Red Hat Product Errata RHSA-2025:16668 - Security Advisory
Issued:
2025-09-25
Updated:
2025-09-25

RHSA-2025:16668 - Security Advisory

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.1.12 on RHEL 7 security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.11, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default (CVE-2025-48734)
  • org.hornetq/hornetq-core-client: Arbitrarily overwrite files or access sensitive information [eap-7.1.z] (CVE-2024-51127)
  • HTTP-2: httpd: CONTINUATION frames DoS [eap-7.1.z] (CVE-2024-27316)
  • undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header [eap-7.1.z] (CVE-2020-10705)
  • undertow: information leakage via HTTP/2 request header reuse [eap-7.1.z] (CVE-2024-4109)
  • undertow: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [eap-7.1.z] (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Application Platform 7.1 EUS 7.1 x86_64

Fixes

  • BZ - 1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header
  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2268277 - CVE-2024-27316 httpd: CONTINUATION frames DoS
  • BZ - 2272325 - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
  • BZ - 2323697 - CVE-2024-51127 hornetq-core-client: Arbitrarily overwrite files or access sensitive information
  • BZ - 2368956 - CVE-2025-48734 commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
  • JBEAP-30523 - Tracker bug for the EAP 7.1.12 release for RHEL-7
  • JBEAP-30484 - (7.1.z) Upgrade commons-beanutils from 1.9.4.redhat-00002 to 1.11.0.redhat-00001
  • JBEAP-30522 - Metadata of the eap7-wildfly RPM package are not accurate

JBoss Enterprise Application Platform 7.1 EUS 7.1

SRPM
eap7-apache-commons-beanutils-1.11.0-1.redhat_00001.1.ep7.el7.src.rpm SHA-256: 434fccce7c2379d913684262b29814aa13041316edc889e5963f73cbf0a9e8fd
eap7-hibernate-validator-5.3.6-1.SP1_redhat_00001.1.ep7.el7.src.rpm SHA-256: 0c006228c89632880efa5e9ea286284eec2c19d437d96154fad55b92190d4f43
eap7-hornetq-2.4.11-1.Final_redhat_00001.1.ep7.el7.src.rpm SHA-256: 52bcbaf4199fe33e7985dac4670183243182b4b2291ef43203694d8d383fe79d
eap7-undertow-1.4.18-17.SP15_redhat_00001.1.ep7.el7.src.rpm SHA-256: 8096a2035fc9908fe66bbc5f28a96b1e448c2a547ee09961f42b6ad3011e26e1
eap7-wildfly-7.1.12-2.GA_redhat_00002.1.ep7.el7.src.rpm SHA-256: 0827881ffe31ed9d39f51dde9359816aee70a9a52539bf5291ba34e6eee11076
x86_64
eap7-apache-commons-beanutils-1.11.0-1.redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 37bbc3045ec738cdfa27932b28ef00b0e9cd9960773c10749ac0fe9b22b5cb03
eap7-hibernate-validator-5.3.6-1.SP1_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 952c624da634d55a49a89bb0d802561b667d7e5d917787371e2e33476e5e56ef
eap7-hibernate-validator-cdi-5.3.6-1.SP1_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 7d752b88e9fd5fd89a490d0ce425fd3905eb4b63d28ce94c564fa632843dfc42
eap7-hornetq-2.4.11-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 774f3051f410aa5504805162b44da416c926e9933cbcb3db3a657e183620fa0f
eap7-hornetq-commons-2.4.11-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 57f8f953f47f9e72976ddb9c34e6cb698decff0c43d20cf0ca3ff6f6fd184041
eap7-hornetq-core-client-2.4.11-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 2e867ab4f82f57d416e0e6fcd7c701698e485e6de852b51512a50a94bb5317a3
eap7-hornetq-jms-client-2.4.11-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 845dfda73e598b5465ba2cc59453a9f60e5fb1f9451837172e1ce39c31817133
eap7-undertow-1.4.18-17.SP15_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 7c3b929e822c0f71d05b19b400a5498e28d14927f87b96cd7a6cc380d7cd9547
eap7-wildfly-7.1.12-2.GA_redhat_00002.1.ep7.el7.noarch.rpm SHA-256: 74954476ef584436de7c762d5256f02b17242cbca1d708f27f7c423fbf9f5237
eap7-wildfly-modules-7.1.12-2.GA_redhat_00002.1.ep7.el7.noarch.rpm SHA-256: e095bbe9204df5f748e6b73e371fb4e179ee4d50754eda2b64dbd555ecdff5c1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.