Bug 1214695 - Roll up patch FSW_6.0_2_2015
Summary: Roll up patch FSW_6.0_2_2015
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: unspecified
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: tcunning
QA Contact: ppecka
URL:
Whiteboard:
Depends On: 1214550 1215572 1223867 1235185 1240345 1241859 1242374 1245719 1247347 1252416 1253398 1256733 1266864 1281505
Blocks:
Reported: 2015-04-23 12:02 UTC by Rick Wagner
Modified: 2019-07-11 09:01 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
PATCH NAME: BZ-1214695
PRODUCT NAME: JBoss Fuse Service Works 6
VERSION: 6.0.0
SHORT DESCRIPTION: Roll up patch FSW_6.0_2_2015
LONG DESCRIPTION: This is a roll-up patch for FSW 6.0.0.

This patch includes the following fixes:
[BZ-1214550] (6.0.x) HTTP headers are not available with SwitchYard SOAP binding
[BZ-1215572] (6.0.x) Injected Context becomes invalid after Service Reference is invoked
[BZ-1223867] FSW6 rollup patches 3 and 4 cause Ambiguous WELD dependencies
[BZ-1235185] Missing support for X509Certificate from the transport layer
[BZ-1240345] change security-domain to != "other" not working
[BZ-1240383] SOAP response version mismatch at SOAP gateway binding
[BZ-1241859] "NoSuchBeanException: No bean could be found in the registry for: ..." when deploying multiple SwitchYard applications with Camel services
[BZ-1242374] @Inject UserTransaction doesn't work in the SwitchYard test case
[BZ-1245719] Fix RTGov so it starts when Roll up patch is applied on top of previous Roll up patch
[BZ-1247347] Allow new Security use cases
[BZ-1252416] (6.0.x) New deployment of another SwitchYard application disables ExchangeInterceptors
[BZ-1253398] ClusteredInvoker should reuse HttpInvokers (performance)
[BZ-1266864] (6.0.x) cxf.xml works in community, not in product (SwitchYard)

and includes the following fixes from Roll up patch FSW_6.0_1_2015:
[BZ-1150752] CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates [fsw-6.0.x]
[BZ-1150774] CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions [fsw-6.0.x]
[BZ-1174871] [GSS] (6.1.3 patch) SECURITY-871, WFLY-1904 - Vault fixes for system properties and LDAP integration
[BZ-1191864] (6.0.x) WSS UsernameToken fails to propagate at SOAP reference binding with WSS Policy
[BZ-1197881] Roll up 3 has broken FSW. Only the most recent REST application will function correctly.
[BZ-1202701] (6.0.x) Unexpected behavior in fault handling with doTry/doCatch in Camel service
[BZ-1203814] XmlValidator converts String contents to platform default encoding, causes data corruption / SWITCHYARD-2000

and includes the following fixes from Roll up patch FSW_6.0_4_2014:
[BZ-1017768] Throttling timePeriod configuration in switchyard.xml not used at runtime
[BZ-1092783] CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
[BZ-1088342] CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
[BZ-1102030] CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
[BZ-1072776] CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
[BZ-1102038] CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
[BZ-1109196] CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
[BZ-1112987] CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
[BZ-1103815] CVE-2014-3472 JBoss AS Security: Invalid EJB caller role check implementation
[BZ-1120495] CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper
[BZ-1107901] CVE-2014-3490 RESTEasy: XXE via parameter entities
[BZ-1105242] CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
[BZ-1128720] DTGov: Artifact undeployment not using classifier/type info
[BZ-1129074] CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
[BZ-1129916] CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
[BZ-1141960] Please fix 'org.postgresql.util.PSQLException: Large Objects may not be used in auto-commit mode.' bug in DTGov/Postgres
[BZ-1145207] s-ramp-demos-switchyard-multiapp is not properly deployed, rework
[BZ-1145976] BPM/Rules properties are not set in org.kie.api.runtime.Environment
[BZ-1152670] Multiple BPEL jars deployed in an .ear result in monitor contention
[BZ-1019176] CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
[BZ-1164809] Unexpected behavior of 'Fail' button
[BZ-1131882] CVE-2014-3578 Spring Framework: Directory traversal
[BZ-1165936] CVE-2014-3625 Spring Framework: directory traversal flaw
[BZ-1065139] CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
[BZ-1049736] CVE-2014-0005 PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
[BZ-1167422] Please implement mechanisms to compensate for partner link exceptions [BZ-878082]
[BZ-1170277] Upgrade Camel version to Fuse build 60065
[BZ-1182877] Camel OutboundHandler doesn't apply MessageComposer to out message

and includes the following fixes from roll up patch FSW_6.0_3_2014:
[BZ-958618] CVE-2013-2035 jansi: HawtJNI: predictable temporary file name leading to local arbitrary code execution [fsw-6]
[BZ-1043332] CVE-2013-6440 xmltooling: XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter [fsw-6]
[BZ-1052783] CVE-2014-0018 jboss-as-server: Unchecked access to MSC Service Registry under JSM [fsw-6]
[BZ-1070046] CVE-2014-0093 eap: JBoss EAP 6: JSM policy not respected by deployed applications [fsw-6]
[BZ-1063641] CVE-2014-0058 eap: Red Hat JBoss EAP6: Plain text password logging during security audit [fsw-6]
[BZ-1080248] CVE-2014-0107 xalan-j2: Xalan-Java: insufficient constraints in secure processing feature (oCERT-2014-002) [fsw-6]
[BZ-1120380] Please include EAP 6.1.2 in the next FSW Roll up patch.
[BZ-1131156] Please fix SOAP fault handling in FSW 6.0
[BZ-1138135] CVE-2014-3574 CVE-2014-3529 apache-poi: various flaws [fsw-6.0.x]
[BZ-1138738] Please apply Context Class Loader fix to SCA Invoker
[BZ-1142876] Timeout occurs when setting handled(true) in Camel route's onException()
[BZ-1144127] Please fix NPE while serializing SOAPFaultInfo#role property
[BZ-1144148] Runtime access to config model in SCA binding
[BZ-1146205] Context properties from RemoteMessage not passed to service
[BZ-1146206] RTGov UI no longer working on FSW 6.0
[BZ-1146207] RemoteMessage#context is empty
[BZ-1146241] Null details in SOAP fault returned to Camel Route
[BZ-1146951] java.lang.IllegalArgumentException after redeploy application
[BZ-1146953] Namespace context not set for camel bindings with unmanaged threads
[BZ-1149180] Elasticsearch mapping for rtgov activities results in spurious events included in call trace

and the following fixes from roll up patch FSW_6.0_2_2014:
[BZ-1067642] Switchyard component hot deployment via JBoss CLI fails.
[BZ-1076358] XmlValidator converts String contents to platform default encoding, causes data corruption
[BZ-1092697] Authentication/Authorization fails with RESTEasy component
[BZ-1105052] Missing lucene-queryparser jar in fsw 6.0.0.GA repository
[BZ-1110484] [GSS] (one-off) EAP 6.1.1, Cannot get exception as pass-by-reference (for FSW)
[BZ-1114732] Please do not allow types with spaces, these break the repository

and the following fixes from roll up patch FSW_6.0_1_2014:
[BZ-1030518] s-ramp-demos-switchyard-multiapp is not properly deployed
[BZ-1049696] CVE-2014-0002 Camel: XML eXternal Entity (XXE) flaw in XSLT component
[BZ-1049700] CVE-2014-0003 Camel: remote code execution via XSL
[BZ-1057210] There is no pagination in DTGov TaskInbox
[BZ-1063344] bpm signal_event returns null when completing existing process
[BZ-1067501] Switchyard component hot deployment via JBoss CLI fails.
[BZ-1067634] Please change SCAInvoker so it contains setOperation() to enable multiple-operation interfaces
[BZ-1063604] CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization [fsw-6]
[BZ-1072509] CVE-2013-4286 jbossweb: various flaws [fsw-6]
[BZ-1064679] CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream [fsw-6]

PATCH INSTALLATION INSTRUCTIONS:
Back up and remove every file and directory listed in the files:
All installations: removed-list-base.txt
DT-Gov installations: removed-list-dtgov.txt
RT-Gov Client installations: removed-list-rtgov-client.txt - This step is valid if you ONLY have the RT-Gov client components installed
RT-Gov Server installations: removed-list-rtgov-server.txt - This step is valid if you have the RT-Gov Server components installed
S-RAMP installations: removed-list-s-ramp.txt
SwitchYard installations: removed-list-switchyard.txt

At the directory containing the jboss-eap-6.1 directory, unzip the files:
All installations: fsw-6.0_4_2014-base.zip
DT-Gov installations: fsw-6.0_4_2014-dtgov.zip
RT-Gov Server installations: fsw-6.0_4_2014-rtgov-server.zip - This step is valid if you ONLY have the RT-Gov Server components installed
RT-Gov Client installations: fsw-6.0_4_2014-rtgov-client.zip - This step is valid if you have the RT-Gov Client components installed
S-RAMP installations: fsw-6.0_4_2014-s-ramp.zip
SwitchYard installations: fsw-6.0_4_2014-switchyard.zip

NOTES:
This patch includes upgrades to the underlying EAP component, some of which affect operation of the Java Security Manager. If you do not run with JSM (a common practice) you do not need to be further concerned. If you do use JSM, Red Hat recommends you start the server with the following arguments:
"-Djboss.modules.policy-permissions=true" -secmgr

Edit the jboss-eap-6.1/standalone/configuration/dtgov.properties file and remove the JavaArchive governance query. The single line to be removed starts with this text:
governance.queries=/s-ramp/ext/JavaArchive|overlord.demo.SimpleReleaseProcess

NOTE FOR RTGov Users:
This patch is suitable for use by all users of Fuse Service Works. RTGov users should read carefully the next statements.
If you are using RTGov and have not previously patched Fuse Service Works, you can apply this patch as described with no further concerns.
If you are using RTGov and have previously patched Fuse Service Works (you are using a prior Roll up patch), you will require special instructions to successfully utilize this patch. Please open a support ticket to discuss patch application with your support team.

COMPATIBILITY: JBoss Fuse Service Works 6
DEPENDENCIES: N/A
SUPERSEDES: BZ-1183067
CREATOR: G Varsamis
DATE: 4 November, 2015
Clone Of:
Environment:
Last Closed: 2016-04-29 14:21:42 UTC
Type: Support Patch
Embargoed:



Description Rick Wagner 2015-04-23 12:02:09 UTC
Second Roll up patch of 2015 for Fuse Service Works.
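
The backup-and-remove step of the patch installation instructions in the Doc Text, sketched as a shell function (an added example, not part of the patch or of Red Hat's tooling). It assumes each removed-list file holds one path per line, relative to the directory containing jboss-eap-6.1, which the page does not state; the function names and the demo file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the patch. Assumption: each removed-list-*.txt
# holds one path per line, relative to the directory containing jboss-eap-6.1.

# backup_and_remove ROOT LIST BACKUP
# Copies every listed file or directory from ROOT into BACKUP (same relative
# path), then deletes it from ROOT. Prints the number of entries handled and
# returns 1 if any entry was refused, 2 if a copy or delete failed.
backup_and_remove() {
    root=$1; list=$2; backup=$3
    handled=0; refused=0
    cr=$(printf '\r')
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%"$cr"}                 # tolerate CRLF list files
        entry=${entry%/}                     # "dir/" and "dir" mean the same
        case $entry in
            '') continue ;;
            /*|..|../*|*/..|*/../*)          # never touch paths outside ROOT
                echo "refused: $entry" >&2
                refused=$((refused + 1)); continue ;;
        esac
        src=$root/$entry
        [ -e "$src" ] || [ -L "$src" ] || continue   # already absent
        dest=$backup/$(dirname "$entry")
        mkdir -p "$dest"
        # Copy first and delete only after the copy succeeded.
        cp -RPp "$src" "$dest/" && rm -rf "$src" || return 2
        handled=$((handled + 1))
    done < "$list"
    echo "$handled"
    [ "$refused" -eq 0 ]
}

# Constructed demo tree and list; the paths are made up for illustration.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/jboss-eap-6.1/modules/old" "$work/outside"
    echo jar > "$work/root/jboss-eap-6.1/modules/old/a.jar"
    echo keep > "$work/outside/keep.txt"
    printf '%s\n' 'jboss-eap-6.1/modules/old/a.jar' \
        'jboss-eap-6.1/modules/old' '../outside/keep.txt' \
        'jboss-eap-6.1/missing.jar' > "$work/removed-list-demo.txt"
    backup_and_remove "$work/root" "$work/removed-list-demo.txt" "$work/backup"
}
```

Calling `demo` prints 2 and returns 1: the file and its directory are backed up and removed, the `../` entry is refused, and the missing entry is skipped.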

