This Important update for Red Hat JBoss Web Server 6.2.3 addresses multiple vulnerabilities in the bundled Apache Tomcat, including HTTP request smuggling (CVE-2026-24880, CVSS 7.5), critical authentication bypasses (CVE-2026-29145, CVSS 9.1), and information disclosure flaws. The affected Tomcat versions are Apache Tomcat 9.0.0 through 9.0.115, 10.1.0 through 10.1.52, and 11.0.0 through 11.0.19. The fix is provided by upgrading the integrated components within JBoss Web Server to version 6.2.3.
Red Hat Product Errata RHSA-2026:20405 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20405 - Security Advisory Overview Updated Packages Synopsis Important: Red Hat JBoss Web Server 6.2.3 release and security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic Red Hat JBoss Web Server 6.2.3 is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 6.2.3 serves as a replacement for Red Hat JBoss Web Server 6.2.2. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes that are linked to in the References section. Security Fix(es): tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension (CVE-2026-24880) tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve (CVE-2026-25854) tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration (CVE-2026-29145) tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor (CVE-2026-29146) tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve (CVE-2026-34483) tomcat: Apache Tomcat: Information disclosure via sensitive data in log files (CVE-2026-34487) tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration (CVE-2026-34500) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 Affected Products JBoss Enterprise Web Server 6 for RHEL 10 x86_64 JBoss Enterprise Web Server 6 for RHEL 9 x86_64 JBoss Enterprise Web Server 6 for RHEL 8 x86_64 Fixes BZ - 2457020 - CVE-2026-29146 Apache Tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor BZ - 2457037 - CVE-2026-29145 Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration BZ - 2457038 - CVE-2026-34487 Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files BZ - 2457039 - CVE-2026-25854 Apache Tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve BZ - 2457040 - CVE-2026-24880 Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension BZ - 2457043 - CVE-2026-34500 Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration BZ - 2457044 - CVE-2026-34483 Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve CVEs CVE-2026-24880 CVE-2026-25854 CVE-2026-29145 CVE-2026-29146 CVE-2026-34483 CVE-2026-34487 CVE-2026-34500 References https://access.redhat.com/security/updates/classification/#important https://docs.redhat.com/en/documentation/red_hat_jboss_web_server/6.2/html/red_hat_jboss_web_server_6.2_service_pack_3_release_notes/index Note: More recent versions of these packages may be available. Click a package name for more details. JBoss Enterprise Web Server 6 for RHEL 10 SRPM jws6-tomcat-10.1.49-13.redhat_00011.1.el10jws.src.rpm SHA-256: 4ec22be225fa786f181ebe2263888fb444279eeb51d6b0f942a1ea02d397a352 x86_64 jws6-tomcat-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 4bf6e11bc9ff66e43f8d0e5f5e04bce2368304ea688a2f793bee5c01e2030a1e jws6-tomcat-admin-webapps-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 8fdc1d01eec9cf93a2d6753ae7889416d0af81bc1a987b2f9239e5c45143a1c7 jws6-tomcat-docs-webapp-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 8ae8cc132a0767cc3d0d790c61d6f4688d2786e65b45dc48d90fa3f8c059917b jws6-tomcat-el-5.0-api-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 1895a5757357ac908883446038602600d5f527872e178ff04858e5ab7d5b934f jws6-tomcat-javadoc-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 7b259d728fa59b15f504dd1658d52a909e47910212b026e6d130cb7289ed9191 jws6-tomcat-jsp-3.1-api-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 