Main Vulnerability Database SB2026021723

SB2026021723 - Multiple vulnerabilities in JBoss Enterprise Application Platform 8.1 for RHEL 9 x86_64

Published: February 17, 2026

Security Bulletin ID SB2026021723

Severity

Medium

Patch available

YES

Number of vulnerabilities 4

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2025-12543)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper input validation when processing HTTP requests. A remote non-authenticated attacker can send a specially crafted HTTP request with an arbitrary Host header that will be accepted by the application.

Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.

2) Resource exhaustion (CVE-ID: CVE-2025-23184)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in CachedOutputStream instances allowing creation of enormous amount of temporary files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Resource exhaustion (CVE-ID: CVE-2025-9784)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

The vulnerability was dubbed HTTP/2 Made You Reset Attack.

4) Resource exhaustion (CVE-ID: CVE-2024-3884)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the FormEncodedDataDefinition.doParse(StreamSourceChannel) method. A remote attacker can send a large form data encoding with application/x-www-form-urlencoded to trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2026:0384

Vulnerable Software

eap8-wildfly-javadocs (Red Hat package): before 8.1.1-4.GA_redhat_00007.1.el9eap
eap8-wildfly-elytron (Red Hat package): before 2.6.6-1.Final_redhat_00001.1.el9eap
eap8-wildfly-clustering (Red Hat package): before 5.0.12-1.Final_redhat_00001.1.el9eap
eap8-wildfly (Red Hat package): before 8.1.3-4.GA_redhat_00006.1.el9eap
eap8-undertow (Red Hat package): before 2.3.20-2.SP4_redhat_00001.1.el9eap
eap8-jboss-threads (Red Hat package): before 2.5.0-1.redhat_00001.1.el9eap
eap8-hibernate (Red Hat package): before 6.6.36-1.Final_redhat_00001.1.el9eap
eap8-eventstream (Red Hat package): before 1.0.1-3.redhat_00003.1.el9eap
eap8-eap-product-conf-parent (Red Hat package): before 801.3.0-1.GA_redhat_00001.1.el9eap
eap8-apache-cxf (Red Hat package): before 4.0.10-1.redhat_00001.1.el9eap
eap8-jboss-el (Red Hat package): before api_5.0_spec-4.0.2-1.Final_redhat_00001.1.el9eap
eap8-bouncycastle (Red Hat package): before 1.82.0-1.redhat_00001.1.el9eap

SB2026021723 - Multiple vulnerabilities in JBoss Enterprise Application Platform 8.1 for RHEL 9 x86_64

Breakdown by Severity

Description

Remediation

References

Please verify you're human