JBoss Enterprise Application Platform 7.4 Update 10 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 09.
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2023-1108 | Undertow | UNDERTOW-2239 - Infinite loop in SslConduit during close on JDK 11 |
| CVE-2022-41881 | Server | codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS |
| CVE-2022-45787 | Server | apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider |
| CVE-2022-41854 | Management | dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow |
| CVE-2022-1471 | Server | RESTEASY-3260 - CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution |
| CVE-2022-41853 | Server | hsqldb: Untrusted input may lead to RCE attack |
| CVE-2022-4492 | Undertow | undertow: Server identity in https connection is not checked by the undertow client |
| CVE-2023-0482 | Server | RESTEasy: creation of insecure temp files |
| CVE-2022-38752 | Management | snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-24604 | ActiveMQ | Artemis natives no longer being loaded |
| JBEAP-24405 | Clustering | ISPN-13229 - Memory leak if iteration is used with the internal Infinispan cache API |
| JBEAP-24441 | Clustering | WFLY-17149 - Failures due to invalid lambda deserialization should invalidate session |
| JBEAP-24073 | EE | JBEE-258 - FactoryFinderCache does not properly handle comments in service |
| JBEAP-24401 | EJB | java.lang.IllegalArgumentException: No marshaller registered for Java type org.jboss.ejb.client.UUIDSessionID in EAP 7.4 |
| JBEAP-24450 | EJB | StrictMaxPoolDerivedSizeReadHandler incorrectly requires exclusive lock and higher level RBAC perms |
| JBEAP-24376 | EJB | EJBCLIENT-485 - Set default value for discovery.additional-node-timeout |
| JBEAP-24157 | EJB | WEJBHTTP-74 - The http ejb client should use the server's hostname for the TLS SNI extension during handshake |
| JBEAP-23904 | EJB | WFLY-16796 - LocalEjbReceiver response contains ContextData that has been removed on the server side |
| JBEAP-24371 | JMS | Messaging - Transaction remained in prepared state after failover |
| JBEAP-24522 | JMS | AMQ172015: Can not connect to XARecoveryConfig |
| JBEAP-24346 | Management | WFCORE-6169 - Disable YAML deserialization in the YAML Configuration Extension |
| JBEAP-24410 | Modules | WFCORE-6188 - Eliminate useless locking in ServiceModuleLoader |
| JBEAP-24443 | Modules | WFCORE-6199 - JBoss allows duplicate user and local dependencies |
| JBEAP-24496 | Modules | WFCORE-6211 - Remove ModuleIdentifier from ServiceModuleLoader.preloadModule |
| JBEAP-24194 | REST | RESTEASY-3256 - CDI managed beans do not inject @Context injection targets |
| JBEAP-24613 | RPM | RHEL7/8 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9 |
| JBEAP-24499 | RPM | EAP 7.4 rpm should Obsoletes: eap7-netty-all-4.1.77-3.Final_redhat_00001.1.el8eap.noarch |
| JBEAP-24583 | Scripts | Fix enable-elytron-se17.cli script |
| JBEAP-24254 | Scripts | JDK17, CLI script to update security doesn't apply to microprofile |
| JBEAP-23416 | Security | JBWS-4251 - Add UsernameToken profile integration with Elytron |
| JBEAP-23415 | Security | WFLY-15598 - No migration path from wildfly-24's picketbox UsersRolesLoginModule to wildfly-25 elytron |
| JBEAP-24266 | Security | jbossws-cxf-5.4.x elytron/picketbox support |
| JBEAP-24367 | Security | Getting java.util.ConcurrentModificationException while deploying the application |
| JBEAP-23166 | Security | UNDERTOW-2211 |
| JBEAP-24168 | Security | No security domain associated error when using WS-Security username authentication |
| JBEAP-23682 | Server | Adapt S3Discovery option for EAP 7.4 and EAP 8.x mixed domains |
| JBEAP-24498 | Server | deny-uncovered-http-methods truncates parsing of web.xml file |
| JBEAP-24375 | Undertow | UNDERTOW-2214 - Jastow compilation error when mixing EL and scriptlet expressions after UNDERTOW-1319 |
| JBEAP-24415 | Undertow | UNDERTOW-2221 - Undertow can add unwanted semicolon to path parameter when client http request packets are separated in the middle of path parameter |
| JBEAP-24421 | Undertow | UNDERTOW-2222 - Jastow should use UTF-8 for default URI encoding like Undertow |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.10-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.10-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios, and use of the management console, are covered in the JBoss EAP 7.4 Patching and Upgrading Guide.
Notes
- Red Hat Insights is available for JBoss EAP 7.4 Update 11+, see more details
- Helm Chart for EAP 7.4 Updates
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have a s390x build, see here for more details
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows building and deploying applications on OpenShift using the Helm package manager.
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs Deprecated in JBoss EAP 7.4 that will be changed in EAP 8 / Hibernate 6
- The RHSSO Galleon Layer is deprecated in JBoss EAP 7.4, see more details.
- JBoss EAP 7.4 Update 8+ now supports OpenJDK 17 / Oracle JDK 17, see configuration changes needed here.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 7
- jndi-name is required for admin-object definitions, as per the schema; the server now requires it to be specified and reports an error when it is missing, see more details here.