015c9125edacbed856d3487687bb8e378abd9fe45de783360a59d8300a2346fb jws6-tomcat-lib-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: ba46b3caf31bf01750d706ed7459d1e2d014a9ce610469d193cfaad92818b18a jws6-tomcat-selinux-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: defce4bb36f1a089032a08314a305edef1aa387749d5d0616f5721f56df1912f jws6-tomcat-servlet-6.0-api-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: fecd0606f6aae31578541c4b81752c4535e54ff25049946c5041257f1867a2a8 jws6-tomcat-webapps-10.1.49-13.redhat_00011.1.el10jws.noarch.rpm SHA-256: 104503aa61747b8e1be7d37708f59bee7699a23aa3c29b1d0e2a5201c1ca61d2 JBoss Enterprise Web Server 6 for RHEL 9 SRPM jws6-tomcat-10.1.49-13.redhat_00011.1.el9jws.src.rpm SHA-256: 8d6fd5505be3a538afc11099b73758f07aff9b7a7ec067a478aeb8d2580b8674 x86_64 jws6-tomcat-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: f3f607f76fbb860268b9130c39283fdc96b704edaaf0d109841f18c7b5c01153 jws6-tomcat-admin-webapps-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 531735ea5fce4fe11916db5db1387a9ddae041763034e2041b16e2e13b7245ea jws6-tomcat-docs-webapp-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 48fea5cf6231f10fb9da13d23f055c638f7b88380910b115e8903d435ec2729b jws6-tomcat-el-5.0-api-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 114647bd53d82f955da6c540cf87c01d32124dd13cdd1358b431740d66956de2 jws6-tomcat-javadoc-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: afd9dd38d8707ea312c5ea9808c784190b54a0463c3a6446c7653ec224b83997 jws6-tomcat-jsp-3.1-api-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 1f344177a110f7ce9041be63b71ff2653474884b2907292c45afd3babed571b7 jws6-tomcat-lib-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: d93266ce14fedb570fc1b77e8bcf30d3ecee1b4ed71b7c97c66eac9bbe35731c jws6-tomcat-selinux-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 5556daad1d1bf587314136e522caddea761336d901e25cfb063b05dd7ba1c0a3 jws6-tomcat-servlet-6.0-api-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 82307533f5b51dc1b2336efd17da9322a9bee90394e066a08e4d185afe5ca411 jws6-tomcat-webapps-10.1.49-13.redhat_00011.1.el9jws.noarch.rpm SHA-256: 8680cfbb93efc5ef92cef9826624dce1b7a966d21f8f8960f5d3a91cfae2fe27 JBoss Enterprise Web Server 6 for RHEL 8 SRPM jws6-tomcat-10.1.49-13.redhat_00011.1.el8jws.src.rpm SHA-256: b70458d7ee9a5b203a5e3cfc3ea4e38d35b228914523398adf560e39cfaf343f x86_64 jws6-tomcat-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: a2e0f98ce8328853ec603491f16f37d049f4d8dc328f087a440adc7c70ca4dae jws6-tomcat-admin-webapps-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 3fbcf1b14a2a7d519d5cf41684b18abe8ab0d9b5dbdec40abeb89ea1e7079a5b jws6-tomcat-docs-webapp-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 0c21ee56b852d0cbbe5e8ba645ed5fe411aaf6f9a8d2f92bb5b8afb2139bfc87 jws6-tomcat-el-5.0-api-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 414ea0aecf7ce4ce1524aea8c1e64d90a9cc60a488f843bf2f6edf0707b870a5 jws6-tomcat-javadoc-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: a599d62a3ab0e8f9a2f32ff70922960264f6b079c9a28a491601281ee612603d jws6-tomcat-jsp-3.1-api-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 12c97f104ebcff9cf41b73a936648668a08e5370841cc952d5e00a862b6b013f jws6-tomcat-lib-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: f6ae2825b52b6818c72be2b957f00aed13afa96ef60eb757c3e5e94bb25289e2 jws6-tomcat-selinux-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 4ea17aee90fd65e6c3e15f9394b6bb40cb61eb871058ed448e0f6563f604cd59 jws6-tomcat-servlet-6.0-api-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 50d87bd22269a30e893a3ec908fdd521f143d20db78d47b3365ab6b0a17f424a jws6-tomcat-webapps-10.1.49-13.redhat_00011.1.el8jws.noarch.rpm SHA-256: 37ddab78ced118e380ff9846038ab33d2ba366ec83072e5140d1f2e2ef86b005 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .