Red Hat Product Errata RHSA-2025:11695 - Security Advisory
Issued:
2025-07-28
Updated:
2025-07-28

RHSA-2025:11695 - Security Advisory

Synopsis

Moderate: Red Hat JBoss Web Server 5.8.5 release and security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Web Server 5.8 on Red Hat Enterprise Linux versions 7, 8, and 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.8.5 serves as a replacement for Red Hat JBoss Web Server 5.8.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes that are linked to in the References section.

Security Fix(es):

  • tomcat: Apache Tomcat DoS in multipart upload [jws-5] (CVE-2025-48988)
  • tomcat-catalina: Apache Tomcat: Security constraint bypass for pre/post-resources [jws-5] (CVE-2025-49125)
  • tomcat: Apache Commons FileUpload DoS via part headers [jws-5] (CVE-2025-48976)
  • jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-52520)
  • jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-52434)
  • jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-53506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Web Server 5 for RHEL 9 x86_64
  • JBoss Enterprise Web Server 5 for RHEL 8 x86_64
  • JBoss Enterprise Web Server 5 for RHEL 7 x86_64

Fixes

  • BZ - 2373015 - CVE-2025-48988 tomcat: Apache Tomcat DoS in multipart upload
  • BZ - 2373018 - CVE-2025-49125 tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources
  • BZ - 2373020 - CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers

JBoss Enterprise Web Server 5 for RHEL 9

SRPM
jws5-tomcat-9.0.87-12.redhat_00011.1.el9jws.src.rpm SHA-256: deb0d6ca324099177bf8fa3b24614a205b0a8487696181a9e4f7255f2ddab22a
x86_64
jws5-tomcat-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: df9e4bb2dfc91df019f205a85d8e3e96e3292e1eeb9b628a492a4eb06ca99b83
jws5-tomcat-admin-webapps-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: ecdd1882de8569a573385b8c82adaec5941de676455e3d6cb6ae342d17cddb0d
jws5-tomcat-docs-webapp-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: a4e75906b66bcff33d73ca9db2b9e074b0f52c16b038d678140c66019facc8f4
jws5-tomcat-el-3.0-api-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: 3750861dc0ba6d56219be6d34668e38dcf7024e8bfe943e6dd1508c5fb8594c7
jws5-tomcat-javadoc-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: 5c7285d16d4d88c37f5a4f0c06e5623d87f567b5157100157f3202628e0ebd29
jws5-tomcat-jsp-2.3-api-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: 016c6ef701aecce738ea1cca20d084e1a1f27dbb4fc281aa97b6e79368c19c41
jws5-tomcat-lib-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: 72167dc11b7c1b022d523c6cc70e7a3c2d503939f9bf6e73ca096f920f4f4c7c
jws5-tomcat-selinux-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: 7daa80bbd960d5380b3be45fc78774201573c7bcc4581113bb93ed191c7dbc29
jws5-tomcat-servlet-4.0-api-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: c32c2ffd89fbe221d9ce3773084bbf892c04033ef4932817aa872123eb96031b
jws5-tomcat-webapps-9.0.87-12.redhat_00011.1.el9jws.noarch.rpm SHA-256: d49e9b269fb4b931661e33365f9e88ea6cc8c5ab7056af25437f40a49c7fee86

JBoss Enterprise Web Server 5 for RHEL 8

SRPM
jws5-tomcat-9.0.87-12.redhat_00011.1.el8jws.src.rpm SHA-256: 07a8cfed00f5f4748c1dc61edacc84066a96386f4e1a76f020b80fc00743879d
x86_64
jws5-tomcat-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 674a87c748a36ca1574d250a0765c69824a208a9bf5003a1522563396f2ab0f5
jws5-tomcat-admin-webapps-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 638ef012100aee8e6198f280ae2997795a4ff1f95e267e67acbea0911ba875b2
jws5-tomcat-docs-webapp-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: e4e3d8a925c5f5ae2f36de99f1f72771727e4e15cfa5ebbea289ee35fb8b426b
jws5-tomcat-el-3.0-api-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 30d6499c12c7f410b584e98c088137684f091e09df30bbb949bcc601f2df5ca5
jws5-tomcat-javadoc-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 7a96202931db4b21709eeeb4ee7bb44d9aedfb3fff19b90f68e404ef0b93db05
jws5-tomcat-jsp-2.3-api-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 10b37721e3e762daac0f8004b9a133d7e706af4b13da02cb3a0e3604fdacf923
jws5-tomcat-lib-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 25fa9ef33cdb084dcbc29eaa77f46a40db7da8a20e41c4593b87d4d099ec067c
jws5-tomcat-selinux-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: adb808d7f98a3869a116f05ed3e11b4c11fb88bd2631633733d1b103fac2b3d2
jws5-tomcat-servlet-4.0-api-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: a28fd152ed0b45aa3095e1580b32d534855356277f4ba6cd086cf0ed84b2ebb8
jws5-tomcat-webapps-9.0.87-12.redhat_00011.1.el8jws.noarch.rpm SHA-256: 7282481233ce4c5024756d214a7351990bf41bbe154660895866b501ee46de3e

JBoss Enterprise Web Server 5 for RHEL 7

SRPM
jws5-tomcat-9.0.87-12.redhat_00011.1.el7jws.src.rpm SHA-256: 85ac99e3db6e9199e72245531fe41d123ae53f7d88ec40067918753c22b5291f
x86_64
jws5-tomcat-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 1956c40c419ab91da6553c9dd5c4184aeb86771ad7e9a4a8c459bbdd96d76477
jws5-tomcat-admin-webapps-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: aa8c1cbd4d63dd15c3de18de1379245b0b7728f51043b57814f3d493f55096e7
jws5-tomcat-docs-webapp-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: c03f7acc934936207c3f6dfa9853dd5c3d5df3072105461054a8d461d2bb0419
jws5-tomcat-el-3.0-api-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 4551faa8faac3a9940190b334bab56777b05291c5ebdb47d990cb7ee99d0303d
jws5-tomcat-java-jdk11-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 565420cf75440396ba82c4a96f23be09f8cc784e56a499bee081137c6aa82fa5
jws5-tomcat-java-jdk8-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 10d79b345a69547523e7f521c0a60e79cbdbef0d5646d4337def40aae658b349
jws5-tomcat-javadoc-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: af86f99a1b5ddb49e7666bad8d540f282952af9c2678bf4757933a43533f0449
jws5-tomcat-jsp-2.3-api-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 8ad7f64959f0affdc704c0abe3f1de7fa2b42f91c2f5b3661fcdce0ed688c4ae
jws5-tomcat-lib-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 7242688d4fc7fc2bee240e962044e641da0a47e46be0944c781e1af9e2cc9308
jws5-tomcat-selinux-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 4455048a197a0e7b53ae866279c7727a958753b862e3964c4a65f38629418d81
jws5-tomcat-servlet-4.0-api-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: 06de144eb39de6ac59574e83f4b1a85626c42f47b925047d17160351d1fa0fb0
jws5-tomcat-webapps-9.0.87-12.redhat_00011.1.el7jws.noarch.rpm SHA-256: b097c01d37b6f21f2cd57ff94a592a14f5cec02a49f6f0aa8130b7b5aa865ec9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.