Red Hat Product Errata RHBA-2026:26291 - Bug Fix Advisory
Issued:
2026-06-16
Updated:
2026-06-16

RHBA-2026:26291 - Bug Fix Advisory

Synopsis

updated Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 container images

Type/Severity

Bug Fix Advisory

Topic

Updated Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 container images are now available

Description

The Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 container images have been updated to address the following security advisory: RHSA-2026:25239 (see References)

Users of Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

You can find images updated by this advisory in Red Hat Container Catalog (see References).

Solution

The Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 container images provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.

Affected Products

  • JBoss Enterprise Application Platform 8.1 for RHEL 9 x86_64

Fixes

  • BZ - 2481879 - CVE-2026-7383 openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing
  • BZ - 2481880 - CVE-2026-9076 openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption
  • BZ - 2481881 - CVE-2026-34180 openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure.
  • BZ - 2481882 - CVE-2026-34181 openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
  • BZ - 2481884 - CVE-2026-34182 openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages
  • BZ - 2481885 - CVE-2026-34183 openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
  • BZ - 2481887 - CVE-2026-42764 openssl: NULL pointer dereference in QUIC server initial packet handling
  • BZ - 2481890 - CVE-2026-42766 openssl: Possible NULL Dereference in Password-Based CMS Decryption
  • BZ - 2481891 - CVE-2026-42767 openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption
  • BZ - 2481892 - CVE-2026-42768 openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
  • BZ - 2481893 - CVE-2026-42769 openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
  • BZ - 2481894 - CVE-2026-42770 openssl: FFC-DH Peer Validation Uses Attacker-Supplied q
  • BZ - 2481896 - CVE-2026-45445 openssl: AES-OCB IV Ignored on EVP_Cipher() Path
  • BZ - 2481897 - CVE-2026-45446 openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
  • BZ - 2481898 - CVE-2026-45447 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()

aarch64

jboss-eap-8/eap81-openjdk17-builder-openshift-rhel9@sha256:8d941cbc3ac054c35d27869e36ab8502fe5ba6435057b9440402f10b4b76381a
jboss-eap-8/eap81-openjdk17-runtime-openshift-rhel9@sha256:52b21256da092d29aa8a7883139625bcad40aa0fbb3604dbcf8e1e9ad21be613
jboss-eap-8/eap81-openjdk21-builder-openshift-rhel9@sha256:a199b3fcd616a3361ac17498f4ffd53774493686532422ababc7bbab9c937d91
jboss-eap-8/eap81-openjdk21-runtime-openshift-rhel9@sha256:fc3014b0545a554a8700e34a5d3f97794f9b4159308b419c6ba13d0494813a11

ppc64le

jboss-eap-8/eap81-openjdk17-builder-openshift-rhel9@sha256:af05a4c93be2fe91f329d6bd5860f168b82f3b4110f02747722a800e176f9b09
jboss-eap-8/eap81-openjdk17-runtime-openshift-rhel9@sha256:570d8a6232a9026d47f70542632e058a383151c03450519ddbbebc98c459e23f
jboss-eap-8/eap81-openjdk21-builder-openshift-rhel9@sha256:1f9ffa339b0ebba9ffe5014a113275a9bf1cb4f3d4e9e80b1b280e485d454fb6
jboss-eap-8/eap81-openjdk21-runtime-openshift-rhel9@sha256:2fc630eeb7701c79a28148f2530851d7cfdf83b2f891c6800d8f90892bff7cba

s390x

jboss-eap-8/eap81-openjdk17-builder-openshift-rhel9@sha256:dcace49a6703fa1beb54cde3cae26f516a31e6904f1a95c03254efd7f768096b
jboss-eap-8/eap81-openjdk17-runtime-openshift-rhel9@sha256:e086ed178ce20a02cf62221bbe7305b04c147858d683f054140a2163141ca4c5
jboss-eap-8/eap81-openjdk21-builder-openshift-rhel9@sha256:7c4277a94066624fcd0878f28c4377a295c5b88189abbe462986c59f74576527
jboss-eap-8/eap81-openjdk21-runtime-openshift-rhel9@sha256:0164abb53f578ee5ff82e144f25b85f946f9dae648bc4017d581c2ff092c53c3

x86_64

jboss-eap-8/eap81-openjdk17-builder-openshift-rhel9@sha256:24544531bc60f8ed42ee1adbc189c0dc365299aa7bcce4bab421bf1934fd6c5c
jboss-eap-8/eap81-openjdk17-runtime-openshift-rhel9@sha256:301d9611d46a662aaec647816a7b96a687ae38bddffbc8c0993c1513f6a26bee
jboss-eap-8/eap81-openjdk21-builder-openshift-rhel9@sha256:cc35317ab4d2c36bf963d5b595b3e54f5ac58dc7e6544a3a1e15015c4ab28e77
jboss-eap-8/eap81-openjdk21-runtime-openshift-rhel9@sha256:8651e2e1710a99bd18ae5c68da6884d58b32a3630221575f242afc505cfa12ec

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.