Red Hat JBoss Web Server 6.2.3 is a security update that addresses seven distinct vulnerabilities in the Apache Tomcat components it includes. These vulnerabilities are: CVE-2026-24880 (HTTP Request/Response Smuggling via invalid chunk extension), CVE-2026-25854 (Open Redirect via LoadBalancerDrainingValve), CVE-2026-29145 and CVE-2026-34500 (Authentication bypass due to client certificate misconfiguration), CVE-2026-29146 (Information disclosure via Padding Oracle vulnerability in EncryptInterceptor), CVE-2026-34483 (Information disclosure due to improper encoding in JsonAccessLogValve), and CVE-2026-34487 (Information disclosure via sensitive data in log files). The update includes bug fixes, enhancements, and component upgrades and is intended to replace the previous 6.2.2 release. Red Hat rates the security impact as Important and provides the update for multiple Red Hat Enterprise Linux versions and Windows Server.

The vulnerabilities fixed in this update could allow attackers to perform HTTP request/response smuggling, redirect users to malicious sites, bypass authentication mechanisms due to client certificate misconfigurations, and gain unauthorized access to sensitive information through various information disclosure flaws. These issues could compromise the confidentiality and integrity of hosted Java web applications. However, no known exploits in the wild have been reported. The overall security impact is rated as Important by Red Hat.

Red Hat has released Red Hat JBoss Web Server 6.2.3 as a security update that addresses these vulnerabilities. Users should back up their existing installations, including applications and configuration files, before applying the update. Applying this official update is the recommended remediation. Since this is not a cloud service, users must manually apply the patch. There is no indication from the vendor advisory that no action is required or that these issues are already mitigated without updating.