This advisory covers a security update for Red Hat JBoss Enterprise Application Platform 8.0.3, which addresses six CVEs affecting components such as Apache CXF, BouncyCastle, and Netty. The vulnerabilities include SSRF (CVE-2024-28752), resource exhaustion (CVE-2024-29025), timing attacks (CVE-2024-30171), infinite loops causing potential denial of service (CVE-2024-30172), and crafted EC certificate import leading to denial of service (CVE-2024-29857). The update is a replacement for version 8.0.2 and includes other bug fixes and enhancements. Red Hat rates the security impact as Important and provides official patches in this release. The advisory references multiple bugzilla entries and Red Hat errata for detailed information.

The vulnerabilities fixed in this update could allow an attacker to perform server-side request forgery, cause denial of service through infinite loops or crafted certificates, exploit timing side channels, or exhaust server resources without limits or throttling. These issues could impact the availability and security of applications running on the affected platform. However, no known exploits in the wild have been reported. The overall security impact is rated Important by Red Hat.

An official security update is available in Red Hat JBoss Enterprise Application Platform 8.0.3, which replaces version 8.0.2 and includes fixes for all listed vulnerabilities. Users should apply this update after ensuring all previous errata are applied and backing up their systems. Detailed update instructions are available in the Red Hat advisory at https://access.redhat.com/errata/RHSA-2024:5479 and the update article https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the official update.