JBoss Enterprise Application Platform 7.3 Update 1 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
Download: JBoss Enterprise Application Platform 7.3 Update 1
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2018-14371 | JSF | Mojarra: Path traversal via either the loc parameter or the con parameter |
| CVE-2019-10172 | Server | jackson-mapper-asl: XML external entity similar to CVE-2016-3720 |
| CVE-2020-10719 | Undertow | undertow: invalid HTTP request with large chunk size |
| CVE-2020-8840 | REST | jackson-databind: Lacks certain xbean-reflect/JNDI blocking |
| CVE-2020-9546 | REST | jackson-databind: Serialization gadgets in shaded-hikari-config |
| CVE-2020-9547 | REST | jackson-databind: Serialization gadgets in ibatis-sqlmap |
| CVE-2020-9548 | REST | jackson-databind: Serialization gadgets in anteros-core |
| CVE-2020-1719 | EJB | EJBContext principal is not popped back after invoking another EJB using a different Security Domain |
| CVE-2019-12423 | Web Services | cxf: OpenId Connect token service does not properly validate the clientId |
| CVE-2020-10688 | REST | resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack |
| CVE-2019-14887 | Security | wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use |
| CVE-2019-0210 | MP OpenTracing | thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol |
| CVE-2020-10705 | Undertow | undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header |
| CVE-2020-1729 | MP Config | SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current thread's context class loader |
| CVE-2020-1745 | Undertow | undertow: AJP File Read/Inclusion Vulnerability |
| CVE-2019-0205 | MP OpenTracing | thrift: Endless loop when feed with specific input data |
| CVE-2020-1757 | Undertow | undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass |
| CVE-2019-17573 | Server | cxf: reflected XSS in the services listing page |
| CVE-2020-7226 | Web Services | cryptacular: excessive memory allocation during a decode operation |
| CVE-2020-6950 | JSF | Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 |
| CVE-2020-1695 | REST | resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class |
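The practical use of the table above is vulnerability triage: given scanner findings for a JBoss EAP 7.3.0 host, which of them does Update 1 close, and which subsystems does the change touch? The following script is an added example, not Red Hat tooling. It parses a copy of a few rows from the table exactly as they appear on this page and cross-references them with a constructed list of scanner findings; `CVE-2099-12345` is a placeholder id that is deliberately not on the page.

```python
"""Triage scanner findings against the security-fix table on this page.
Added example (not Red Hat tooling): the table rows are copied from the
page above, the scanner finding list is constructed."""
import re
from collections import defaultdict

# Constructed input: a subset of rows copied verbatim from the table above.
RELEASE_NOTE_TABLE = """\
| ID | Component | Summary |
|---|---|---|
| CVE-2020-10719 | Undertow | undertow: invalid HTTP request with large chunk size |
| CVE-2020-9546 | REST | jackson-databind: Serialization gadgets in shaded-hikari-config |
| CVE-2020-1745 | Undertow | undertow: AJP File Read/Inclusion Vulnerability |
| CVE-2019-10172 | Server | jackson-mapper-asl: XML external entity similar to CVE-2016-3720 |
| CVE-2020-6950 | JSF | Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 |
"""

# One data row: "| CVE-id | component | summary |".  Header/separator rows
# do not start with a CVE id and therefore do not match.
ROW_RE = re.compile(r"^\|\s*(CVE-\d{4}-\d{4,})\s*\|\s*([^|]*?)\s*\|\s*(.*?)\s*\|$")


def parse_fix_table(text):
    """Map CVE id -> (component, summary) for every data row of the table.
    A CVE listed twice is a sign of a copy error in the source and is rejected."""
    fixes = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cve, component, summary = m.groups()
        if cve in fixes:
            raise ValueError(f"duplicate row for {cve}")
        fixes[cve] = (component, summary)
    return fixes


def triage(findings, fixes):
    """Split scanner findings into those the update closes and those it does not.
    Matching is case-insensitive on the CVE id; the component is kept so the
    change ticket can say which subsystem moved."""
    closed, still_open = {}, []
    for cve in findings:
        key = cve.strip().upper()
        if key in fixes:
            closed[key] = fixes[key]
        else:
            still_open.append(key)
    return closed, still_open


def components_touched(closed):
    """Group closed CVEs by component: this is the regression-test scope."""
    by_component = defaultdict(list)
    for cve, (component, _summary) in closed.items():
        by_component[component].append(cve)
    return {c: sorted(v) for c, v in by_component.items()}


# Constructed scanner output for a 7.3.0 host.  CVE-2099-12345 is a placeholder
# id that is not on this page, to exercise the "still open" path.
SCANNER_FINDINGS = ["cve-2020-1745", "CVE-2020-9546", "CVE-2020-10719", "CVE-2099-12345"]

if __name__ == "__main__":
    fixes = parse_fix_table(RELEASE_NOTE_TABLE)
    closed, still_open = triage(SCANNER_FINDINGS, fixes)
    for cve, (component, summary) in sorted(closed.items()):
        print(f"closed by 7.3.1  {cve:<15} {component:<9} {summary}")
    for cve in still_open:
        print(f"NOT in 7.3.1     {cve}")
    print("regression scope:", components_touched(closed))
```

Run it against the full table by pasting all rows into `RELEASE_NOTE_TABLE`; anything reported as "NOT in 7.3.1" needs a separate fix or a documented exception rather than being closed on the strength of this update.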
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-18501 | | WFNC-56 - Naming client - env property takes no effect when value is an Integer rather than String |
| JBEAP-18840 | | ARTEMIS-2637 - Resilience around UDP Discovery |
| JBEAP-18293 | | JAXB Unmarshaller tries to instantiate abstract class ignoring xsi:type if it is a list element |
| JBEAP-18738 | | SecurityDomainContextRealm is not caching passwords correctly |
| JBEAP-18304 | | WEJBHTTP-32 - Remote duplicate notifyAll call from WildflyClientInputStream read listener after -1 is read |
| JBEAP-18316 | ActiveMQ | ENTMQBR-2759 - ARTEMIS-2451 - Eliminate knownDestinations cache |
| JBEAP-18342 | ActiveMQ | WFLY-12859 - Acceptor is open after broker starts but before queues are created resulting in QUEUE_DOES_NOT_EXIST message=AMQ229017 (the queue is in the standalone.xml file) |
| JBEAP-18737 | CDI / Weld | Cannot inject MP Config property into a HealthCheck bean |
| JBEAP-18068 | CDI / Weld | @PreDestroy not called on view-scoped beans using CDI |
| JBEAP-18903 | CDI / Weld | WELD-2612 - Possible deadlock in conversation map cleanup |
| JBEAP-18148 | CDI / Weld | WFLY-12805 - Loading JTSSynchronizationWrapper gets NoClassDefFoundError: org/jboss/as/naming/context/NamespaceContextSelector |
| JBEAP-18067 | Clustering | ISPN-10984 - Clustering: java.lang.StackOverflowError in scattered cache scenarios |
| JBEAP-18433 | Clustering | Timed-out sessions may remain in the Java heap |
| JBEAP-18408 | Clustering | ISPN-11116 - Invalidation commands should not load the previous value from the store |
| JBEAP-18951 | Clustering | Object returned by HttpSession.getAttribute(...) following a previous setAttribute(...) is not mutated correctly using ATTRIBUTE granularity when the cache is non-transactional |
| JBEAP-18445 | Clustering | Web sessions passivated on shutdown |
| JBEAP-18661 | Deployment Framework | REM3-352 - EJB client behaviour is different when deployed in a .war compared to a .ear and can result in an OOME |
| JBEAP-10883 | EE | Allow core-size=0 |
| JBEAP-18440 | EE | WFLY-12947 - EL should coerce String to Integer in equals operation |
| JBEAP-18559 | EJB | WFLY-13009 - moduleAvailability message is sent before module has started |
| JBEAP-18499 | EJB | EJBCLIENT-365 - EJB client - env property takes no effect when value is an Integer rather than String |
| JBEAP-18833 | EJB | Expressions in jboss-ejb-client.xml don't work for client-context invocation-timeout |
| JBEAP-18606 | EJB | EJB Client authentication does not work using SASL DIGEST-MD5 and EXTERNAL mechanisms in Legacy security |
| JBEAP-18564 | EJB | EJBCLIENT-361 - DiscoveryEJBClientInterceptor: static blacklist |
| JBEAP-18301 | EJB | WEJBHTTP-31 - WildFlyClientInputStream waits for -1 when dealing with an exception result |
| JBEAP-18281 | EJB | WFLY-12871 - System Exception (EJBException) should be thrown instead of ApplicationException when rollback=false |
| JBEAP-18715 | EJB | ejb: binding should not be listed if there is no Remote interface |
| JBEAP-18192 | Generic JMS RA | Generic RA does not support JMS 1.1 in EAP 7.x |
| JBEAP-18526 | Hibernate | HHH-13184 - Hibernate is unable to determine dialect for Oracle 19 |
| JBEAP-18305 | Hibernate | HHH-13433 HHH-13737 EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ) |
| JBEAP-18307 | Hibernate | HHH-13651 HHH-13675 NPE on flushing when ElementCollection field contains null element |
| JBEAP-18306 | Hibernate | HHH-12858 HHH-13432 Unable to dynamically set datasource when creating an entity manager factory |
| JBEAP-19092 | Hibernate | HHH-12977 HHH-13910: MySQL57Dialect selected by automatic dialect resolution when using MySQL 8.0 database |
| JBEAP-18889 | Hibernate | HHH-13851 HHH-13891: ProxyFactory should not be built if any ID or property getter/setter methods are final |
| JBEAP-18094 | JCA | JBJCA-1396 - getConnection in UserTransaction returned closed connection after XAResource#commit() failed on same thread |
| JBEAP-18272 | JCA | JBJCA-1398 - Connection leak when there is an exception during getConnection for NoTransaction resource adapter |
| JBEAP-18289 | JCA | JBJCA-1399 - IJ000608 warnings of connections in excess of max-pool-size when using a capacity incrementer |
| JBEAP-18783 | JMS | ARTEMIS-2513 - Large message's copy may be interfered with by other threads |
| JBEAP-18784 | JMS | ENTMQBR-3108 - ARTEMIS-2500 - LargeMessage doesn't make a full copy of its props |
| JBEAP-18976 | JSF | JSF IdMapper can create repeated ids in clustered environments causing: IllegalStateException with postback |
| JBEAP-18330 | JSF | Mojarra Issue 4650 / ArrayIndexOutOfBoundsException with index -2 in HtmlResponseWriter.writeUnescapedCData(...) |
| JBEAP-18355 | JSF | Mojarra-4500 - NPE when determining converter for primitive values |
| JBEAP-18275 | JSF | WFLY-12869 - Remove "Multiple JSF Applications found on same ClassLoader" WARN |
| JBEAP-17931 | JSF | f:viewParam component only works for the first ajax request; for the second ajax request and so forth the submitted value is null |
| JBEAP-18744 | MP Config | MicroProfile ConfigProviderResolver should be set eagerly |
| JBEAP-18720 | MP Config | MicroProfile capability names are mangled "org.wildlfy..." |
| JBEAP-18746 | MP Config | Workaround for MicroProfile Config TCK "ShouldThrowException" failure |
| JBEAP-18745 | MP Health | MP Health returns UP when checks are expected but not installed yet |
| JBEAP-18743 | MP Health | microprofile-health subsystem should not expose smallrye implementation to deployments |
| JBEAP-19164 | MP JWT | JwtActivationProcessor throws NPE when LoginConfig#realmName not declared |
| JBEAP-19560 | MP Metrics | second TYPE line for metric name "base_gc_total", or TYPE reported after samples |
| JBEAP-19140 | MP OpenTracing | MicroProfile OpenTracing integration requires scope request |
| JBEAP-18326 | Management | Availability of web console during the startup of the Domain Controller |
| JBEAP-18297 | Management | HAL-1649 - HAL Management Console black screen - Syntax Error in polyfill.min.js with IE 11 |
| JBEAP-18647 | Management | HCs (slaves) cannot register with the DC (master) while the DC and its servers start up |
| JBEAP-18726 | Management | WFCORE-4594 - Expose CoreProcessStateService functionality used by subsystems via a capability |
| JBEAP-18728 | Management | WFCORE-4595 - ControlledProcessState.State should expose whether a state means a running server |
| JBEAP-18311 | Management | WFCORE-4733 - Server stops after switching from 'local' DC to 'remote' DC |
| JBEAP-18600 | Management | WFCORE-4820 - Error: WFLYDM0042: Multiple CallbackHandlerServices for the same mechanism (PLAIN) |
| JBEAP-19060 | Management | java.lang.StackOverflowError adding credential-store after setting a node-identifier |
| JBEAP-18585 | Modules | MODULES-378 - Symbolic links in config files are not working |
| JBEAP-18998 | OpenShift | Chained s2i builder image with binary artifact is taking too much space |
| JBEAP-18660 | OpenShift | Need to configure PREFIX_TX_ISOLATION with NONXA datasource on OpenShift |
| JBEAP-19167 | OpenShift | Placeholder ##DEFAULT_DATASOURCE## is not replaced during the container startup process |
| JBEAP-18666 | Patching | WFCORE-4596 - Write lock is acquired reading patching resource using include-runtime |
| JBEAP-18287 | REST | RESTEASY-2387 - FasterXML Jackson reports incorrect line number for JSON parsing errors |
| JBEAP-18831 | Remoting | IllegalThreadStateException after idle JMX connection |
| JBEAP-16749 | Security | ELY-1890 - Adding to the credential store changes the file mode of the credential store |
| JBEAP-18734 | Security | ELYWEB-67 - A doPrivileged is required to access the JASPI AuthConfigFactory |
| JBEAP-18704 | Security | ELYWEB-79 - For a root deployment the context-path should be empty string not "/" |
| JBEAP-18756 | Security | Backport new MicroProfile JWT module |
| JBEAP-18930 | Security | ELY-1940 - Elytron LDAP Squashes Authentication Exception |
| JBEAP-18290 | Security | File upload (multipart) does not work for files greater than 10 kB when PicketLink SSO is enabled |
| JBEAP-18203 | Security | File upload (multipart) with PicketLink fails with sizes over 20k (using Apache Commons FileUpload) |
| JBEAP-18298 | Security | HAL-1651 / HAL-1640 - For a slave node JVM instance running on another VM, start/stop and other options are not shown in the EAP 7.2.4 management console when RBAC is enabled |
| JBEAP-18505 | Security | InputStream is empty if getParameter is called in a deployment with PicketLink, which causes file upload to fail with sizes over 20k |
| JBEAP-18785 | Security | JASPIC module's initialize() is called multiple times |
| JBEAP-18599 | Security | PicketLink: TLS handshakes with ECDHE fail with Bouncy Castle and Java 11.0.5 |
| JBEAP-18805 | Security | WFLY-13161 - CLIENT-CERT login does not work in intermediate elytron setup |
| JBEAP-18393 | Server | Update $JBOSS_HOME/docs/schema to show https schema URL instead of http |
| JBEAP-18269 | Server | WFCORE-4768 - WFLYIO001: Worker 'default' has auto-configured to 24 core threads should be IO threads |
| JBEAP-19408 | Transactions | Unfinished transactions in JMS crash recovery scenario using JTA |
| JBEAP-17638 | Undertow | Enabling one-way SSL using elytron with key length < 2048 returns a non-user-friendly error message |
| JBEAP-19202 | Undertow | UNDERTOW-1657 - HttpReadListener.handleEventWithNoRunningRequest leaks buffer |
| JBEAP-18488 | Undertow | UNDERTOW-1637 - Http-404 is returned when accessing protected application context resource without a trailing slash |
| JBEAP-18858 | Undertow | UNDERTOW-1661 - Exchange already complete when rendering a JSP |
| JBEAP-18323 | Undertow | WFLY-11481 - EL expressions that contain unnecessary parentheses fail |
| JBEAP-18265 | Undertow | WFLY-12822 - Undertow Deadlock |
| JBEAP-19075 | Undertow | WFLYCLWEBUT0002 error occurs in first cross-context request creating a shared session |
| JBEAP-19280 | Undertow | NullPointerException when calling the AJP port |
| JBEAP-18698 | Undertow | wildfly-openssl cannot load library wfssl on RHEL6 |
| JBEAP-18651 | Web Console | Allow composite operation to read the model without needing to acquire the write lock in domain mode |
| JBEAP-18157 | Web Console | HAL-1646 - GUI has the wrong focus when switching between profiles |
| JBEAP-18171 | Web Console | HAL-1647 - JVM option is saved multiple times |
| JBEAP-18656 | Web Console | HAL-1653 - Topology is not refreshed automatically after restarting the domain |
| JBEAP-18910 | Web Console | HAL-1658 - No resource definition registered for ejb deployments on a host slave |
| JBEAP-18759 | Web Console | HAL-1669 - Cannot add IDP resource in keycloak-saml subsystem using EAP admin console |
| JBEAP-18823 | Web Console | HAL-1670 - Cannot add Oracle URL to XA Datasource |
| JBEAP-18363 | Web Services | Stax maxAttributeSize is only vaguely respected |
| JBEAP-18702 | mod_cluster | application context is enabled in mod_cluster for servers that are started suspended |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.3.1-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.3.1-patch.zip"
These commands apply the update to the installation that contains the CLI script. Other scenarios, including use of the management console, are covered in the JBoss EAP 7.3 Patching and Upgrading Guide.
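The two CLI commands above are the whole of the documented procedure; what an operator usually wraps around them is a check that the archive is the one that was downloaded and a confirmation afterwards that the patch is in place. The following wrapper is an added example, not Red Hat tooling. It assumes the expected SHA-256 is copied by the operator from the checksum published alongside the download, that `JBOSS_HOME` is a zip or installer installation (per the note above, not an RPM install), and it invokes exactly the `patch apply` and `patch info` CLI commands this page documents.

```python
"""Apply the 7.3 Update 1 cumulative patch with the checks a practitioner wants
around the documented jboss-cli commands.  Added example, not Red Hat tooling.
Assumptions: expected SHA-256 supplied by the operator from the download page;
JBOSS_HOME is a zip/installer installation."""
import hashlib
import os
import platform
import subprocess
import sys

PATCH_NAME = "jboss-eap-7.3.1-patch.zip"  # archive name from the commands above


def sha256_of(path, chunk=1 << 20):
    """Streamed SHA-256 so a multi-hundred-megabyte archive is not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_patch_archive(path, expected_sha256):
    """Refuse an archive whose name or digest differs from what was downloaded.
    Returns the verified digest so it can be recorded in the change ticket."""
    if os.path.basename(path) != PATCH_NAME:
        raise ValueError(f"unexpected archive name: {os.path.basename(path)}")
    actual = sha256_of(path)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"SHA-256 mismatch: got {actual}, expected {expected_sha256}")
    return actual


def cli_commands(jboss_home, patch_path, windows=None):
    """Build the 'patch apply' and 'patch info' invocations from the page as
    argument lists for subprocess (no shell), so paths with spaces stay intact."""
    if windows is None:
        windows = platform.system() == "Windows"
    cli = os.path.join(jboss_home, "bin", "jboss-cli.bat" if windows else "jboss-cli.sh")
    return [cli, f"patch apply {patch_path}"], [cli, "patch info"]


def apply_update(jboss_home, patch_path, expected_sha256):
    """Verify, apply, then report 'patch info'.  The server still has to be
    restarted for the update to take effect."""
    apply_cmd, info_cmd = cli_commands(jboss_home, patch_path)
    if not os.path.isfile(apply_cmd[0]):
        raise FileNotFoundError(f"{apply_cmd[0]} not found: is JBOSS_HOME a zip/installer install?")
    verify_patch_archive(patch_path, expected_sha256)
    subprocess.run(apply_cmd, check=True, cwd=jboss_home)  # page says: run from JBOSS_HOME
    info = subprocess.run(info_cmd, check=True, cwd=jboss_home, capture_output=True, text=True)
    return info.stdout


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} /path/to/{PATCH_NAME} <expected-sha256>")
    print(apply_update(os.environ["JBOSS_HOME"], sys.argv[1], sys.argv[2]))
```

The `patch info` output it prints is what to attach to the change record; the version and cumulative patch id it reports are the evidence that the update, and therefore the security fixes listed above, are actually installed on that host.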
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare metal installations on IBM zSeries are not supported.
- Removal of org.jboss.spec.javax.rmi:jboss-rmi-api_1.0_spec from the JBoss EAP 7.3 Maven BOM.