JBoss Enterprise Application Platform 7.4 Update 5 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 04.
Download: JBoss Enterprise Application Platform 7.4 Update 5
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2022-23913 | Server | artemis-commons: Apache ActiveMQ Artemis DoS |
| CVE-2021-42392 | Server | h2: Remote Code Execution in Console |
| CVE-2022-0084 | Server | xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr |
| CVE-2022-23437 | Server | xerces-j2: infinite loop when handling specially crafted XML document payloads |
| CVE-2022-1319 | Undertow | undertow: Double AJP response for 400 from EAP 7 results in CPING failures |
| CVE-2020-36518 | Server | jackson-databind: denial of service via a large depth of nested objects |
| CVE-2022-0866 | Server | Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled |
| CVE-2021-37136 | Server | netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data |
| CVE-2021-37137 | Server | netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way |
| CVE-2022-21363 | Server | mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors |
| CVE-2022-24785 | Server | Moment.js: Path traversal in moment.locale |
| CVE-2022-23221 | Server | h2: Loading of custom classes from remote servers through JNDI |
| CVE-2022-21299 | XML Frameworks | xercesimpl: OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) |
| CVE-2021-43797 | Server | netty: control chars in header names may lead to HTTP request smuggling |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-23240 | Batch | JBERET-537 - Error closing ItemReader.: javax.transaction.TransactionalException: ARJUNA016110: Transaction is required for invocation |
| JBEAP-23193 | Bean Validation | HV-1878 - Hibernate validator: UnsupportedOperationException at java.sql.Date.toInstant(Date.java:316) |
| JBEAP-22842 | Clustering | Defend against ConcurrentModificationExceptions while marshalling collections/maps |
| JBEAP-22724 | EJB | WFCORE-5861 - InaccessibleObjectException with OpenJDK17 and embed-server |
| JBEAP-21282 | EJB | Verify EJB over HTTP transactional behavior in OpenShift environment |
| JBEAP-22012 | Hibernate | HHH-14624 HHH-14649 HHH-14819 Oracle 'offset ? rows fetch next ? rows' pagination support |
| JBEAP-23147 | Hibernate | HHH-15106 - Associations with @NotFound should always be left joined when de-referenced in HQL/Criteria |
| JBEAP-23291 | JSF | Some Form attributes are lost by JSF rendering when enabling javax.faces.FACELETS_REFRESH_PERIOD |
| JBEAP-23179 | OpenShift | Jolokia #438 Reading runtime mbean fails on JDK11 |
| JBEAP-23202 | Remoting | IOException with message ack timeout expired before timeout has ellapsed |
| JBEAP-22923 | Remoting | XNIO-402 - Log Xnio thread size config at debug |
| JBEAP-23515 | Remoting | XNIO-404 - Channels cannot open file "NUL:" on Windows |
| JBEAP-2903 | Security | User with slash or backslash char in LDAP name cannot log in through security-realm |
| JBEAP-23421 | Security | ELY-2326 - Elytron GSSCredentialSecurityFactory does not check validity of KerberosTicket. |
| JBEAP-23162 | Security | ELY-2304 - Wildfly Elytron Tool, location is required even for non-filebased type e.g. PKCS11 |
| JBEAP-21954 | Server | WFCORE-5416 Jgit incorrect reference in org.jboss.as.controller module |
| JBEAP-22907 | Server | WFCORE-5792 Configuration changes made to embedded server are not stored in expected location |
| JBEAP-23530 | Undertow | UNDERTOW-2079 - CPU spinning in AbstractFramedStreamSinkChannel |
| JBEAP-23537 | Undertow | UNDERTOW-2080 - Use currentTimeMillis instead of nanoTime to measure times in awaitWritable |
| JBEAP-21806 | Undertow | WFLY-13044: WFLYSEC0012 Error in web.xml with similar Patterns |
| JBEAP-23154 | Web Console | HAL-1767 - Active threads count missing in batch preview |
| JBEAP-12667 | Web Services | java.lang.RuntimeException: MQJCA1018: Only one session per connection is allowed |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.5-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.5-patch.zip"
These commands apply the update to the installation that contains the CLI script. Other scenarios, including use of the management console, are covered in the JBoss EAP 7.4 Patching And Upgrading Guide.
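The Unix procedure above, wrapped in a script that skips an installation already at the required level and verifies the outcome with the CLI's `patch info` command. This is an added example, not part of the release notes; the `version` field format in `patch info` output and the `7.4.5` version prefix reported after the update are assumptions, and `SAMPLE_PATCH_INFO` is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the release notes): apply the 7.4 Update 5 cumulative
# patch from JBOSS_HOME and confirm the result with "patch info".
# Assumed: "patch info" prints a "version" field that starts with 7.4.5 after the update.
set -eu

PATCH_ZIP="${1:-path/to/jboss-eap-7.4.5-patch.zip}"
REQUIRED_VERSION="7.4.5"

# Constructed sample of "patch info" output, used to exercise the parser offline.
SAMPLE_PATCH_INFO='{
    "version" : "7.4.5.GA",
    "cumulative-patch-id" : "jboss-eap-7.4.5.CP",
    "one-off-patches" : []
}'

# Read "patch info" output on stdin and print the value of its "version" field.
patch_info_version() {
    sed -n 's/.*"version" *[:=>]* *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed when dotted version $1 is at or above $2 (numeric compare per component;
# a non-numeric suffix such as ".GA" is ignored, an empty version never passes).
version_at_least() {
    cur=$(printf '%s' "$1" | sed 's/[^0-9.].*//; s/\.$//')
    req=$(printf '%s' "$2" | sed 's/[^0-9.].*//; s/\.$//')
    lowest=$(printf '%s\n%s\n' "$req" "$cur" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$req" ]
}

# Apply the update idempotently: skip if already at the required level, and fail
# loudly if the CLI still reports an older version afterwards.
apply_update() {
    cd "${JBOSS_HOME:?JBOSS_HOME must point at the installation to patch}"
    [ -f "$PATCH_ZIP" ] || { echo "patch file not found: $PATCH_ZIP" >&2; return 1; }
    before=$(bin/jboss-cli.sh "patch info" | patch_info_version)
    if version_at_least "$before" "$REQUIRED_VERSION"; then
        echo "already at $before, nothing to do"
        return 0
    fi
    bin/jboss-cli.sh "patch apply $PATCH_ZIP"
    after=$(bin/jboss-cli.sh "patch info" | patch_info_version)
    version_at_least "$after" "$REQUIRED_VERSION" ||
        { echo "update did not take effect (version reported: '$after')" >&2; return 1; }
    echo "updated $before -> $after"
}

# Touch a real installation only when invoked as a script named apply-eap-update.sh.
case "$0" in */apply-eap-update.sh|apply-eap-update.sh) apply_update ;; esac
```

Save it as apply-eap-update.sh, export JBOSS_HOME, and pass the patch zip path as the first argument; sourcing the file instead only defines the helper functions.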
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have an s390x build; see here for more details.
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 lets you build and deploy applications on OpenShift using the Helm package manager.
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing; see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- The Hibernate Search 5 APIs are deprecated in JBoss EAP 7.4 and will be changed in EAP 8 / Hibernate 6.
- The RHSSO Galleon Layer is deprecated in JBoss EAP 7.4; see more details.
- Support for JDK 17 in JBoss EAP 7.4 Update 5 and later is in technical preview; see the required configuration changes here.