JBoss Enterprise Application Platform 7.4 Update 13 Release Notes
Updated
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.4 Update 12
Download This content is not included.JBoss Enterprise Application Platform 7.4 Update 13
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2023-26136 | Server | tough-cookie: prototype pollution in cookie memstore |
| CVE-2023-26464 | Server | log4j: log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging |
| CVE-2023-4061 | Server | wildfly-core: Management User RBAC permission allows unexpected reading of system-properties to an Unauthorized actor |
| CVE-2023-3171 | Server | eap-7: heap exhaustion via deserialization [details] |
| CVE-2023-34462 | Server | netty: io.netty:netty-handler: SniHandler 16MB allocation |
| CVE-2023-33201 | Security | bouncycastle: potential blind LDAP injection attack using a self-signed certificate |
| CVE-2022-25883 | Server | nodejs-semver: Regular expression denial of service |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| Content from issues.jboss.org is not included.JBEAP-24947 | A-MQ7 | This content is not included.ENTMQBR-8122 - Unhandled NullPointerException in JournalTransaction::forget |
| Content from issues.jboss.org is not included.JBEAP-25261 | ActiveMQ | NettyConnection.batchBufferSize() is broken after upgrading netty to 4.1.94.Final |
| Content from issues.jboss.org is not included.JBEAP-25318 | BOM | wildfly-jms-client-bom missing some netty dependencies |
| Content from issues.jboss.org is not included.JBEAP-23209 | Bean Validation | Improve error message for duplicate EE components |
| Content from issues.jboss.org is not included.JBEAP-25131 | CLI | This content is not included.WFCORE-6424 - Generic command argument value issue with List containing Object |
| Content from issues.jboss.org is not included.JBEAP-25196 | Hibernate | Content from hibernate.atlassian.net is not included.HHH-16586 - When merging a persisted entity with a null Version, Hibernate treats entity as transient instead of throwing an Exception |
| Content from issues.jboss.org is not included.JBEAP-24501 | JCA | This content is not included.JBJCA-1467 - Possible data inconsistency when CMR fails at Commit phase |
| Content from issues.jboss.org is not included.JBEAP-25148 | JCA | This content is not included.JBJCA-1471 - Prefill pool after returned connection has been destroyed |
| Content from issues.jboss.org is not included.JBEAP-25270 | Logging | This content is not included.MODULES-439 - Create a delegating LoggerFinder |
| Content from issues.jboss.org is not included.JBEAP-25349 | Management | This content is not included.WFCORE-6434 - Managed servers could ignore restart/reload required operations when HC reconnects to the domain |
| Content from issues.jboss.org is not included.JBEAP-24931 | Management | Sync model operations fail when a HC with stopped managed servers is registered back in the domain |
| Content from issues.jboss.org is not included.JBEAP-24811 | OpenShift | Improve message for CLI_GRACEFUL_SHUTDOWN at container startup [details] |
| Content from issues.jboss.org is not included.JBEAP-25203 | REST | This content is not included.RESTEASY-3322 - ClassCastException: org.jboss.resteasy.core.registry.ConstantResourceInvoker cannot be cast to org.jboss.resteasy.core.ResourceMethodInvoker |
| Content from issues.jboss.org is not included.JBEAP-24949 | REST | This content is not included.RESTEASY-3341 - The RESTEasy multipart provider changed the default entity response from binary to base64 |
| Content from issues.jboss.org is not included.JBEAP-25317 | Server | This content is not included.WFCORE-6442 - ModuleSpecification discards dependency information |
| Content from issues.jboss.org is not included.JBEAP-24362 | Undertow | web session invalidation outside of a request gets IllegalStateException [details] |
| Content from issues.jboss.org is not included.JBEAP-25037 | Undertow | This content is not included.UNDERTOW-2285 - Request parameters lost via jsp:include chain |
| Content from issues.jboss.org is not included.JBEAP-24358 | Undertow | This content is not included.UNDERTOW-2228 - Undertow write-timeout can cause a truncate response for request coming through keep-alive connection |
| Content from issues.jboss.org is not included.JBEAP-24842 | Undertow | This content is not included.UNDERTOW-2228 - Undertow write-timeout can cause a closing TCP connection without response for long-running remote EJB request [details] |
| Content from issues.jboss.org is not included.JBEAP-24861 | Undertow | This content is not included.UNDERTOW-2275 Undertow read-timeout can close connection unexpectedly before returning response for POST request larger than the default buffer size |
| Content from issues.jboss.org is not included.JBEAP-4217 | Undertow | This content is not included.WFLY-12019 - Cannot remove a undertow server resource at one time |
| Content from issues.jboss.org is not included.JBEAP-25369 | Web Services | ClassNotFoundException com.sun.security.jgss.InquireType |
| Content from issues.jboss.org is not included.JBEAP-23679 | mod_cluster | This content is not included.MODCLUSTER-754 - Modcluster: Contexts not registered on proxy when server started in suspend mode |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.4.13-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.4.13-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.4 Patching And Upgrading Guide
Notes
- JBoss EAP 7.4 Update 13+ contains some bug fixes that did not make it into EAP 8.0 GA, it is recommended you wait for EAP 8.0 Update 1 before upgrading to EAP 8.0
- Red Hat Insights is available for JBoss EAP 7.4 Update 11+, see more details
- Helm Chart for EAP 7.4 Updates
- The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have a s390x build, see here for more details
- The Helm Chart for JBoss EAP 7.4 / JBoss EAP XP 3 allows to build and deploy applications on OpenShift using Helm package manager
- The IBM WebSphere MQ broker was updated to 9.2 for integration testing, see the Red Hat JBoss Enterprise Application Platform (EAP) 7 Tested Integrations for more details.
- Hibernate Search 5 APIs Deprecated in JBoss EAP 7.4 that will be changed in EAP 8 / Hibernate 6
- The RHSSO Galleon Layer is deprecated in JBoss EAP 7.4, see more details.
- JBoss EAP 7.4 Update 8+ now supports OpenJDK 17 / Oracle JDK 17, see configuration changes needed here.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 7
- jndi-name has been required for admin-object definitions as per the schema, the server will require it to be specified or will result in an error, see more details here
Category
Components
Article Type