JBoss Enterprise Application Platform 7.3 Update 10 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.3 Update 09
Download This content is not included.JBoss Enterprise Application Platform 7.3 Update 10
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-37714 | Bean Validation | jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck |
| CVE-2021-3642 | Security | wildfly-elytron: possible timing attack in ScramServer |
| CVE-2021-40690 | Server | xmlsec: xml-security: XPath Transform abuse allows for information disclosure |
| CVE-2021-3717 | Security | wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users |
| CVE-2021-3629 | Undertow | undertow: potential security issue in flow control over HTTP/2 may lead to DOS |
| CVE-2021-20289 | REST | resteasy-jaxrs: resteasy: Error message exposes endpoint class information |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| Content from issues.jboss.org is not included.JBEAP-20522 | A-MQ7 | WFLY-15039 - Cluster Intermittently Fails to Reestablish After a Node is Restarted |
| Content from issues.jboss.org is not included.JBEAP-22646 | ActiveMQ | WFLY-15597 - Can't create a pooled CF with a discovery group |
| Content from issues.jboss.org is not included.JBEAP-22392 | Clustering | JBEAP-22175 - WFLY-7115 - KeyAffinityService blocks Infinispan's topology change thread - Fix clustering issues during merge |
| Content from issues.jboss.org is not included.JBEAP-22153 | EJB | EJBCLIENT-408 - Racecondition in RemotingEJBDiscoveryProvider is causing a NullPointerException |
| Content from issues.jboss.org is not included.JBEAP-22479 | JCA | JBJCA-1421 - Use Connection.isValid() in org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker |
| Content from issues.jboss.org is not included.JBEAP-22449 | JCA | JBJCA-1429 - Connection leak following transaction timeout during XAResource enlistment |
| Content from issues.jboss.org is not included.JBEAP-22468 | JCA | WFLY-15189 - JCA: Disable logging for failed connections found during validation |
| Content from issues.jboss.org is not included.JBEAP-22300 | JCA | JBJCA-1427 - not possible to bypass GSSCredentials using Datasource.getConnection(username,password) |
| Content from issues.jboss.org is not included.JBEAP-19866 | OpenShift | CLOUD-3649 - Datasource driver module not supported by environment variable based configuration |
| Content from issues.jboss.org is not included.JBEAP-19838 | OpenShift | CLOUD-3674 - Unable to set datasource class / driver class at the pool level |
| Content from issues.jboss.org is not included.JBEAP-22129 | OpenShift | CLOUD-4001 - EAP Configuration using embedded server ignores JAVA_OPTS_APPEND [details] |
| Content from issues.jboss.org is not included.JBEAP-22006 | REST | RESTEASY-2914 - ResteasyViolationException#toString concurrency generate a java.util.ConcurrentModificationException |
| Content from issues.jboss.org is not included.JBEAP-22339 | Security | ELY-2194 - JWK implementation in JwkManager does not work properly on key rotation |
| Content from issues.jboss.org is not included.JBEAP-22372 | Server | WFCORE-5543 - Operation-scoped caching of static module Jandex indices |
| Content from issues.jboss.org is not included.JBEAP-22512 | Undertow | UNDERTOW-1972 - InMemorySessionManager can mistake PLACE_HOLDER_SESSION with a real session |
| Content from issues.jboss.org is not included.JBEAP-22177 | Undertow | UNDERTOW-1869 - InMemorySessionManager Session Creation Not Thread Safe |
| Content from issues.jboss.org is not included.JBEAP-22025 | Undertow | UNDERTOW-1898 - DefaultServlet will not serve content from any directories starting with WEB-INF or META-INF [details] |
| Content from issues.jboss.org is not included.JBEAP-22498 | Web Services | CXF-8596 - Fix infinite loop in WebFaultOutInterceptor |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.3.10-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.3.10-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.3 Patching And Upgrading Guide
- The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.