JBoss EAP XP 4 Maintenance Schedule
Note: Updates are cumulative. It is always recommended to apply the latest update, which contains the latest fixes as well as all previous bug and CVE fixes.
EAP XP 4.0 Update 2 Details
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2023-26049 | Server | jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies [eapxp-4] |
| CVE-2023-26048 | Server | jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() [eapxp-4] |
| CVE-2023-3635 | Server | okio: GzipSource class improper exception handling [eapxp-4] |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-24592 | MP Reactive Messaging | EAP XP lacks support for LZ4 compression, which is needed by Kafka clients |
EAP XP 4.0 Update 1 Details
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2022-1278 | Server | wildfly: possible information disclosure |
| CVE-2022-3510 | Server | protobuf-java: Message-Type Extensions parsing issue leads to DoS |
| CVE-2021-0341 | MP OpenTracing | okhttp: information disclosure via improperly used cryptographic function |
| CVE-2022-3509 | Server | protobuf-java: Textformat parsing issue leads to DoS |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-18847 | MP JWT | When "corrupted" public key is supplied to server, user is not informed |
| JBEAP-23505 | MP OpenTracing | Tracer Instance Leak in WildFlyClientTracingRegistrarProvider |
| JBEAP-25109 | Patching | XP manager masks patch failure |
| JBEAP-25009 | Security | WFLY-15485 - OIDC client adapter doesn't work correctly with Bearer-only |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```shell
bin/jboss-cli.sh "patch apply path/to/jboss-eap-4.0.z-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```shell
bin\jboss-cli.bat "patch apply path\to\jboss-eap-4.0.z-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 4.0 Patching And Upgrading Guide.
Deprecated
Deprecated in Red Hat JBoss Enterprise Application Platform expansion pack (EAP XP) 4