JBoss Enterprise Application Platform 7.4 Update 4 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 03.
Download: JBoss Enterprise Application Platform 7.4 Update 4
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-45046 | Server | log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) |
| CVE-2022-23307 | Server | log4j: Unsafe deserialization flaw in Chainsaw log viewer |
| CVE-2022-23305 | Server | log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender |
| CVE-2022-23302 | Server | log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink |
| CVE-2021-45105 | Server | log4j-core: DoS in log4j 2.x when Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern |
| CVE-2021-44832 | Server | log4j-core: remote code execution via JDBC Appender |
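Six of the fixes above are log4j updates, so the check a practitioner wants after applying this update is confirmation that the log4j jars on disk actually changed. The scanner below is an added example written for these notes; it is not Red Hat tooling and not part of the patch. It assumes 2.17.1 as the fixed log4j 2.x baseline (the upstream fix level for CVE-2021-44832) and that the log4j 1.x remediation removes the JMSSink, JDBCAppender and Chainsaw classes, so it classifies jars by their contents rather than trusting file names. The sample installation it builds when run without arguments is constructed, with empty class entries, so it runs offline; point it at a real JBOSS_HOME to scan an installation.

```python
"""Post-patch verification for the log4j fixes listed above.

Added example, not Red Hat tooling. Walks the modules/ tree of a JBoss EAP
installation, opens every log4j jar and reports:
  * log4j 2.x jars whose file-name version is below the assumed fixed baseline
    (2.17.1, the upstream fix level for CVE-2021-44832);
  * log4j 1.x jars that still ship the classes behind CVE-2022-23302,
    CVE-2022-23305 and CVE-2022-23307 (assumption: remediation removes them).
Red Hat-built jars use versions such as 2.17.1.redhat-00001; the parser keeps
only the numeric prefix, so a backported fix in an older-numbered jar would
still be reported and must be cross-checked against the errata.
"""
import os
import re
import sys
import tempfile
import zipfile

FIXED_LOG4J2 = (2, 17, 1)  # assumption: minimum log4j 2.x version considered fixed

# Presence of these classes means the 1.x issue is still reachable from a config.
LOG4J1_RISKY_CLASSES = {
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/Main.class": "CVE-2022-23307",
}

# Matches log4j-1.2.17.jar, log4j-core-2.17.1.redhat-00001.jar, log4j-jboss-logmanager-1.2.2.Final.jar
VERSION_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*?-(\d+)\.(\d+)\.(\d+)")


def parse_version(jar_name):
    """Return (major, minor, patch) parsed from a jar file name, or None if it is not a log4j jar."""
    m = VERSION_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Classify one jar by its contents (not its name) and list the findings for it."""
    name = os.path.basename(path)
    version = parse_version(name)
    with zipfile.ZipFile(path) as zf:
        entries = set(zf.namelist())
    findings = []
    if any(e.startswith("org/apache/logging/log4j/") for e in entries):
        family = "log4j2"
        if version is not None and version < FIXED_LOG4J2:
            findings.append("version %s is below assumed fixed baseline %s"
                            % (".".join(map(str, version)), ".".join(map(str, FIXED_LOG4J2))))
    elif any(e.startswith("org/apache/log4j/") for e in entries):
        family = "log4j1"  # also matches JBoss's log4j bridge jar, which is fine if it is clean
        for cls, cve in LOG4J1_RISKY_CLASSES.items():
            if cls in entries:
                findings.append("%s: %s present" % (cve, cls))
    else:
        family = None
    return {"jar": name, "family": family, "version": version, "findings": findings}


def scan(jboss_home):
    """Inspect every log4j*.jar under JBOSS_HOME/modules and return the log4j ones."""
    results = []
    for root, _dirs, files in os.walk(os.path.join(jboss_home, "modules")):
        for f in sorted(files):
            if f.startswith("log4j") and f.endswith(".jar"):
                results.append(inspect_jar(os.path.join(root, f)))
    return [r for r in results if r["family"] is not None]


def make_sample_install(base=None):
    """Constructed stand-in for JBOSS_HOME: jars with empty class entries, for offline runs.
    Module paths are illustrative, not the real EAP module layout."""
    base = base or tempfile.mkdtemp(prefix="eap-sample-")
    layer = os.path.join(base, "modules", "system", "layers", "base")

    def write_jar(relpath, entries):
        full = os.path.join(layer, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            for e in entries:
                zf.writestr(e, b"")

    # Unpatched-looking 1.x jar: still carries JMSSink and JDBCAppender.
    write_jar("org/apache/log4j/main/log4j-1.2.17.redhat-00001.jar",
              ["org/apache/log4j/Logger.class",
               "org/apache/log4j/net/JMSSink.class",
               "org/apache/log4j/jdbc/JDBCAppender.class"])
    # 2.x core below the baseline.
    write_jar("org/apache/logging/log4j/core/main/log4j-core-2.14.1.jar",
              ["org/apache/logging/log4j/core/Logger.class"])
    # 2.x api at the baseline, Red Hat-built.
    write_jar("org/apache/logging/log4j/api/main/log4j-api-2.17.1.redhat-00001.jar",
              ["org/apache/logging/log4j/LogManager.class"])
    # JBoss's 1.x-compatible bridge: 1.x namespace, none of the risky classes.
    write_jar("org/jboss/log4j/logmanager/main/log4j-jboss-logmanager-1.2.2.Final-redhat-00001.jar",
              ["org/apache/log4j/Logger.class"])
    return base


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else make_sample_install()
    for r in scan(home):
        status = "CHECK" if r["findings"] else "OK"
        print("%-5s %s [%s] %s" % (status, r["jar"], r["family"], "; ".join(r["findings"]) or "no findings"))
```

A CHECK line is a prompt to read the errata for that jar, not proof of exposure: the 1.x classes are only dangerous when a configuration actually uses the corresponding appender or sink, and a Red Hat build may carry a fix under an older upstream number.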
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-22103 | | WFLY-14792 - ParsedServiceDeploymentProcessor unnecessarily does deep reflection on JDK classes |
| JBEAP-22670 | A-MQ7 | ENTMQBR-5725 - JMS broker fails to load if there is a prepared transaction with an ACK pending on a non-existent page |
| JBEAP-23107 | Batch | WFLY-15921 - JobOperator.getJobNames() only returns names of jobs that have already been executed since server start |
| JBEAP-23114 | Batch | WFLY-15954 - getJobInstances, getJobInstanceCount, getRunningExecutions should include jobs that have not been started |
| JBEAP-23323 | Batch | WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend |
| JBEAP-22290 | CDI / Weld | WFLY-11817 - CDI @Resource(lookup=...) processing does not start corresponding binder service |
| JBEAP-23010 | CLI | WFCORE-5765 - Unable to check the result containing whitespace with the equals to (==) comparison operator in the "if-else" control flow in JBoss-CLI |
| JBEAP-23071 | Clustering | WFLY-14746 - JGRP000014: STABLE.stability_delay has been deprecated: always 0 |
| JBEAP-22746 | Clustering | WFLY-15677 - Disable simple cache optimization when statistics are enabled |
| JBEAP-22727 | EE | WFLY-14919 - Credential store expression resolution not usable for deployment descriptors and annotations. |
| JBEAP-22722 | EE | WFLY-15494 - Duplicate dependencies in system module.xmls |
| JBEAP-22263 | EE | Serialization of a Map fails if the key uses a custom Serializer |
| JBEAP-23008 | EJB | WFLY-15335 - Simplify the processing of ejb timer timeout method params |
| JBEAP-23009 | EJB | WFLY-15499 - Honor sybase as database value, and remove the unused field databaseDialects in DatabaseTimerPersistence class |
| JBEAP-23007 | EJB | WFLY-15583 - Adjust sql statements during initialization of DatabaseTimerPersistence |
| JBEAP-22996 | EJB | EJB timer: need to consider existing timers in database when switching to truncated timestamp |
| JBEAP-22995 | EJB | WFLY-15569 - Database persistent auto timers are created twice |
| JBEAP-22425 | JCA | WFLY-15228 - Improve RA and DS subsystems' handling of the absence of legacy security |
| JBEAP-23097 | Management | Elytron local authentication doesn't work if no standalone/tmp/auth dir exists and no legacy security-realm is configured |
| JBEAP-22638 | Management | WFCORE-5675 - NPE sending transformed operation results in OperationTransformationTestCase failing when SE 17 is used |
| JBEAP-22751 | Management | WFCORE-5709 - Invalid read-attribute and read-resource output for credential store expressions with resolve-expressions=true |
| JBEAP-22098 | Scripts | WFCORE-5406 - For JDK 16+ server requires --add-opens to allow reflective access to JDK classes |
| JBEAP-22972 | Security | ELY-2067 - Elytron tool should log a warning that mask password command is not FIPS compliant |
| JBEAP-22951 | Security | ELY-2232 - OIDC AccessToken::getResourceAccessClaim always returns an empty map |
| JBEAP-22953 | Security | ELY-2242 - OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule |
| JBEAP-23077 | Security | ELY-2284 - ELY-2290 - Wildfly OIDC secured App generates a lot of keycloak requests |
| JBEAP-23106 | Security | ELY-2286 - OIDC-Adapter should support multi tenancy |
| JBEAP-22726 | Security | WFCORE-5696 - Credential store expression resolution not usable for deployment descriptors and annotations. |
| JBEAP-22563 | Security | WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries |
| JBEAP-23123 | Security | ELY-303 ELY-2298 - The 'Basic' and 'Digest' HTTP Authentication Schemes not compatible with RFC7617 and RFC7616 |
| JBEAP-23013 | Security | WFCORE-5490 - Elytron Expression Resolution too late to handle system properties. |
| JBEAP-23369 | Security | OpenSSL doesn't work with JDK 8 |
| JBEAP-23085 | Server | ISPN-13549 - Data race in EntryWrappingInterceptor handling expired entries |
| JBEAP-23104 | Transactions | WFLY-15945 - Performance regression when using the journal store with Narayana 5.12.4.Final |
| JBEAP-22349 | Undertow | WFLY-14945 - JSP Compiler regression on most recent JDK17 EA build |
| JBEAP-22861 | Undertow | UNDERTOW-2002 - StackOverflowError upon AJP read timeout |
| JBEAP-23027 | Undertow | UNDERTOW-2015 - Undertow AJP listener does not ignore a query parameter whose name and value are empty |
| JBEAP-22320 | Undertow | WFLY-15117 - NullPointerException during server startup, when called by monitoring tool |
| JBEAP-22921 | VFS | JBVFS - Delay openStream call for each entry in VirtualJarInputStream |
| JBEAP-22819 | Web Console | HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console |
| JBEAP-22744 | Web Console | HAL-1760 - Editing credential reference for mail server is not working |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.4-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.4-patch.zip"
These commands apply the update to the installation that contains the CLI script. After the patch is applied, restart the server for it to take effect, and confirm the active cumulative patch with the CLI command patch info. Other scenarios, including use of the management console, are covered in the JBoss EAP 7.4 Patching and Upgrading Guide.
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare-metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have an s390x build, see here for more details
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows you to build and deploy applications on OpenShift using the Helm package manager
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs are deprecated in JBoss EAP 7.4 and will change in EAP 8 / Hibernate 6