Red Hat JBoss Enterprise Application Platform 7.4.18 addresses several security vulnerabilities: CVE-2024-3653 (Undertow LearningPushHandler remote memory DoS), CVE-2024-5971 (Undertow response write hangs with Java 17 TLSv1.3 NewSessionTicket), CVE-2024-30171 (BouncyCastle timing variant of Bleichenbacher attack), CVE-2024-29857 (BouncyCastle EC certificate crafted parameters leading to DoS), CVE-2024-29025 (Netty HTTP codec resource allocation without limits), CVE-2024-30172 (BouncyCastle infinite loop in ED25519 verification), and CVE-2024-27316 (HTTP/2 CONTINUATION frames DoS). These vulnerabilities impact various components of the platform, potentially leading to denial of service or cryptographic weaknesses. The update includes upgraded versions of affected components and is intended to fix these issues.

The vulnerabilities fixed in this update can lead to denial of service conditions through remote memory exhaustion, infinite loops, or hangs in response handling. Additionally, cryptographic weaknesses in BouncyCastle could allow timing attacks or denial of service when processing specially crafted certificates. Resource allocation issues in Netty could be exploited to exhaust system resources. These impacts can degrade service availability or compromise cryptographic operations within the affected platform.

Red Hat has released version 7.4.18 of JBoss Enterprise Application Platform 7.4 for RHEL 7 to address these vulnerabilities. Users should apply this update after ensuring all previous errata are applied and backing up their systems. The vendor advisory provides detailed instructions for applying the update. No alternative mitigations or workarounds are indicated; applying the official update is the recommended remediation.