JBoss Enterprise Application Platform 7.2 Update 8 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
Notes:
- JBoss EAP 7.2 CP8 contains some bug fixes that did not make it into EAP 7.3 GA. It is recommended that you wait for EAP 7.3 CP1, when the two streams will be back in sync, before updating to 7.3.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 07.
Download: JBoss Enterprise Application Platform 7.2 Update 8
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-10172 | Server | jackson-mapper-asl: XML external entity similar to CVE-2016-3720 |
| CVE-2020-10719 | Web (Undertow) | invalid HTTP request with large chunk size |
| CVE-2020-1745 | Web (Undertow) | AJP File Read/Inclusion Vulnerability |
| CVE-2020-1757 | Web (Undertow) | servletPath is normalized incorrectly, leading to dangerous application mapping which could result in security bypass |
| CVE-2020-1732 | Security | Soteria: security identity corruption across concurrent threads |
| CVE-2020-1719 | EJB | EJBContext principal is not popped back after invoking another EJB using a different Security Domain |
| CVE-2019-17573 | Server | cxf: reflected XSS in the services listing page |
| CVE-2019-12423 | Web Services | cxf: OpenId Connect token service does not properly validate the clientId |
| CVE-2020-7226 | Web Services | cryptacular: excessive memory allocation during a decode operation |
| CVE-2020-10705 | Web (Undertow) | Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header |
| CVE-2020-1729 | MP Config | SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current thread's context class loader |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-18495 | | EJBCLIENT-365 - EJB client - env property takes no effect when value is an Integer rather than String |
| JBEAP-18496 | | WFNC-56 - Naming client - env property takes no effect when value is an Integer rather than String |
| JBEAP-19235 | | AjpRequestParser improvements |
| JBEAP-18839 | | ARTEMIS-2637 - Resilience around UDP Discovery |
| JBEAP-18762 | | ENTMQBR-3108 - ARTEMIS-2500 - LargeMessage doesn't make a full copy of its props |
| JBEAP-18739 | | SecurityDomainContextRealm is not caching passwords correctly |
| JBEAP-18927 | Clustering | Session attribute lost issue with the ATTRIBUTE replication-granularity + non-BATCH cache in a failover scenario |
| JBEAP-18410 | Clustering | Sessions timed out may continue to remain in the Java Heap. |
| JBEAP-18447 | Clustering | WFLY-12954 - Web sessions passivated on shutdown |
| JBEAP-18587 | Deployment Framework | REM3-352 - EJB client behaviour is different when deployed in a .war compared to a .ear and can result in an OOME |
| JBEAP-18391 | EE | WFLY-12947 - EL should coerce String to Integer in equals operation |
| JBEAP-18560 | EJB | WFLY-13009 - moduleAvailability message is sent before module has started |
| JBEAP-18357 | EJB | WFCORE-4803 - EJB Client authentication does not work using SASL DIGEST-MD5 and EXTERNAL mechanisms in Legacy security |
| JBEAP-18565 | EJB | EJBCLIENT-361 - DiscoveryEJBClientInterceptor: static blacklist |
| JBEAP-18763 | JMS | ARTEMIS-2513 - Large message's copy may be interfered with by other threads |
| JBEAP-19001 | JMS | Messages are being added to topic even if there are no subscribers |
| JBEAP-18832 | JMX | REMJMX-166 - IllegalThreadStateException after idle JMX connection |
| JBEAP-18814 | JSF | JSF IdMapper can create repeated ids in clustered environments causing: IllegalStateException with postback |
| JBEAP-18065 | JSF | WFLY-12869 - Remove "Multiple JSF Applications found on same ClassLoader" WARN |
| JBEAP-17499 | JSF | f:viewParam component only works for the first ajax request, but for the second ajax request and so forth the submitted value is null |
| JBEAP-15235 | Management | WFCORE-4764 - Availability of web console during the startup of the Domain Controller |
| JBEAP-18593 | Management | WFCORE-4830 - HCs (slaves) can not register to the DC (master) during DC and its servers start up |
| JBEAP-18544 | Modules | MODULES-378 - Symbolic links in config files are not working |
| JBEAP-18124 | OpenShift | Need to configure PREFIX_TX_ISOLATION with NONXA datasource on OpenShift |
| JBEAP-18663 | Patching | WFCORE-4596 - Write lock is acquired reading patching resource using include-runtime |
| JBEAP-7045 | Scripts | Startup error when started as system service |
| JBEAP-18917 | Security | Elytron LDAP Squashes Authentication Exception |
| JBEAP-18012 | Security | HAL-1651 - For slave node JVM instance which is running on another VM, start/stop and other options are not showing in EAP 7.2.4 in management console when RBAC is enabled. |
| JBEAP-18786 | Security | JASPIC module's initialize() is called multiple times |
| JBEAP-18531 | Security | Picketlink: TLS handshakes with ECDHE fail with Bouncy Castle and Java 11.0.5 |
| JBEAP-18426 | Security | WFLY-13161 - CLIENT-CERT login does not work in intermediate Elytron setup |
| JBEAP-19204 | Web (Undertow) | HTTP continue tests fail with HTTP2 in use |
| JBEAP-18201 | Web (Undertow) | WFLY-12822 - UNDERTOW-1623 - Undertow Deadlock |
| JBEAP-18378 | Web (Undertow) | UNDERTOW-1637 - HTTP 404 is returned when accessing protected application context resource without a trailing slash |
| JBEAP-18857 | Web (Undertow) | UNDERTOW-1661 - Exchange already complete when rendering a JSP. |
| JBEAP-18890 | Web (Undertow) | WFLYCLWEBUT0002 error occurs in first cross-context request creating a shared session |
| JBEAP-18657 | Web Console | HAL-1653 - Topology is not refreshed automatically after restarting the domain |
| JBEAP-18810 | Web Console | HAL-1670 - Cannot add Oracle URL to XA Datasource |
| JBEAP-18368 | Web Console | HAL-1669 - Cannot add IDP resource in keycloak-saml subsystem using EAP admin console |
| JBEAP-18650 | Web Console | WFCORE-4809 - Allow composite operation to read the model without needing to acquire the write lock in domain mode |
| JBEAP-18613 | Web Services | RESTEASY-2492 - RESTEASY-1986 - RESTEASY002030: Failed to write event org.jboss.resteasy.plugins.providers.sse.OutboundSseEventImpl@42adbd75: java.io.IOException: Broken pipe |
| JBEAP-18610 | mod_cluster | Application context is enabled in mod_cluster for servers that are started as suspended in JBoss EAP 7.2 |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```sh
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.8-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```bat
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.8-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.
Notes
- SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP Handlers. If this happens, the SOAP Handler should be updated to work with SAAJ 1.4; the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated.
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare metal installations on IBM zSeries are not supported.