
Threats Tagged 'cve-2025-58056'

View all threats tagged with 'cve-2025-58056'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.0 security update
CVE-2025-48913

Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.1. See Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions [eap-8.1.z] (CVE-2025-58056)
* netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions [eap-8.1.z] (CVE-2025-58056)
* cxf: CXF JMS Code Execution Vulnerability [eap-8.1.z] (CVE-2025-48913)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.9 security update
CVE-2025-48913

Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.0. See Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)
* netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions [eap-8.0.z] (CVE-2025-58056)
* cxf: CXF JMS Code Execution Vulnerability (CVE-2025-48913)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.9 security update
CVE-2025-48913

Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.0. See Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)
* netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions [eap-8.0.z] (CVE-2025-58056)
* cxf: CXF JMS Code Execution Vulnerability (CVE-2025-48913)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.7 for Spring Boot release.
CVE-2025-4949

Red Hat build of Apache Camel 4.10.7 for Spring Boot patch release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.

Security Fix(es):

* spring-security-core: Spring Security authorization bypass (CVE-2025-41248)
* spring-core: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249)
* spring-core-test: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249)
* org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249)
* org.eclipse.jgit: XXE vulnerability in Eclipse JGit (CVE-2025-4949)
* netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
* netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
* minio: minio-java Client XML Tag is Vulnerable to Value Substitution (CVE-2025-59952)
* io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution (CVE-2025-59952)

Red Hat Security Advisory: Streams for Apache Kafka 3.1.0 release and security update
CVE-2024-56128

Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat Streams for Apache Kafka 3.1.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

* Apache Kafka, Drain Cleaner, Bridge, Cruise Control, Proxy, Console: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack (CVE-2025-58057)
* Apache Kafka, Proxy: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)
* Apache Kafka, Bridge, Drain Cleaner, Cruise Control, Console: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)
* Apache Kafka: org.apache.commons:commons-lang3: Uncontrolled Recursion (CVE-2025-48924)
* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout (CVE-2025-1634)
* Drain Cleaner, Console: Data leak vulnerability in io.quarkus:quarkus-vertx package (CVE-2025-49574)
* Cruise Control: org.apache.kafka/kafka_2.13: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (CVE-2024-56128)
* Cruise Control: org.apache.kafka: Kafka Client Arbitrary File Read SSRF (CVE-2025-27817)
* Cruise Control: Kafka Clients Vulnerability (CVE-2025-27819)
* Cruise Control: Kafka Clients Vulnerability (CVE-2025-27818)
* Cruise Control, Console: io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw (CVE-2025-11965)
* Cruise Control, Console: Vertx - Cross-site scripting (XSS) vulnerability (CVE-2025-11966)

Red Hat Security Advisory: multicluster engine for Kubernetes v2.10.1 security update
CVE-2025-47907

The multicluster engine for Kubernetes v2.10 images

The multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory: OpenShift Container Platform 4.13.65 bug fix and security update
CVE-2025-47907

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.65.

See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2026:7238

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes

Red Hat Security Advisory: Streams for Apache Kafka 3.2.0 release and security update
CVE-2024-29371

Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat Streams for Apache Kafka 3.2.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.1.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

* Drain Cleaner, Kafka Exporter - Eclipse Vert.x Web static handler file access denial [amq-st-3.2] (CVE-2026-1002)
* Drain Cleaner, Kroxylicious - Netty denial of service [amqst-3.2] (CVE-2026-33871)
* Drain Cleaner, Kroxylicious - Netty request smuggling attacks [amqst-3.2] (CVE-2026-33870)
* Cruise Control - jose4j denial of service [amqst-3.2] (CVE-2024-29371)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Memory exhaustion in query parameter parsing in net/url [amq-st-3.2] (CVE-2025-61726)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: golang: Denial of Service due to excessive resource consumption via crafted certificate [amq-st-3.2] (CVE-2025-61729)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Unexpected session resumption in crypto/tls [amqst-3.2] (CVE-2025-68121)
* console UI - Next.js Server-Side Request Forgery in Server Actions [amqst-3.2] (CVE-2024-34351)
* console UI - com.github.streamshub-console: Next.js: Unbounded next/image disk cache growth can exhaust storage [amqst-3.2] (CVE-2026-27980)
* console UI - Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [amqst-3.2] (CVE-2025-62718)
* console UI - React Server Components: Denial of Service via specially crafted HTTP requests [amqst-3.2] (CVE-2026-23864)
* console UI - Axios: Remote Code Execution via Prototype Pollution escalation [amqst-3.2] (CVE-2026-40175)
* console UI - lodash: Arbitrary code execution via untrusted input in template imports [amqst-3.2] (CVE-2026-4800)

Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.17.1
CVE-2025-47907

The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide certificates-as-a-service to developers working within your Kubernetes cluster.


Showing 1 to 9 of 9 results
