JBoss Enterprise Application Platform 7.2 Update 9 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
Notes:
- If you send PATCH requests to RESTEasy: a CVE fix disables this deserialization by default; set `-Djackson.deserialization.whitelist.packages=com.github.fge.jsonpatch` to re-enable it (see more details).
- Red Hat JBoss EAP 7.2 Update 9 (7.2.9) is the last maintenance release for EAP 7.2 (see more details).
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 08.
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2018-14371 | JSF | jsf-impl: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter |
| CVE-2019-10174 | Clustering | infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods |
| CVE-2020-8840 | REST | jackson-databind: Lacks certain xbean-reflect/JNDI blocking |
| CVE-2020-10718 | Embedded | exposed setting of TCCL via the EmbeddedManagedProcess API |
| CVE-2020-9546 | REST | jackson-databind: Serialization gadgets in shaded-hikari-config |
| CVE-2020-9547 | REST | jackson-databind: Serialization gadgets in ibatis-sqlmap |
| CVE-2020-9548 | REST | jackson-databind: Serialization gadgets in anteros-core |
| CVE-2019-14900 | Hibernate | hibernate: SQL injection issue in Hibernate ORM |
| CVE-2020-10687 | Web (Undertow) | Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests |
| CVE-2020-1748 | Security Manager | Improper authorization issue in WildFlySecurityManager when using alternative protection domain |
| CVE-2020-14307 | EJB | jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service |
| CVE-2020-10714 | Security | wildfly-elytron: session fixation when using FORM authentication |
| CVE-2020-10693 | Server | hibernate-validator: Improper input validation in the interpolation of constraint error messages |
| CVE-2020-10740 | Server | wildfly: unsafe deserialization in Wildfly Enterprise Java Beans |
| CVE-2020-10683 | JPA / Hibernate | dom4j: XML External Entity vulnerability in default SAX parser |
| CVE-2020-10672 | REST | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution |
| CVE-2020-10673 | REST | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution |
| CVE-2020-1710 | Web (Undertow) | undertow: EAP: field-name is not parsed in accordance to RFC7230 |
| CVE-2020-14297 | EJB | jboss-ejb-client: wildfly: Some EJB transaction objects may get accumulated causing Denial of Service |
| CVE-2020-6950 | JSF | jsf-impl: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 |
| CVE-2020-1695 | REST | resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-19543 | | XNIO-374 - ByteBufferSlicePool FREE_DIRECT_BUFFERS is always empty |
| JBEAP-19761 | | UT000103 thrown when WildflyClientOutputStream size is exactly 1024 bytes |
| JBEAP-18904 | CDI / Weld | WELD-2612 - Possible deadlock in conversation map cleanup |
| JBEAP-19122 | CDI / Weld | Weld @Resource injection does not handle expressions in the annotation attributes |
| JBEAP-19308 | CLI | WFCORE-4359 - CommandFormatException: Invalid syntax... when using tab completion |
| JBEAP-19306 | CLI | WFCORE-4543 - CLI output is doubled after embed-server reload |
| JBEAP-19697 | Class Loading | MODULES-392 - java.lang.ClassNotFoundException: java.net.http.HttpClient |
| JBEAP-19890 | Clustering | Active session statistics incorrectly reported for invalidation caches |
| JBEAP-19803 | Clustering | Distributed sessions/SFSBs stored in non-transactional invalidation-cache should schedule expirations locally |
| JBEAP-19805 | Clustering | Invalidation caches need to consider keys in the cache store when reassigning ownership |
| JBEAP-19745 | Clustering | WFLY-13616 - Distributed session manager should trigger HttpSessionAttributeListener.attributeRemoved events on session destroy |
| JBEAP-16383 | EJB | WFLY-13381 - Unable to disable security on EJB over Http endpoint |
| JBEAP-19563 | EJB | EJBCLIENT-373 - Don't throw XAException.XAER_NOTA in EAP6 <-> EAP7 interoperability scenario |
| JBEAP-19544 | EJB | Large growth in EJB3 SimpleCache expirationFutures |
| JBEAP-17633 | EJB | WEJBHTTP-30 - Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster |
| JBEAP-19518 | EJB | WFLY-13386 - Hung process instances and associated server.log WARN "Failed to reinstate timer 'kie-server.kie-server.EJBTimerScheduler'" |
| JBEAP-18794 | EJB | WFLYEJB0094: EJB 3.1 FR 5.4.2 MessageDrivenBean does not implement 1 interface nor specifies message listener interface |
| JBEAP-19492 | Embedded | WFCORE-4436 - NPE with the CLI embedded server when in admin-only mode |
| JBEAP-18191 | Generic JMS RA | Generic RA ManagedConnection opens 2 connections to the broker |
| JBEAP-18059 | Generic JMS RA | Generic RA does not support JMS 1.1 in EAP 7.x |
| JBEAP-19586 | Generic JMS RA | WFLY-13457 - Generic JMS RA leaks memory when using JMS 2.0 API with TIBCO EMS |
