Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Red Hat JBoss Web Server 3.1 Service Pack 8 Release Notes

Red Hat JBoss Web Server 3.1

For Use with the Red Hat JBoss Web Server 3.1

Red Hat Customer Content Services

Abstract

These release notes contain important information related to the Red Hat JBoss Web Server 3.1 Service Pack 8.

Welcome to the Red Hat JBoss Web Server version 3.1 Service Pack 8 release.

The primary focus of this release is to provide security updates to Red Hat JBoss Web Server version 3.1.

Warning

As a result of a security vulnerability (CVE-2020-1938), it is recommended that one disable the AJP Connector, if unusued. Otherwise it is recommended to protect the AJP Connector. For full information and steps, see:https://access.redhat.com/solutions/4851251

When using AJP, it is important to ensure it is not exposed to the internet and that it is bound to the proper IP address.

The JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It consists of:

  • Apache Tomcat: a servlet container in accordance with the Java Servlet Specification. JBoss Web Server contains Apache Tomcat 7 and Apache Tomcat 8.
  • The Apache Tomcat Native Library: a Tomcat library, which improves Tomcat scalability, performance, and integration with native server technologies.
  • The tomcat-vault extension: an extension for the JBoss Web Server used for securely storing passwords and other sensitive information used by a JBoss Web Server.
  • The mod_cluster library: a library that allows communication between Apache Tomcat and the Apache HTTP Server’s mod_proxy_cluster module. This allows the Apache HTTP Server to be used as a load balancer for JBoss Web Server.

Service packs for Red Hat JBoss Web Server are produced when a set of critical bug fixes and/or security patches are required before a new full release.

These service pack releases reduce the number of individual patches that we produce and enable customers to keep up to date.

This update includes all fixes and changes from Red Hat JBoss Web Server 3.1 Service Pack 7.

Note

From Red Hat JBoss Web Server 3.1 Service Pack 2, all the configuration files that were changed in the patch are appended by the suffix .zipnew to avoid overwriting existing configuration files.

If the new or changed properties or configuration options are applicable to you, you will need to manually add or define them in their respective property or configuration file.

The JBoss Web Server 3.1 can be installed using one of the following sections of the installation guide:

To install this service pack:

  1. Download the Red Hat JBoss Web Server 3.1 Service Pack 8 file (.zip format) appropriate to your platform using the download link here (subscription required).
  2. Extract the .zip file to the Red Hat JBoss Web Server installation directory.

For Red Hat Enterprise Linux users who have installed Red Hat JBoss Web Server from RPM packages, can upgrade to the latest service pack using yum: 

# yum upgrade
Copy to Clipboard Toggle word wrap

Chapter 4. OS/JVM Certifications
Copy link

This update includes no additional certifications.

Chapter 5. Security Fixes
Copy link

This update includes fixes for the following security related issues:

Expand
IDImpactSummary

CVE-2018-0495

Moderate

ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

CVE-2018-0732

Moderate

openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang

CVE-2018-0734

Low

openssl: timing side channel attack in the DSA signature algorithm

CVE-2018-0737

Low

openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys

CVE-2019-0221

Low

tomcat: XSS in SSI printenv

CVE-2019-1559

Moderate

openssl: 0-byte record padding oracle

CVE-2019-12418

Moderate

tomcat: local privilege escalation

CVE-2019-17563

Low

tomcat: session fixation when using FORM authentication

CVE-2020-1938

Important

Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability (CNVD-2020-10487)

Chapter 6. Resolved issues
Copy link

The following issues are resolved in the current service pack:

Expand
IssueDescription

JWS-1527

Use latest JBCS and tomcat-native

JWS-1578

Add rpm changelog entry for CVE-2018-1336

Chapter 7. Known issues
Copy link

The following issues are known in the current service pack release:

Expand
IssueDescription

JWS-1583

Update all of the StringManager references back to the original class reference and add the call to getPackage().getName() so that the inits are able to find LocalStrings.properties in the correct packages

Bugzilla Bug-1455483

RFE: Add support for characters "<" and ">" to the possible whitelist values

Chapter 8. Upgraded components
Copy link

The following components were upgraded in the Red Hat JBoss Web Server 3.1 Service Pack 8 Release:

Expand
ComponentVersion

OpenSSL

1.1.1c

Tomcat-native

1.2.23

Legal Notice
Copy link

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat