Red Hat Product Errata RHSA-2025:7620 - Security Advisory
Issued:
2025-05-14
Updated:
2025-05-14

RHSA-2025:7620 - Security Advisory

Synopsis

Important: JBoss EAP XP 5.0 Update 2.0 release. See references for release notes.

Type/Severity

Security Advisory: Important

Topic

JBoss EAP XP 5.0 Update 2.0 release. See references for release notes.

Description

JBoss EAP XP 5.0 Update 2.0 GA release. See references for release notes.

Security Fix(es):

  • org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator (CVE-2024-8447)
  • com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)
  • org.jboss.eap-jboss-eap-xp: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide

Affected Products

  • JBoss Enterprise Application Platform Text-Only Advisories x86_64

Fixes

  • BZ - 2313454 - CVE-2024-7254 protobuf: StackOverflow vulnerability in Protocol Buffers
  • BZ - 2335206 - CVE-2024-8447 narayana: deadlock via multiple join requests sent to LRA Coordinator
  • JBEAP-26539 - (xp-5.0.z) [en_US][ALL LANG] Missing mark '*' next to Name in Config Source and Attributes pages of Add Config Source dialog.
  • JBEAP-27340 - (xp-5.0.z) Disable snappy compression for MP Reactive Messaging Kafka connector on non-Linux Systems
  • JBEAP-27477 - (xp-5.0.z) Upgrade to Kafka client 3.7.1
  • JBEAP-28933 - (xp-5.0.z) EAP erroneously allows the EAP operator to scale down when there are LRA transaction records
  • JBEAP-29471 - (xp-5.0.z) Upgrade to Reactive Stream Operators 3.0.1
  • JBEAP-29737 - (xp-5.0.z) Upgrade to Narayana from 6.0.5.Final to 6.0.6.Final
  • JBEAP-29738 - (xp-5.0.z) Update microprofile-lra to 2.0.1
  • JBEAP-30007 - (xp-5.0.z) Upgrade com.google.protobuf to 3.25.7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.