | MP OpenTracing | thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| Content from issues.jboss.org is not included.JBEAP-13981 | JAXB Unmarshaller tries to instantiate abstract class ignoring xsi:type if it is a list element | |
| Content from issues.jboss.org is not included.JBEAP-18317 | ActiveMQ | After messaging migration from EAP 6 to 7 it's impossible to remove sf.* queues |
| Content from issues.jboss.org is not included.JBEAP-18230 | ActiveMQ | WFLY-12859 - Acceptor is open after broker starts but before queues are created resulting in QUEUE_DOES_NOT_EXIST message=AMQ229017 (the queue is in the standalone.xml file) |
| Content from issues.jboss.org is not included.JBEAP-17451 | ActiveMQ | ENTMQBR-2759 - ARTEMIS-2451 - Eliminate knownDestinations cache |
| Content from issues.jboss.org is not included.JBEAP-17745 | CDI / Weld | @PreDestroy not called on view scoped using CDI. |
| Content from issues.jboss.org is not included.JBEAP-18033 | CDI / Weld | WFLY-12805 - Loading JTSSynchronizationWrapper gets NoClassDefFoundError: org/jboss/as/naming/context/NamespaceContextSelector [details] |
| Content from issues.jboss.org is not included.JBEAP-18416 | Clustering | HttpSessionListener.sessionDestroyed event can deadlock if it attempts write operations on a session |
| Content from issues.jboss.org is not included.JBEAP-18403 | Clustering | ISPN-11116 - Invalidation commands should not load the previous value from the store |
| Content from issues.jboss.org is not included.JBEAP-18111 | Clustering | JSF is Holding a Lock on an Object While Calling HttpSession.setAttribute on that Object. |
| Content from issues.jboss.org is not included.JBEAP-5947 | EJB | Server should verify EJB business methods during deployment and log a warning |
| Content from issues.jboss.org is not included.JBEAP-18369 | EJB | Calling Asynchronous EJB will use the propagated caller transaction which is not according to the specification |
| Content from issues.jboss.org is not included.JBEAP-18004 | EJB | WEJBHTTP-31 - WildFlyClientInputStream waits for -1 when dealing with an exception result |
| Content from issues.jboss.org is not included.JBEAP-18162 | EJB | WEJBHTTP-32 - Remote duplicate notifyAll call from WildflyClientInputStream read listener after -1 is read |
| Content from issues.jboss.org is not included.JBEAP-18233 | EJB | WFLY-12871 - System Exception (EJBException) should be thrown instead of ApplicationException when rollback=false |
| Content from issues.jboss.org is not included.JBEAP-17486 | Hibernate | HHH-13433 HHH-13737 EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| Content from issues.jboss.org is not included.JBEAP-18123 | Hibernate | HHH-13651 HHH-13675 NPE on flushing when ElementCollection field contains null element |
| Content from issues.jboss.org is not included.JBEAP-17709 | Hibernate | HHH-12858 HHH-13432 Unable to dynamically set datasource when creating an entity manager factory [details] |
| Content from issues.jboss.org is not included.JBEAP-17982 | JCA | JBJCA-1396 - getConnection in UserTransaction returned closed connection after XAResource#commit() failed on same thread |
| Content from issues.jboss.org is not included.JBEAP-18224 | JCA | JBJCA-1398 - Connection leak when there is an exception during getConnection for NoTransaction resource adapter [details] |
| Content from issues.jboss.org is not included.JBEAP-18232 | JCA | JBJCA-1399 - IJ000608 warnings of connections in excess of max-pool-size when using a capacity incrementer |
| Content from issues.jboss.org is not included.JBEAP-17046 | JPA / Hibernate | HHH-13433 - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| Content from issues.jboss.org is not included.JBEAP-17971 | JSF | Mojarra Issue 4650 / ArrayIndexOutOfBoundsException with index -2 in HtmlResponseWriter.writeUnescapedCData(...) |
| Content from issues.jboss.org is not included.JBEAP-18354 | JSF | Mojarra-4500 - NPE when determining converter for primitive values [details] |
| Content from issues.jboss.org is not included.JBEAP-18573 | MP OpenTracing | WFLY-12486 - Memory leak in OpenTracing when deployment is redeployed multiple times |
| Content from issues.jboss.org is not included.JBEAP-17865 | Management | WFCORE-4733 - Server stops after switching from 'local' DC to 'remote' DC |
| Content from issues.jboss.org is not included.JBEAP-17852 | Management | HAL-1649 - HAL Management Console black screen - Syntax Error in polyfill.min.js with IE 11 [details] |
| Content from issues.jboss.org is not included.JBEAP-17804 | Security | File UploadMultipart does not work for files greater than 10 kB with PicketLink SSO is enabled [details] |
| Content from issues.jboss.org is not included.JBEAP-18122 | Security | File upload (multipart) with Picketlink fails with sizes over 20k (using Apache Commons FileUpload) [details] |
| Content from issues.jboss.org is not included.JBEAP-18460 | Security | InputStream is empty if getParameter is called in deployment with Picketlink which causes fileupload to fail with sizes over 20k |
| Content from issues.jboss.org is not included.JBEAP-17658 | Security | WFLY-12518 - ConnectionSecurityContext.getConnectionPrincipals leads to IllegalStateException getConnectionPrincipals [details] |
| Content from issues.jboss.org is not included.JBEAP-18154 | Server | WFCORE-4768 - WFLYIO001: Worker 'default' has auto-configured to 24 core threads should be IO threads |
| Content from issues.jboss.org is not included.JBEAP-15990 | Web (Undertow) | WFLY-11481 - EL expressions that contain unnecessary parentheses fail |
| Content from issues.jboss.org is not included.JBEAP-18674 | Web (Undertow) | wildfly-openssl can not load library wfssl on RHEL6 |
| Content from issues.jboss.org is not included.JBEAP-18102 | Web Console | HAL-1627 - Web management console shows internal error on infinispan configuration page |
| Content from issues.jboss.org is not included.JBEAP-18118 | Web Console | HAL-1646 - GUI has the wrong focus when switching between profiles [details] |
| Content from issues.jboss.org is not included.JBEAP-18149 | Web Console | HAL-1647 - JVM option is saved multiple times [details] |
| Content from issues.jboss.org is not included.JBEAP-16746 | Web Services | Stax maxAttributeSize is only vaguely respected |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.7-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.7-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide
Notes
-
JBoss EAP 7.2 CP7 contains some bug fixes that did not make it into EAP 7.3 GA, it is recommended you wait for EAP 7.3 CP1 before updating when it will be back in sync.
-
SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user defined SOAP Handlers, if this happens the SOAP Handler should be updated to work with SAAJ 1.4 and the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated, see more details.
-
The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.