| JBEAP-18826 | Hibernate | HHH-13695 - DDL export forgets to close a Statement |
| JBEAP-19334 | Hibernate | HHH-13960 - Add SAXReader sec features to match the defaults |
| JBEAP-19078 | Hibernate | HHH-13851 - ProxyFactory should not be built if any ID or property getter/setter methods are final |
| JBEAP-18576 | Hibernate | HHH-13184 - Hibernate is unable to determine dialect for Oracle 19 |
| JBEAP-19049 | IO | XNIO-372 - NPE happens on XNIO ByteBufferSlicePool.clean() for non-direct buffers during the shutdown |
| JBEAP-19592 | JCA | JBJCA-1407 - Exception in thread "ConnectionValidator" java.lang.IllegalMonitorStateException in server shutdown |
| JBEAP-18961 | JCA | JBJCA-1404 - Race condition involving Pool.fillTo |
| JBEAP-19423 | JMS | WFTC-82 - Unfinished transactions in JMS crash recovery scenario using JTA |
| JBEAP-19594 | JSF | Wrong behaviour in JSF UIInput's component |
| JBEAP-19307 | Logging | WFCORE-4458 - StackOverflowError during server start |
| JBEAP-19309 | Logging | WFLY-13273 - Create tests for WFCORE-4860 |
| JBEAP-18947 | Logging | LOGMGR-263 - Logger Lookup is much slower as with JDK 8 |
| JBEAP-19305 | Logging | WFCORE-4860 - Performance degradation with the LogContextSelector on Java 11 |
| JBEAP-19303 | Management | WFCORE-4935 - When server is started at suspend mode, :shutdown does not trigger a shutdown |
| JBEAP-17564 | Migration | HAL-1677 - Broken 'domain.xml' after migration of |
| JBEAP-18969 | Naming | WFLY-13375 - JNDI view does not show implementation classes for connection factories and destinations registered by 3rd party resource adapters |
| JBEAP-18802 | REST | RESTEASY-2522 - Inconsistent response code when calling JAXRS-based endpoint with BeanValidation Constraints |
| JBEAP-19660 | Security | UNDERTOW-1713 - Calling isReady may start async IO too early |
| JBEAP-19513 | Security | ELY-1954 - Submission for "j_security_check" login does not work if URL has no trailing slash |
| JBEAP-19639 | Web (Undertow) | UNDERTOW-1702 - SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header |
| JBEAP-19591 | Web (Undertow) | UNDERTOW-1716 - Allow colon in the request cookie value regardless of setting ALLOW_HTTP_SEPARATORS_IN_V0 |
| JBEAP-19632 | Web (Undertow) | UNDERTOW-1726 - Check Java version in the JDK9AlpnProvider |
| JBEAP-19546 | Web (Undertow) | UNDERTOW-1719 - getRequestURI returning a wrong path when URL uses semicolon |
| JBEAP-19032 | Web (Undertow) | WFLY-13293 - When deploying "ROOT.war" in EAP7.x, the context root value output through jboss-cli is not valid |
| JBEAP-19452 | Web (Undertow) | UNDERTOW-1197 - Response not reused when processing async request |
| JBEAP-19475 | Web (Undertow) | UNDERTOW-1419 - bumpTimeout method usage in InMemorySessionManager |
| JBEAP-19246 | Web (Undertow) | UNDERTOW-1683 - UT000146 is improperly thrown |
| JBEAP-19256 | Web (Undertow) | UNDERTOW-1703 - WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp |
| JBEAP-19566 | Web (Undertow) | UNDERTOW-1717 - Return 416 Range Not Satisfiable when first-byte-pos of Range request header is equal to the content-length |
| JBEAP-19578 | Web (Undertow) | UNDERTOW-1720 - NullPointerException at channel.write(buffer) due to a race condition in AsyncSenderImpl |
| JBEAP-19450 | Web (Undertow) | Undertow request failure happens due to "IllegalArgumentException: Comparison method violates its general contract!" when many filter-ref are defined |
| JBEAP-19582 | Web (Undertow) | WFLY-13527 - Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster |
| JBEAP-19266 | Web (Undertow) | UNDERTOW-1709 - NullPointerException when calling the AJP port |
| JBEAP-18911 | Web Console | HAL-1658 - No resource definition registered for ejb deployments on a host slave |
| JBEAP-19236 | Web Console | HAL-1682 - Webconsole failed to move messages from queue1 to queue2 |
| JBEAP-19124 | Web Console | HAL-1684 - java.lang.IllegalArgumentException when adding JVM Options with ${} expressions |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from `JBOSS_HOME`:

```sh
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.9-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from `JBOSS_HOME`:

```bat
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.9-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios, including use of the management console, are covered in the JBoss EAP 7.2 Patching and Upgrading Guide.
Notes
- SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP handlers. If this happens, update the SOAP handler to work with SAAJ 1.4; while the handler is being updated, the system property `-Djboss.saaj.api.version=1.3` can be set to restore the SAAJ 1.3 behavior.
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare-metal installations on IBM zSeries are not supported.