RHSA-2025:0542 - Security Advisory

Topic

JBoss EAP XP 5.0 Update 1.0 release. See references for release notes.

Description

JBoss EAP XP 5.0 Update 1.0 GA release. See references for release notes.

Security Fix(es):

• io.vertx/vertx-grpc: Vertx gRPC server does not limit the maximum message size (CVE-2024-8391)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to the Using JBoss EAP XP 5 document: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index

Affected Products

• JBoss Enterprise Application Platform Text-Only Advisories x86_64

Fixes

• BZ - 2309758 - CVE-2024-8391 io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size
• JBEAP-24664 - (xp-5.0.z) Add a test case that makes use of a virtual-security-domain with MP-JWT
• JBEAP-26398 - Restore the ignored service-name attribute in the opentelemetry subsystem
• JBEAP-26715 - (xp-5.0.z) WildFly Readiness probe should check the suspended state of the server
• JBEAP-26776 - (8.0.z) WFLY-19209 - WFLYRS0031: Failed to load RESTEasy MicroProfile Configuration
• JBEAP-26798 - (xp-5.0.z) Setting mp.health.disable-default-procedures=true in microprofile-config.properties doesn't disable default procedures
• JBEAP-27331 - XP5 CR2 (Micrometer + OTel collector integration) - JMX metrics are not exported
• JBEAP-27358 - (xp-5.0.z) wildfly-server not found for verification in the distribution module
• JBEAP-27540 - Helm charts for XP5 QS are not correct
• JBEAP-27763 - (xp-5.0.z) Fix typo in pom.xml - goal "provisioning" to "provision"
• JBEAP-27773 - MP Reactive Messaging integration - MP Config defined by env vars is not properly taken into account to set the client SSL context
• JBEAP-27817 - (xp-5.0.z) Upgrade to SmallRye Reactive Messaging 4.24.0
• JBEAP-27942 - (xp-5.0.z) Upgrade to AMQ 7.12.x - follow up
• JBEAP-28074 - (xp-5.0.z) Upgrade MP OpenAPI TCK to 3.1.2
• JBEAP-28075 - (xp-5.0.z) Intermittent failures in MP OpenAPI TCK
• JBEAP-28092 - Upgrade to MP Reactive Messaging API 3.0.1
• JBEAP-28146 - (xp-5.0.z) Fixing mistakes in pom.xml files
• JBEAP-28331 - Add allign-dependencies script to XP5 branch
• JBEAP-28355 - (xp-5.0.z) Upgrade WildFly Core EAP from 21.0.5.Final-redhat-00001 to 21.0.11.Final-redhat-00001
• JBEAP-28357 - (xp-5.0.z) Sync up with EAP 8 Update 4
• JBEAP-28379 - (xp-5.0.z) Remove internal URL from align script
• JBEAP-28400 - (xp-5.0.z) Fix align-dependencies.sh script (multiple input manifests)

CVEs

• CVE-2024-8391

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/red_hat_jboss_eap_xp_5.0_release_notes/index
• https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index
• https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index