JBoss Enterprise Application Platform 7.4 Update 9 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 08.
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2018-14041 | Server | bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy |
| CVE-2019-8331 | Server | bootstrap: XSS in the tooltip or popover data-template attribute |
| CVE-2022-42004 | Server | jackson-databind: use of deeply nested arrays |
| CVE-2018-14040 | Server | bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute |
| CVE-2018-14042 | Server | bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip |
| CVE-2022-42003 | Server | jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS |
| CVE-2016-10735 | Server | bootstrap: XSS in the data-target attribute |
| CVE-2022-3143 | Security | wildfly-elytron: possible timing attacks via use of unsafe comparator |
| CVE-2022-40149 | REST | jettison: parser crash by stackoverflow |
| CVE-2019-11358 | Server | jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection |
| CVE-2020-11023 | Server | jquery: Untrusted code execution via |
| CVE-2020-11022 | Server | jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method |
| CVE-2015-9251 | Server | jquery: Cross-site scripting via cross-domain ajax requests |
| CVE-2017-18214 | Server | nodejs-moment: Regular expression denial of service |
| CVE-2022-45693 | Server | jettison: if a value in a map is the map itself, new JSONObject(map) causes a StackOverflowError, which may lead to DoS |
| CVE-2022-45047 | Management | sshd-common: mina-sshd: Java unsafe deserialization vulnerability |
| CVE-2022-40150 | REST | jettison: memory exhaustion via user-supplied XML or JSON data |
| CVE-2022-46363 | Server | CXF: Apache CXF: directory listing / code exfiltration |
| CVE-2022-40152 | Application Client | woodstox-core: use of woodstox to serialise XML data was vulnerable to Denial of Service attacks |
| CVE-2022-46364 | Web Services | CXF: Apache CXF: SSRF Vulnerability |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-24379 | CLI | Patch rollback fails with NoSuchMethodError on JDK 8 |
| JBEAP-23936 | Clustering | WFLY-17106 - jboss-web.xml replication-config causes failure in non-clustered EAP 7.4 configurations |
| JBEAP-24228 | EJB | Add a global EJB client interceptor for EJB deployments that will runAs the current security identity to activate any outflow identities |
| JBEAP-24148 | EJB | EJBCLIENT-458 - ConfigurationBasedEJBClientContextSelector should not throw an Error if JBoss Modules is not on the classpath |
| JBEAP-24118 | Hibernate | HSEARCH-4107 - Session cast fails when creating a FullTextSession with Spring 2.4.0 |
| JBEAP-24074 | JCA | JBJCA-1429 - Connection leak following transaction timeout during XAResource enlistment |
| JBEAP-24391 | JCA | XAManagedConnectionFactory screws up Datasource urls containing ; |
| JBEAP-24064 | JMS | WFLY-17112 - Can't load a custom load balancing policy on a pooled connection factory |
| JBEAP-13722 | JPA/Hibernate | WFLY-9516 - JPA deployer adding cross sub deployment dependencies when multiple persistence units deployed |
| JBEAP-23885 | JSF | JSF Full State Saving ArrayIndexOutOfBoundsException #4936 |
| JBEAP-24134 | Management | WFCORE-6100 - -D[Server:XXX] JVM parameter is out of order |
| JBEAP-23775 | OpenShift | Logger categories not written to standalone-openshift.xml |
| JBEAP-24190 | Remoting | REM3-393 - Endpoint parsing: add support for max-inbound-channels and max-outbound-channels |
| JBEAP-23501 | Remoting | WFLY-14961 - max-outbound-channels setting in remoting subsystem is not honored |
| JBEAP-23971 | Security | ELYWEB-155 - Don't override the deployment's authentication mechanisms when overrideDeploymentConfig is false and the loginConfig is null |
| JBEAP-24180 | Security | WFCORE - Security domain cache can be created with type default when using a JAAS realm for remoting |
| JBEAP-24199 | Security | WFLY-17316 - SecurityContext callerPrincipal not set with Asynchronous tagged EJB |
| JBEAP-24221 | Security | ELY-2117 - SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026 |
| JBEAP-24127 | Undertow | UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value |
| JBEAP-23259 | Undertow | UNDERTOW-2031 - protocol error with HTTP/2 and Expect: 100-continue |
| JBEAP-24141 | Undertow | UNDERTOW-2081 - RejectedExecutionException occurs during shutdown if an open websocket session exists |
| JBEAP-24093 | Undertow | UNDERTOW-2186 - Application sub directories named WEB-INF or META-INF are no longer served |
| JBEAP-15303 | Undertow | WFLY-10912 - CodecSessionConfig#findSessionId() causes an incorrect JSESSIONID Set-Cookie header |
| JBEAP-24106 | Security | ELY-2468 - Security context propagation across deployments when using the RH-SSO OIDC adapter with EAP 7.4 |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```shell
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.9-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```shell
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.9-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios, and use of the management console, are covered in the JBoss EAP 7.4 Patching and Upgrading Guide.
Notes
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare-metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have an s390x build; see here for more details.
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows you to build and deploy applications on OpenShift using the Helm package manager.
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing; see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs deprecated in JBoss EAP 7.4 will be changed in EAP 8 / Hibernate 6.
- The RHSSO Galleon Layer is deprecated in JBoss EAP 7.4; see more details.
- JBoss EAP 7.4 Update 7+ now supports OpenJDK 17, and Update 8+ supports Oracle JDK 17; see the configuration changes needed here.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 7
- jndi-name is now required for admin-object definitions, as per the schema; the server requires it to be specified and reports an error otherwise. See more details here.