Red Hat JBoss Web Server 5.3 Release Notes
For Use with the Red Hat JBoss Web Server 5.3
Abstract
Chapter 1. Red Hat JBoss Web Server 5.3
Welcome to the Red Hat JBoss Web Server version 5.3 release.
As a result of a security vulnerability (CVE-2020-1938), changes were made to the AJP connector. By default, the AJP connector is not enabled. If you need to use the AJP connector with your build, ensure that you set the secret attribute and the bind address for your server.
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It consists of a web server (Apache HTTP Server), an application server (Apache Tomcat Servlet container), load balancers (mod_jk and mod_cluster), and the Tomcat Native Library. A short description of key components is given below:
- Apache Tomcat: a servlet container in accordance with the Java Servlet Specification. JBoss Web Server contains Apache Tomcat 9.
- Apache Tomcat Native Library: a Tomcat library, which improves Tomcat scalability, performance, and integration with native server technologies.
- tomcat-vault: an extension for the JBoss Web Server used for securely storing passwords and other sensitive information used by a JBoss Web Server.
- mod_cluster library: a library that allows communication between Apache Tomcat and the Apache HTTP Server’s mod_proxy_cluster module. This allows the Apache HTTP Server to be used as a load balancer for JBoss Web Server. For information on the configuration of mod_cluster, or for information on the installation and configuration of the alternative load balancers mod_jk and mod_proxy, see the HTTP Connectors and Load Balancing Guide.
- Apache Portable Runtime (APR): A runtime which provides superior scalability, performance, and improved integration with native server technologies. APR is a highly portable library that is at the heart of Apache HTTP Server 2.x. It enables access to advanced IO functionality (for example: sendfile, epoll and OpenSSL), operating system level functionality (for example: random number generation and system status), and native process handling (shared memory, NT pipes and Unix sockets).
- OpenSSL: A software library which implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a basic cryptographic library.
This release of JBoss Web Server covers several quality-of-life updates, some key components rebased to newer versions, and a few major security updates. Tomcat, tomcat-native, and Apache CXF were all rebased to newer versions.
One major change of note is the addition of the catalina-ssi.jar file. Previously, these classes were included as part of catalina.jar and tomcat-embed-core.jar. These changes do not impact unaltered Red Hat JBoss Web Server configurations. However, it is recommended that you check any dependencies your system has on these files after updating to JBoss Web Server 5.3. The catalina-ssi.jar file contains code used by the SsiInvoker and affects the following SSI commands:
- SsiConfig
- SsiEcho
- SsiExec
- SsiFlastMod
- SsiFsize
- SsiInclude
Chapter 2. Installing the Red Hat JBoss Web Server 5.3
The JBoss Web Server 5.3 can be installed using one of the following sections of the installation guide:
Chapter 3. OS/JVM Certifications
Operating System | Chipset Architecture | Java Virtual Machine |
---|---|---|
Red Hat Enterprise Linux 8 | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 11 |
Red Hat Enterprise Linux 7 | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11, IBM JDK 1.8.x |
Red Hat Enterprise Linux 6 | x86_64, x86 | Red Hat OpenJDK 1.8.x, Oracle JDK 1.8.x, Oracle JDK 11 (x86_64 only), IBM JDK 1.8.x |
Microsoft Windows 2016 Server | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11 |
Microsoft Windows 2012 Server R2 | x86_64 | Red Hat OpenJDK 1.8.x, Red Hat OpenJDK 11, Oracle JDK 1.8.x, Oracle JDK 11 |
Chapter 4. Security Fixes
This update includes fixes for the following security related issues:
| ID | Impact | Summary |
|---|---|---|
| | Moderate | tomcat: local privilege escalation |
| | Low | tomcat: session fixation when using FORM authentication |
| | Low | tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling |
| | Low | tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling |
| | Moderate | openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) |
Chapter 5. Resolved issues
Issue | Description |
---|---|
JWS-1055 | Improve description of Tomcat Natives in the install guide |
JWS-1056 | [Docs] add that JWS_HOME is /opt/rh/jws5/root/usr/share for RPM distribution |
JWS-1113 | Provide brief overview of the difference between Apache Tomcat on RHEL and JWS |
JWS-1306 | Windows and Linux: Intermittent SIGSEGV in Java_org_apache_tomcat_jni_SSLSocket_handshake with HTTP/2 |
JWS-1311 | Websocket: autobahn test suite reports issues with echoBasicEndpoint |
JWS-1419 | java-headless requirement forces OpenJDK install |
JWS-1438 | Document additional set to configure the SSI filter |
JWS-1450 | Review tomcat-librarypath.patch logic |
JWS-1459 | Tomcat Embedded with Apache CXF is not Java 11 ready |
JWS-1463 | [ASF BZ 63356] OCSP_parse_url error while parsing Authority Information Access extension |
JWS-1465 | Rebase tomcat-native to 1.2.23 |
JWS-1468 | Rebase tomcat to version 9.0.30 |
JWS-1470 | Rebase Apache CXF to version 3.3.2.redhat |
JWS-1478 | rpm install/update overwrites context.xml for host-manager and manager applications |
JWS-1499 | Update to the latest released JBCS version |
JWS-1579 | Add missing rpm changelog entries for CVEs |
JWS-1592 | Missing jar file in maven repository |
JWS-1593 | Tomcat throws exception when starting |
JWS-1594 | Tomcat is undiscoverable to my proxy after updating |
JWS-1598 | Storing configuration fails with java.lang.NoSuchMethodException |
Chapter 6. Known issues
There are no known issues for this release.
Chapter 7. Components included in Red Hat JBoss Web Server 5.3
Component | Version |
---|---|
Apache CXF | 3.3.2 |
Apache Tomcat 9 | 9.0.30 |
ECJ | 4.12.0 |
Hibernate | 5.3.10 |
JBoss logging | 3.3.2 |
libapr | 1.6.3 |
mod_cluster | 1.4.1.Final |
OpenSSL | 1.1.1c |
Tomcat-Native | 1.2.23 |
Tomcat-Vault | 1.1.8.Final |