
[CIVN-2026-0010] Multiple Vulnerabilities in Red Hat JBoss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in Red Hat JBoss
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Systems Affected
JBoss Enterprise Application Platform 8.1 for RHEL 9 x86_64
JBoss Enterprise Application Platform 8.1 for RHEL 8 x86_64
JBoss Enterprise Application Platform Text-Only Advisories x86_64
Overview
Multiple vulnerabilities have been reported in Red Hat JBoss Enterprise Application Platform which could allow a remote attacker to cause a denial-of-service (DoS) condition, perform cache poisoning, or perform server-side request forgery (SSRF) on the targeted system.
Target Audience:
Large-scale enterprises and organizations using Red Hat JBoss products.
Risk Assessment:
High risk of system compromise, service disruption or cache manipulation.
Impact Assessment:
Potential for sensitive data exposure, unauthorized access, disruption of services.
Description
Red Hat JBoss Enterprise Application Platform (EAP) is a supported, open-source Java EE/Jakarta EE application server built on the WildFly runtime for deploying and hosting enterprise web applications. It provides scalable, secure, and high-availability middleware services for mission-critical applications.
These vulnerabilities exist in Red Hat JBoss Enterprise Application Platform due to improper request validation, a flaw in the HTTP/2 client, and an OutOfMemory condition. A remote attacker could exploit these vulnerabilities by sending specially crafted HTTP or HTTP/2 requests, including malformed headers or form-encoded data.
Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service (DoS) condition and potentially perform cache poisoning or server-side request forgery (SSRF) attacks on the targeted system.
Solution
Apply appropriate updates as mentioned:
https://access.redhat.com/errata/RHSA-2026:0386
https://access.redhat.com/errata/RHSA-2026:0384
https://access.redhat.com/errata/RHSA-2026:0383
Vendor Information
RedHat
https://access.redhat.com/errata/RHSA-2026:0386
https://access.redhat.com/errata/RHSA-2026:0384
https://access.redhat.com/errata/RHSA-2026:0383
References
RedHat
https://access.redhat.com/errata/RHSA-2026:0386
https://access.redhat.com/errata/RHSA-2026:0384
https://access.redhat.com/errata/RHSA-2026:0383
CVE Name
CVE-2024-3884
CVE-2025-9784
CVE-2025-12543
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


