This security advisory for Red Hat JBoss Enterprise Application Platform 7.4.23 addresses several vulnerabilities: CVE-2024-10234 (WildFly core management subsystem vulnerable to XSS), CVE-2025-2251 (Improper deserialization in JBoss Marshalling allowing remote code execution), CVE-2025-2901 (Stored XSS in JBoss EAP Management Console), CVE-2025-23184 (Denial of Service in Apache CXF via temporary files), CVE-2025-35036 (Hibernate Validator Expression Language Injection), and CVE-2025-48734 (Apache Commons BeanUtils PropertyUtilsBean does not suppress an enum's declaredClass property by default). The update includes bug fixes and enhancements and replaces the previous 7.4.22 release. Red Hat rates the security impact as Important and provides updated packages for JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.

The vulnerabilities fixed in this update include cross-site scripting flaws that could allow attackers to execute scripts in the context of the management console, an expression language injection that could lead to unauthorized expression evaluation, denial of service conditions via temporary file handling in Apache CXF, and improper deserialization that could enable remote code execution. These issues could compromise the confidentiality, integrity, and availability of affected systems running Red Hat JBoss EAP 7.4 prior to 7.4.23.

A security update is available in Red Hat JBoss Enterprise Application Platform 7.4.23, which replaces version 7.4.22. Users should apply this update after ensuring all previously released errata are applied and backing up their systems. The vendor advisory provides detailed instructions for applying the update. No indication of alternative mitigations or workarounds is provided, so applying the official update is the recommended remediation.