This security advisory from Red Hat addresses four vulnerabilities in Red Hat JBoss Enterprise Application Platform 8.0.6. The first vulnerability (CVE-2024-8447) involves a deadlock caused by multiple join requests sent to the LRA Coordinator component of the Narayana transaction manager. The second and fourth vulnerabilities (CVE-2024-47535 and CVE-2025-25193) are denial of service issues affecting Windows applications using the Netty networking library. The third vulnerability (CVE-2025-24970) concerns improper packet validation in the Netty SslHandler, which may lead to a native crash when using the native SSLEngine. Red Hat has released an asynchronous patch updating Netty to version 4.1.119.Final-redhat-00002 to address these issues. The advisory recommends applying this update after backing up existing installations and ensuring all previous errata are applied. No CVSS scores are provided in the advisory itself, but they are available on the CVE pages referenced.

The vulnerabilities can cause deadlocks in transaction coordination and denial of service conditions on affected systems, potentially disrupting application availability. The SslHandler flaw may lead to native crashes, impacting application stability. These issues affect Red Hat JBoss Enterprise Application Platform 8.0 running on affected versions. There are no reports of active exploitation in the wild as of the advisory date.

Red Hat has released an official security update (Red Hat JBoss Enterprise Application Platform 8.0.6) that addresses these vulnerabilities. Users should apply this update after ensuring all previously released errata are installed and backing up their existing installations, including applications and configurations. Detailed update instructions are available at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor advisory.