JBoss Enterprise Application Platform 8.0 Update 8 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 8 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
This update includes all fixes and changes from JBoss Enterprise Application Platform 8.0 Update 7.
Download: JBoss Enterprise Application Platform 8.0 Update 8
This update includes fixes for the following security related issues:
| ID | Component | Impact | Summary |
|---|---|---|---|
| CVE-2025-2251 | EJB | Major | wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution |
| CVE-2025-23184 | Server | Major | org.apache.cxf/cxf-core: Apache CXF: Denial of Service vulnerability with temporary files |
| CVE-2025-27611 | Server | Major | org.jboss.hal-hal-parent: base-x homograph attack allows Unicode lookalike characters to bypass validation. |
| CVE-2025-48734 | Server | Major | commons-beanutils-commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default |
| CVE-2025-2901 | Server | Major | org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-29239 | ActiveMQ | ENTMQBR-9460 / ARTEMIS-5085 - retryIntervalMultiplier Parameter Not Applied as Expected in Artemis AMQ Reconnect Attempts |
| JBEAP-29736 | BOM | Jboss-eap-ee-with-tools BOM may have a transitive dependency inconsistent with manifest |
| JBEAP-28831 | CLI | CLI display of transaction heuristics is imprecise |
| JBEAP-29491 | EJB | WFLY-20432 - EJB: String[] method parameter in ejb-jar.xml interceptor-binding is failing to deploy |
| JBEAP-29898 | EJB | WFLY-20557 - Application deployment with container-interceptors fails with 'IllegalArgumentException: WFLYEE0079: Can't add ..., priority 0x249 is already taken by ...' |
| JBEAP-29617 | Hibernate | HHH-19246 - Fetch join makes partially covered EntityGraph ineffective |
| JBEAP-29309 | Migration | CMTOOL-388 - Unrecognized option: -Djboss.server.migration.domain.skip=true while running jboss-server-migration |
| JBEAP-30129 | OpenShift | org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-saml-wildfly-elytron-adapter |
| JBEAP-30056 | Packaging and Installing | [installation-manager] Prospero copied something during negative scenarios on Windows |
| JBEAP-29582 | Scripts | Duplicated jboss.server.base.dir when server is launched from initd scripts |
| JBEAP-30011 | Security | ELY-2893 - No SocketConfig is set for Connection Manager in HttpClientBuilder which can cause indefinite hangs |
| JBEAP-29984 | Security | ELY-2903 - Fix for CVE-2024-12369 (ELY-2887) breaks OIDC usage with refresh tokens |
| JBEAP-30001 | Security | ELY-2753 - Add connection-timeout-millis, connection-ttl-millis and socket-timeout-millis to OidcJsonConfiguration to allow oidc.json configuration to parse these attributes |
| JBEAP-29571 | Security | WFLY-20433 - Unescaped characters throw a NPE although allowed in settings |
| JBEAP-29893 | Undertow | ListenerService closes port after unregistering listener |
| JBEAP-29895 | Undertow | WFLY-20545 - Undertow.Server.lookupSecurePort can throw NPE |
| JBEAP-29902 | Web Console | HAL-2007 - Fix utilization bar |
| JBEAP-28985 | Web Services | JBWS-4438 - Authentication always failed when the webservice security is configured with a custom realm |
| JBEAP-28791 | Web Services | JBWS-4444 - Server throws IllegalStateException when calling getHeaders/handleFault/close in soap handler with the CDI bean invocation |
| JBEAP-30105 | Web Services | JBWS-4445 - Implement ports cache for service instances |
Installation
Archive / zip / installer based installations
Note: This update zip should only be applied to installer or zip-based installations.
See the documentation: JBoss EAP 8.0 update methods
RPM installations
See the documentation: Updating an RPM installation
OpenShift Container installations
Update the containers to use the latest tag, to be current on OpenJDK and RHEL fixes.
Notes
- JBoss EAP 8.0 Update 4+ now supports OpenJDK 21 / Oracle JDK 21 / Adoptium JDK 21, see Supported Configurations.
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have an s390x build, see here for more details.
- Red Hat Insights is available for JBoss EAP 8 and accessible on the Red Hat Hybrid Cloud Console, see more details.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 8