JBoss Enterprise Application Platform 7.3 Update 2 Release Notes
Updated
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.3 Update 01
Download This content is not included.JBoss Enterprise Application Platform 7.3 Update 2
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-10718 | Embedded | exposed setting of TCCL via the EmbeddedManagedProcess API |
| CVE-2019-14900 | JPA / Hibernate | hibernate: SQL injection issue in Hibernate ORM |
| CVE-2020-11612 | JMS | netty: compression/decompression codecs don't enforce limits on buffer allocation sizes |
| CVE-2020-10687 | Web (Undertow) | Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests |
| CVE-2020-1748 | Security Manager | Improper authorization issue in WildFlySecurityManager when using alternative protection domain |
| CVE-2020-14307 | EJB | jboss-ejb-client: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service [details] |
| CVE-2020-10714 | Security | wildfly-elytron: session fixation when using FORM authentication |
| CVE-2020-10693 | Server | hibernate-validator: Improper input validation in the interpolation of constraint error messages |
| CVE-2020-10740 | EJB | unsafe deserialization in Wildfly Enterprise Java Beans |
| CVE-2020-10683 | JPA / Hibernate | dom4j: XML External Entity vulnerability in default SAX parser |
| CVE-2020-10672 | REST | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution |
| CVE-2020-10673 | REST | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution |
| CVE-2020-1710 | Web (Undertow) | undertow: EAP: field-name is not parsed in accordance to RFC7230 |
| CVE-2020-14297 | EJB | jboss-ejb-client: Some EJB transaction objects may get accumulated causing Denial of Service |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| Content from issues.jboss.org is not included.JBEAP-19498 | ELY-1953 - Elytron tool command execution fails with java.nio.file.NoSuchFileException | |
| Content from issues.jboss.org is not included.JBEAP-19542 | XNIO-374 - ByteBufferSlicePool FREE_DIRECT_BUFFERS is always empty | |
| Content from issues.jboss.org is not included.JBEAP-19568 | Add EJB hibernate validator phase | |
| Content from issues.jboss.org is not included.JBEAP-19760 | WEJBHTTP-45 - UT000103 thrown when WildflyClientOutputStream size is exactly 1024 bytes | |
| Content from issues.jboss.org is not included.JBEAP-19108 | CDI / Weld | WFLY-13297 - Weld @Resource injection does not handle expressions in the annotation attributes |
| Content from issues.jboss.org is not included.JBEAP-19744 | Clustering | WFLY-13616 - Distributed session manager should trigger HttpSessionAttributeListener.attributeRemoved events on session destroy |
| Content from issues.jboss.org is not included.JBEAP-19802 | Clustering | WFLY-13627 - Distributed sessions/SFSBs stored in non-transactional invalidation-cache should schedule expirations locally |
| Content from issues.jboss.org is not included.JBEAP-19804 | Clustering | WFLY-13628 - Invalidation caches need to consider keys in the cache store when reassigning ownership |
| Content from issues.jboss.org is not included.JBEAP-19889 | Clustering | WFLY-13658 - Active session statistics incorrectly reported for non-tx invalidation caches |
| Content from issues.jboss.org is not included.JBEAP-19398 | EJB | WFLY-13381- Unable to disable security on EJB over Http endpoint |
| Content from issues.jboss.org is not included.JBEAP-19562 | EJB | EJBCLIENT-373 - Don't throw XAException.XAER_NOTA in EAP6 <-> EAP7 interoperability scenario |
| Content from issues.jboss.org is not included.JBEAP-19541 | EJB | Large growth in EJB3 SimpleCache expirationFutures |
| Content from issues.jboss.org is not included.JBEAP-18605 | EJB | WEJBHTTP-30 - Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster |
| Content from issues.jboss.org is not included.JBEAP-19510 | EJB | WFLY-13152 - WFLYEJB0094: EJB 3.1 FR 5.4.2 MessageDrivenBean does not implement 1 interface nor specifies message listener interface |
| Content from issues.jboss.org is not included.JBEAP-19539 | EJB | WFLY-13386 - Hung process instances and associated server.log WARN "Failed to reinstate timer 'kie-server.kie-server.EJBTimerScheduler' " |
| Content from issues.jboss.org is not included.JBEAP-18167 | Generic JMS RA | Generic RA ManagedConnection opens 2 connections to the broker [details] |
| Content from issues.jboss.org is not included.JBEAP-19465 | Generic JMS RA | WFLY-13457 - Generic JMS RA leaks memory when using JMS 2.0 API with TIBCO EMS |
| Content from issues.jboss.org is not included.JBEAP-18825 | Hibernate | HHH-13695 - DDL export forgets to close a Statement |
| Content from issues.jboss.org is not included.JBEAP-19333 | Hibernate | HHH-13960 - Add SAXReader sec features to match the defaults |
| Content from issues.jboss.org is not included.JBEAP-16113 | Hibernate | WFLY-11566 - ConstraintDeclarationException on JAX-RS/EJB Methods with List/Set query parameter |
| Content from issues.jboss.org is not included.JBEAP-19321 | IO | XNIO-372 - NPE happens on ByteBufferSlicePool.clean() for non-direct buffers |
| Content from issues.jboss.org is not included.JBEAP-19193 | JCA | JBJCA-1407 - Exception in thread "ConnectionValidator" java.lang.IllegalMonitorStateException in server shutdown |
| Content from issues.jboss.org is not included.JBEAP-18960 | JCA | JBJCA-1404 - Race condition involving Pool.fillTo [details] |
