SB20251210181 - Multiple vulnerabilities in Red Hat JBoss Web Server

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2025-48989)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP request to the web server and consume all available memory resources, leading to a denial of service. 

Note, this vulnerability is known as HTTP/2 Made You Reset Attack.

2) Input validation error (CVE-ID: CVE-2025-31651)

The vulnerability allows a remote attacker to bypass rewrite rules.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted input to the application and bypass configured rewrite rules.

3) Path traversal (CVE-ID: CVE-2025-55752)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences passed via Rewrite Valve. A remote attacker can send a specially crafted HTTP PUT request and write arbitrary files to the server, leading to remote code execution. 

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2025:22925"
• https://access.redhat.com/errata/RHSA-2025:22925</a></p><p>
• https://access.redhat.com/errata/RHSA-2025:22924</p><p><br></p>