Red Hat JBoss Enterprise Application Platform 7.4.23 is a security update that fixes several vulnerabilities: CVE-2024-10234 (WildFly Cross-Site Scripting), CVE-2025-2251 (Improper Deserialization in JBoss Marshalling allowing Remote Code Execution), CVE-2025-2901 (Stored XSS in JBoss EAP Management Console), CVE-2025-23184 (Apache CXF Denial of Service via temporary files), CVE-2025-35036 (Hibernate Validator Expression Language Injection), and CVE-2025-48734 (Apache Commons BeanUtils PropertyUtilsBean enum declaredClass property not suppressed). These vulnerabilities impact the security of Java applications running on the platform and could allow attackers to execute code remotely, perform XSS attacks, or cause denial of service. The update is a replacement for version 7.4.22 and includes bug fixes and enhancements beyond security patches.

The vulnerabilities fixed in this update include risks of remote code execution via improper deserialization, cross-site scripting in management consoles and WildFly core, denial of service through Apache CXF temporary file handling, and expression language injection in Hibernate Validator. These issues could allow attackers to execute arbitrary code, steal or manipulate data via XSS, or disrupt service availability. The overall security impact is rated as Important by Red Hat Product Security.

A security update to Red Hat JBoss Enterprise Application Platform 7.4.23 is available and should be applied. This update replaces version 7.4.22 and includes fixes for all listed vulnerabilities. Before applying the update, ensure all previously released errata are applied and back up all applications, configuration files, and databases. Follow Red Hat's official update instructions at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying this official patch.