| Content from issues.jboss.org is not included.JBEAP-19593 | JSF | WFLY-13497 - Wrong behaviour in JSF UIInput's component |
| Content from issues.jboss.org is not included.JBEAP-19407 | JSF | Memory leak in FlashScope - expired elements are not cleared |
| Content from issues.jboss.org is not included.JBEAP-19267 | Logging | LOGMGR-263 - Logger Lookup is much slower as with JDK 8 |
| Content from issues.jboss.org is not included.JBEAP-19276 | Logging | WFCORE-4860 - Performance degradation with the LogContextSelector on Java 11 |
| Content from issues.jboss.org is not included.JBEAP-19302 | Management | When server is started at suspend mode, :shutdown does not trigger a shutdown |
| Content from issues.jboss.org is not included.JBEAP-19051 | Migration | HAL-1677 - Broken 'domain.xml' after migration of |
| Content from issues.jboss.org is not included.JBEAP-19064 | Naming | WFLY-13375 - JNDI view does not show implementation classes for connection factories and destinations registered by 3rd party resource adapters |
| Content from issues.jboss.org is not included.JBEAP-19640 | Security | ELY-1979 - Elytron needs to deal with JEPS 244 in the org.wildfly.security.ssl package |
| Content from issues.jboss.org is not included.JBEAP-19641 | Security | ELY-1981 - SSL Module missing plugin configuration to assemble multi-version jar |
| Content from issues.jboss.org is not included.JBEAP-19659 | Security | UNDERTOW-1713 - Calling isReady may start async IO too early |
| Content from issues.jboss.org is not included.JBEAP-19336 | Security | WFCORE-4932 - Reading of identity from security domain causes NPE |
| Content from issues.jboss.org is not included.JBEAP-19375 | Security | WFCORE-4950 - Regression: Legacy Ldap Realm securing EJB with JDK8 not working |
| Content from issues.jboss.org is not included.JBEAP-19446 | Security | WFCORE-4965 - Error loading a PKCS12 keystore inside a security-realm when using a credential-reference |
| Content from issues.jboss.org is not included.JBEAP-19337 | Security | ELY-1954 - Submission for "j_security_check" login does not work if URL has no trailing slash |
| Content from issues.jboss.org is not included.JBEAP-19331 | Web (JBoss Web) | Session externalization tests are hanging with ATTRIBUTE granularity + EAP7.3+hotrod-session-management |
| Content from issues.jboss.org is not included.JBEAP-19638 | Web (Undertow) | UNDERTOW-1702 - SameSiteCookieHandler can throw NPE if request doesn't contain user-agent header |
| Content from issues.jboss.org is not included.JBEAP-19590 | Web (Undertow) | UNDERTOW-1716 - Allow colon in the request cookie value regardless of setting ALLOW_HTTP_SEPARATORS_IN_V0 |
| Content from issues.jboss.org is not included.JBEAP-19631 | Web (Undertow) | UNDERTOW-1726 - Check Java version in the JDK9AlpnProvider |
| Content from issues.jboss.org is not included.JBEAP-19623 | Web (Undertow) | UNDERTOW-1719 - getRequestURI returning a wrong path when URL uses semicolon |
| Content from issues.jboss.org is not included.JBEAP-19086 | Web (Undertow) | WFLY-13293 - When deploying "ROOT.war" in EAP7.x, the context root value output through jboss-cli is not valid |
| Content from issues.jboss.org is not included.JBEAP-19328 | Web (Undertow) | UNDERTOW-1197 - Response not reused when processing async request |
| Content from issues.jboss.org is not included.JBEAP-19474 | Web (Undertow) | UNDERTOW-1419 - bumpTimeout method usage in InMemorySessionManager |
| Content from issues.jboss.org is not included.JBEAP-19245 | Web (Undertow) | UNDERTOW-1683 - UT000146 is improperly thrown |
| Content from issues.jboss.org is not included.JBEAP-19567 | Web (Undertow) | UNDERTOW-1717 - Return 416 Range Not Satisfiable when first-byte-pos of Range request header is equal to the content-length [details] |
| Content from issues.jboss.org is not included.JBEAP-19577 | Web (Undertow) | UNDERTOW-1720 - NullPointerException at channel.write(buffer) due to a race condition in AsyncSenderImpl [details] |
| Content from issues.jboss.org is not included.JBEAP-19264 | Web (Undertow) | WFLY-13392 - WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp |
| Content from issues.jboss.org is not included.JBEAP-19449 | Web (Undertow) | WFLY-13447 - Undertow request failure happens due to "IllegalArgumentException: Comparison method violates its general contract!" when many filter-ref are defined [details] |
| Content from issues.jboss.org is not included.JBEAP-19581 | Web (Undertow) | WFLY-13527 - Thousand of unauthorized requests in between balancer and backend if backend is running in a cluster |
| Content from issues.jboss.org is not included.JBEAP-19200 | Web Console | HAL-1679 - Cannot undeploy from Server Groups [details] |
| Content from issues.jboss.org is not included.JBEAP-19199 | Web Console | HAL-1680 - Take a Tour needs is not loading RBAC pages properly |
| Content from issues.jboss.org is not included.JBEAP-19324 | Web Console | HAL-1684 - java.lang.IllegalArgumentException when adding JVM Options with ${} expressions |
| Content from issues.jboss.org is not included.JBEAP-19262 | Web Console | HAL-1682 Webconsole failed to move messages from queue1 to queue2 |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.3.2-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.3.2-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.3 Patching And Upgrading Guide
- The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.
Category
Components
Article Type