This advisory covers a security update for Red Hat JBoss Enterprise Application Platform 7.4.18, which fixes multiple vulnerabilities: CVE-2024-3653 (remote memory DoS via Undertow's LearningPushHandler), CVE-2024-5971 (response write hangs with Java 17 TLSv1.3 NewSessionTicket), CVE-2024-30171 (timing variant of Bleichenbacher attack on BouncyCastle), CVE-2024-29857 (DoS via crafted EC certificate import in BouncyCastle), CVE-2024-29025 (resource allocation without limits in netty-codec-http), CVE-2024-30172 (infinite loop in ED25519 verification in BouncyCastle), and CVE-2024-27316 (HTTP/2 CONTINUATION frames DoS). The update upgrades multiple components including Undertow, BouncyCastle, Netty, and others to remediate these issues. Red Hat rates the security impact as Important and provides detailed errata and upgrade instructions in their advisory RHSA-2024:5144.

The vulnerabilities fixed in this update can lead to denial of service conditions through remote memory exhaustion, infinite loops, or hangs in processing TLS or HTTP/2 frames. Additionally, cryptographic components are vulnerable to timing attacks and malformed certificate inputs that may compromise security operations. These issues could disrupt availability or weaken cryptographic assurances in affected Red Hat JBoss EAP 7.4 deployments. No known exploits in the wild have been reported at the time of this advisory.

A security update to Red Hat JBoss Enterprise Application Platform 7.4.18 is available and should be applied to remediate these vulnerabilities. Before applying the update, ensure all previously released errata are installed and back up all applications, configurations, and databases. Follow Red Hat's official guidance at https://access.redhat.com/articles/11258 for applying the update. No additional mitigations are indicated beyond applying this official patch.