RHSA-2025:22622 - Security Advisory

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.27.1 includes the following CVE fix:

• cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.27] (CVE-2025-64518)

For more information, see the release notes page listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

• QUARKUS-6260 - OIDC: Add bearer token step up authentication
• QUARKUS-6935 - [3.27] Avoid using COPY_ATTRIBUTES when copying the jars of fast jar
• QUARKUS-6933 - Fix a few issues with Java 25 compatibility and include Java 25 in CI
• QUARKUS-6932 - Handle backpressure whilst not on the event loop
• QUARKUS-6931 - Qute: fix error propagation from section helpers
• QUARKUS-6928 - Opens java.lang as it's required for Java 24+
• QUARKUS-6927 - Fix bootstrap when module is pointing to POM file directly
• QUARKUS-6925 - Fix DEV UI workspace directory worktree and item selection on Windows
• QUARKUS-6922 - Modify @RequestParam presence handling
• QUARKUS-6920 - Correct setting kafka graceful-shutdown property for dev and test profiles
• QUARKUS-6919 - Ensure that Liquibase pre-conditions work for MongoDB
• QUARKUS-6916 - Bump the hibernate group with 8 updates
• QUARKUS-6913 - Avoid importing BOMs managing extensions managed by BOMs with higher preferences
• QUARKUS-6912 - Set correct quarkus.oidc.token.require-jwt-introspection-only default value
• QUARKUS-6911 - Fix incorrect timing computation
• QUARKUS-6909 - Correctly restore query params when OIDC does not drop redirect params
• QUARKUS-6906 - Configure Infinispan tx caches on client side
• QUARKUS-6903 - Fix podman machine setup command order
• QUARKUS-6902 - Removed extra '=' when converting single add opns jvm option
• QUARKUS-6900 - Update logging configuration property from .enable to .enabled in application properties
• QUARKUS-6899 - Minor update to rest-client.adoc
• QUARKUS-6898 - Add a clarification about OAuth2 protected resource metadata route address
• QUARKUS-6897 - Fix NPE when no library versions exist in the DevUI
• QUARKUS-6895 - Bypass filters looking for a test class in the application module
• QUARKUS-6894 - Update link and improve link text for WireMock
• QUARKUS-6893 - Ignore quarkus-core in non-platform extension catalogs
• QUARKUS-6890 - Only add quotes to channel name if required
• QUARKUS-6889 - Fix Liquibase `runCommand` in native mode
• QUARKUS-6888 - Use podman when building container image from the CLI
• QUARKUS-6887 - Use Path.resolve to check for unknown configuration files
• QUARKUS-6886 - Fix OCP build and deploy command
• QUARKUS-6885 - Bump Microsoft SQL Server JDBC driver to 13.2.1
• QUARKUS-6884 - Bump to Vert.x 4.5.22
• QUARKUS-6883 - [3.27] Bump to Mutiny 2.9.5
• QUARKUS-6875 - Update links to Cassandra demo UI
• QUARKUS-6874 - Log OIDC Client requests in debug mode
• QUARKUS-6873 - Use annotationProcessorPathsUseDepMgmt in Jakarta Data docs
• QUARKUS-6872 - Application using Hibernate offline startup tries to connect to database in DEV mode on startup
• QUARKUS-6871 - Update security-openid-connect-providers.adoc
• QUARKUS-6870 - When an error occurs during a streaming response, call `HttpServerResponse.reset()`
• QUARKUS-6869 - Fix OIDC Redis Token State Manager serialization in native mode
• QUARKUS-6868 - Dev MCP: Don't set empty params
• QUARKUS-6867 - Bump the hibernate group with 9 updates
• QUARKUS-6866 - ArC: fix construction of interception proxies, part 2
• QUARKUS-6865 - Bump the hibernate group with 9 updates
• QUARKUS-6864 - Update Elasticsearch clients + dev service image version to 9.1.5
• QUARKUS-6863 - Make `org.graalvm.sdk:nativebridge` dependency parent first
• QUARKUS-6862 - Adding prefix handling to base uri
• QUARKUS-6861 - Make test-fixture sources available to continuous testing
• QUARKUS-6860 - ArC: fix NPE in InvokerGenerator
• QUARKUS-6859 - Fix Kotlin reflection issue in native mode
• QUARKUS-6858 - Prevent simultaneous use of @InjectMock and @InjectSpy
• QUARKUS-6857 - LGTM: Update grafana-dashboard-opentelemetry-logging.json TimeStamp
• QUARKUS-6856 - Include suggestions on what to customize when migrating to own FormatMappers
• QUARKUS-6855 - Change the max connections defaults for the Hibernate Search's Elasticsearch client
• QUARKUS-6854 - Fix native issue with FlywaySqlException
• QUARKUS-6853 - Fix deprecated javax Hibernate properties
• QUARKUS-6852 - ArC: fix construction of interception proxies
• QUARKUS-6851 - Bump bouncycastle.version from 1.81 to 1.82
• QUARKUS-6850 - Bump org.bouncycastle:bc-fips from 2.1.1 to 2.1.2
• QUARKUS-6849 - Bump Keycloak version to 26.3.4
• QUARKUS-6848 - Fix server requests metrics tags for 404s when initialPath ends with /
• QUARKUS-6847 - Allow ecosystem extensions to use dev service result builder
• QUARKUS-6845 - Fix improper equals method implementation
• QUARKUS-6844 - Register Reactive SQL Client Drivers
• QUARKUS-6843 - Simplify inference of the SupportedDbKind and avoid NoClassDefFoundError on `CommunityDatabase`
• QUARKUS-6842 - Fix mouse move on active cards
• QUARKUS-6841 - Correctly handle multiple Set-Cookie headers for API Gateway v2
• QUARKUS-6840 - Redis: improvements
• QUARKUS-6839 - Bump io.quarkus:quarkus-platform-bom-maven-plugin from 0.0.123 to 0.0.124
• QUARKUS-6838 - Bump io.quarkus:quarkus-platform-bom-maven-plugin from 0.0.122 to 0.0.123
• QUARKUS-6837 - Bump Elasticsearch version to 9.1.4
• QUARKUS-6836 - Bump hibernate-orm.version from 7.1.0.Final to 7.1.1.Final
• QUARKUS-6772 - [3.27] DEV UI HQL console doesn't work as Quarkus returns invalid JSON
• QUARKUS-6686 - OIDC Step-Up Authentication fails, WWW-Authenticate header is missing challenge details when acr claim is a single string
• QUARKUS-6640 - [3.27] quarkus_websockets_server_connections_opened_errors_total metric doesn't increment when exception is thrown on websocket opening
• QUARKUS-6583 - Some extensions don't have their -dev dependencies managed in RHBQ platform bom compared to upstream platform bom
• QUARKUS-6582 - [3.27] org.slf4j:slf4j-api dependency has different version from upstream

CVEs

• CVE-2025-64518

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/products/quarkus/
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=3.27.1
• https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27