RHSA-2026:1872
Vulnerability from csaf_redhat - Published: 2026-02-04 04:47 - Updated: 2026-03-24 13:18Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.4 security update
Severity
Important
Notes
Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 8.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.1.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.1.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.1.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure (CVE-2025-12183)
* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the "fast" decompressor.
6.5 (Medium)
Vendor Fix
Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2026:1872
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.
7.5 (High)
Vendor Fix
Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2026:1872
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.1.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.1.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.1.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure (CVE-2025-12183)\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:1872",
"url": "https://access.redhat.com/errata/RHSA-2026:1872"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1/html/release_notes_for_red_hat_jboss_enterprise_application_platform_8.1/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1/html/release_notes_for_red_hat_jboss_enterprise_application_platform_8.1/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/7136166",
"url": "https://access.redhat.com/articles/7136166"
},
{
"category": "external",
"summary": "2417718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "JBEAP-31416",
"url": "https://issues.redhat.com/browse/JBEAP-31416"
},
{
"category": "external",
"summary": "JBEAP-31437",
"url": "https://issues.redhat.com/browse/JBEAP-31437"
},
{
"category": "external",
"summary": "JBEAP-31454",
"url": "https://issues.redhat.com/browse/JBEAP-31454"
},
{
"category": "external",
"summary": "JBEAP-31498",
"url": "https://issues.redhat.com/browse/JBEAP-31498"
},
{
"category": "external",
"summary": "JBEAP-31543",
"url": "https://issues.redhat.com/browse/JBEAP-31543"
},
{
"category": "external",
"summary": "JBEAP-31547",
"url": "https://issues.redhat.com/browse/JBEAP-31547"
},
{
"category": "external",
"summary": "JBEAP-31559",
"url": "https://issues.redhat.com/browse/JBEAP-31559"
},
{
"category": "external",
"summary": "JBEAP-31567",
"url": "https://issues.redhat.com/browse/JBEAP-31567"
},
{
"category": "external",
"summary": "JBEAP-31577",
"url": "https://issues.redhat.com/browse/JBEAP-31577"
},
{
"category": "external",
"summary": "JBEAP-31595",
"url": "https://issues.redhat.com/browse/JBEAP-31595"
},
{
"category": "external",
"summary": "JBEAP-31676",
"url": "https://issues.redhat.com/browse/JBEAP-31676"
},
{
"category": "external",
"summary": "JBEAP-31680",
"url": "https://issues.redhat.com/browse/JBEAP-31680"
},
{
"category": "external",
"summary": "JBEAP-31690",
"url": "https://issues.redhat.com/browse/JBEAP-31690"
},
{
"category": "external",
"summary": "JBEAP-31762",
"url": "https://issues.redhat.com/browse/JBEAP-31762"
},
{
"category": "external",
"summary": "JBEAP-31767",
"url": "https://issues.redhat.com/browse/JBEAP-31767"
},
{
"category": "external",
"summary": "JBEAP-31800",
"url": "https://issues.redhat.com/browse/JBEAP-31800"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_1872.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.4 security update",
"tracking": {
"current_release_date": "2026-03-24T13:18:43+00:00",
"generator": {
"date": "2026-03-24T13:18:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2026:1872",
"initial_release_date": "2026-02-04T04:47:19+00:00",
"revision_history": [
{
"date": "2026-02-04T04:47:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-04T04:47:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-24T13:18:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 8.1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 8.1",
"product_id": "Red Hat JBoss Enterprise Application Platform 8.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-12183",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-11-28T16:00:42.516514+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the \"fast\" decompressor.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability affects the \"fast\" decompressor, this is due to the fact such implementation relies on LZ4_decompress_fast API of the lz4 C library. This function was deprecated in the lz4 library as it misses boundary checks and is considered insecure when processing untrusted inputs.\nRed Hat has considered this vulnerability as having a security impact of Moderate as the attack may be considered of a high complexity, additionally when exploited the attacker doesn\u0027t have full control over the memory read and its content.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 8.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12183"
},
{
"category": "external",
"summary": "RHBZ#2417718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1",
"url": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1"
},
{
"category": "external",
"summary": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183",
"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183"
}
],
"release_date": "2025-11-28T15:52:56.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-04T04:47:19+00:00",
"details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:1872"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 8.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 8.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-04T04:47:19+00:00",
"details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:1872"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 8.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…