Chapter 6. Resolved Issues

The Hot Rod Java client in JBoss Data Grid automatically deserialized byte array message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

This issue is resolved as of JBoss Data Grid 7.1.1.

When attempting to configure cross-site replication with multiple site masters, data inconsistencies are possible due to updates being routed differently for each request. This can result in the same key traversing two separate routes, leading to differing values.

This issue is resolved as of JBoss Data Grid 7.1.1.

When two caches were configured each with a different remote site, after clicking on a cache container, both remote sites were displayed on both cache cards.

This issue is resolved as of JBoss Data Grid 7.1.1.

Indexing is not a valid configuration for invalidation caches; however, it was possible to define this element using the Administration console. The indexing tab is not available for the invalidation-cache now.

This issue is resolved as of JBoss Data Grid 7.1.1.

Previously, when enabling security with JBoss Data Grid with an LDAP backend using common-role-name-mapper for authorization, the role name failed to extract when its attribute in the distinguished name was cn instead of CN.

This issue is resolved as of JBoss Data Grid 7.1.1.

Previously, in the Nodes table of the Administration Console, an average read time value was displayed under the following columns: Total reads, Total failed reads, Total writes, and Total failed writes. With this update, Total failed writes is removed and the correct data for Total reads, Total failed reads, and Total writes is displayed.

This issue is resolved as of JBoss Data Grid 7.1.1.

After navigating to the Nodes tab of a non-default cache, when going to the General Status tab a redirect to the General Status tab of the default cache occured, not the non-default cache, as expected.

This issue is resolved as of JBoss Data Grid 7.1.1.

The CDI Quickstart Guide demontrates injection of Infinispan caches into a web application using CDI. Previously, the guide instructed the reader to bundle the JBoss Data Grid EAP modules with the application. However, this is not the recommended way to setup CDI. The quickstart now specifies the JDG EAP modules be installed directly on the server.

This issue is resolved as of JBoss Data Grid 7.1.1.

When ASYNC caches were in use JBoss Data Grid could not handle out-of-order operations.

This issue is resolved as of JBoss Data Grid 7.1.1.

When using storeAsBinary if the stored value was a MarshalledValue and it didn’t match the passed in unmarshalled value, the conditional RemoveCommand would fail.

This issue is resolved as of JBoss Data Grid 7.1.1.

With text based content, writing via Hot Rod and reading via Rest worked, but not the other way around. Writing via Rest and reading via Hot Rod required deploying a modified StringMarshaller in the server.

This issue is resolved as of JBoss Data Grid 7.1.1.

Methods buildQueryBuilderForClass and getClusteredQuery were both listed as experimental in the API docs. This was corrected.

This issue is resolved as of JBoss Data Grid 7.1.1.

Previously, JBoss Data Grid did not allow a custom maxContentLength. With this update, a new attribute named max-content-length has been added that allows the maximum content length of a POST/PUT request to be specified.

This issue is resolved as of JBoss Data Grid 7.1.1.

The following warning messages were shown if an application with module dependencies was started:

WARN [org.jboss.as.weld] JBAS016017: Using deployment classloader to load proxy classes for module org.infinispan.jcache:jdg-7.1. Package-private access will not work. To fix this the module should declare dependencies on [org.jboss.weld.core, org.javassist]

WARN [org.jboss.as.weld] JBAS016017: Using deployment classloader to load proxy classes for module org.infinispan.cdi.embedded:jdg-7.1. Package-private access will not work. To fix this the module should declare dependencies on [org.jboss.weld.core, org.javassist]

This issue is resolved as of JBoss Data Grid 7.1.1.

Add licensing information for third party packages used by JBoss Data Grid. In jboss-datagrid-7.1.1-server.zip, there is a docs/licenses directory. Under that directory, the files jdg/licenses.html and jdg/licenses.xml document the licenses of third party packages used by JDG.

This issue is resolved as of JBoss Data Grid 7.1.1.

In the JBoss Data Grid sources zip archive, infinispan-logging.xml did not set the correct category for the rest logging handler. It was RestAccessLoggingHandler when it should have been org.infinispan.rest.logging.RestAccessLoggingHandler.

This issue is resolved as of JBoss Data Grid 7.1.1.

Previously, log4j was enabled by default. However, JBoss Data Grid supports multiple logging methods and is logging agnostic. As such, it is no longer enabled by default. It should be a manually provided dependency if needed.

This issue is resolved as of JBoss Data Grid 7.1.1.

Using a spatial query in library mode with a web application under high load could cause an exception.

This issue is resolved as of JBoss Data Grid 7.1.1.

JBoss Enterprise Application Platform 7.1.0 included jboss-logging 3.3.1, but JBoss Data Grid 7.1.0 includes jboss-logging 3.3.0. Update jboss-logging in JDG 7.1.1 to 3.3.1 to be compatible with EAP 7.1.0.

This issue is resolved as of JBoss Data Grid 7.1.1.

When configuring the Hot Rod server for SSL the validation code required a trust store to be enabled when one wasn’t actually needed.

This issue is resolved as of JBoss Data Grid 7.1.1.

In a query if the WHERE clause was empty, or a tautology (true), the query was wrongly executed unindexed even though the index should at least be used for filtering on type. Example queries that could cause this are below:

FROM org.infinispan.test.Person

// and:

qf.from(Person.class).build();

This issue is resolved as of JBoss Data Grid 7.1.1.

The following packages were missing from the API documentation:

In the Spark Quickstart README.md file there were references to ispn-cli.sh and ispn-cli.bat but the filesnames are actualy cli.sh and cli.bat. Additionally, the Spark version referenced was 1.6+ but the quickstart actually works with version 2.0.2+.

This issue is resolved as of JBoss Data Grid 7.1.1.

It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr’s Config API.

JBoss Data Grid included only the Lucene components relevant to this flaw, and was not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw was determined to be Moderate.

This issue is resolved as of JBoss Data Grid 7.1.1.