Red Hat Product Errata RHSA-2026:12194 - Security Advisory Issued: 2026-04-30 Updated: 2026-04-30 RHSA-2026:12194 - Security Advisory Overview Updated Packages Synopsis Moderate: Red Hat JBoss Web Server 6.2.2 release and security update Type/Severity Security Advisory: Moderate Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic Red Hat JBoss Web Server 6.2.2 is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 6.2.2 serves as a replacement for Red Hat JBoss Web Server 6.2.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes that are linked to in the References section. Security Fix(es): tomcat: security constraint bypass with HTTP/0.9 (CVE-2026-24733) tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614) tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix (CVE-2026-32990) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 Affected Products JBoss Enterprise Web Server 6 for RHEL 10 x86_64 JBoss Enterprise Web Server 6 for RHEL 9 x86_64 JBoss Enterprise Web Server 6 for RHEL 8 x86_64 Fixes BZ - 2440430 - CVE-2025-66614 tomcat: Client certificate verification bypass due to virtual host mapping BZ - 2440437 - CVE-2026-24733 tomcat: security constraint bypass with HTTP/0.9 BZ - 2457025 - CVE-2026-32990 Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix CVEs CVE-2025-66614 CVE-2026-24733 CVE-2026-32990 References https://access.redhat.com/security/updates/classification/#moderate https://docs.redhat.com/en/documentation/red_hat_jboss_web_server/6.2/html/red_hat_jboss_web_server_6.2_service_pack_2_release_notes/index Note: More recent versions of these packages may be available. Click a package name for more details. JBoss Enterprise Web Server 6 for RHEL 10 SRPM jws6-tomcat-10.1.49-10.redhat_00008.1.el10jws.src.rpm SHA-256: be6bc339d3729151e7786f6fb5b7ebe6e4459fbc8358c311d3be4a8d9c02be72 x86_64 jws6-tomcat-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 0d3b5eac77ad122b701bd42ad4a7950a146c5492655debd08e8b19a489b62c14 jws6-tomcat-admin-webapps-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 6796a6d45b42a67aa9c94c3594c4d8590413a6f43c1cfe53cdebb90b85bc06ca jws6-tomcat-docs-webapp-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: d0a9172329d5f53e4dca7d5b4e8c522466d51aacad22a2b8c99a9acdcee4f99f jws6-tomcat-el-5.0-api-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 5e6fabf6ac2052dc3603dd32b02cad05c1f9fd8ebe69d3a3a4630d3f46407ef4 jws6-tomcat-javadoc-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 6ade6053293de7d7c02f26a3db71866b3a86faab7400ed9072621623f70c88b4 jws6-tomcat-jsp-3.1-api-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 0a91d9d285fb9434bb701b4aa0bab3ecf13afdd2621b27f85cf12492716bb10c jws6-tomcat-lib-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 03ab4f2e67b9fdd050e4b33ea87988ed0bd63f4ae59731f6d0d966b30245db84 jws6-tomcat-selinux-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 0b1a8645e8c5d4547af5a56bb9e23e6ec0bde2e468cfe9ac55dd68575bd149f5 jws6-tomcat-servlet-6.0-api-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 1f908398df98f40d999e1a345fa5c4236e5746df3aa9ee92009e17869e0088af jws6-tomcat-webapps-10.1.49-10.redhat_00008.1.el10jws.noarch.rpm SHA-256: 9f5102f459af443d075683d21bcb9278d6ad7b187e4fa1f247551328afb5a83d JBoss Enterprise Web Server 6 for RHEL 9 SRPM jws6-tomcat-10.1.49-10.redhat_00008.1.el9jws.src.rpm SHA-256: 4a1649dce3c0e5c9646b3463c6ab2252a973241ffc8927db63dca3991fa51c48 x86_64 jws6-tomcat-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: b75953289c1bff80fdc92c2dacb33f8af027fc9a95c0079aeff07c7b0d479d9f jws6-tomcat-admin-webapps-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: 71b8cbb2a1d113aff5e95a8a30223bca2c2c9ee35831d6f8ac454359567ee1a7 jws6-tomcat-docs-webapp-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: ca4eb112f78c4c6f535123d3b870f583d5720a30c7b05e944b599f86a850063d jws6-tomcat-el-5.0-api-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: c2bb0454d354d0c6ff9d55d080c2c34d24bfc39a0a47e98143d64858aaf37945 jws6-tomcat-javadoc-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: 216e6913b4f682935b193239e549e9cbe24e9870a3f87f00b9b25db079c95ff2 jws6-tomcat-jsp-3.1-api-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: d9b57be912711e7d285f56e7207208645bc47df342828e1a5fcdc1ce95d98280 jws6-tomcat-lib-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: 5ecb388f0521b876a3a6c71d8c63c0ec540fe5a24e224d503dc3dad978c4b72b jws6-tomcat-selinux-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: 9e34a45a1596358b438f7b999dd7c79d147d2682c9a37379fb5d3ad524c09f54 jws6-tomcat-servlet-6.0-api-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: dda093ac3f0c59d1449c5cb16d6d2559a7684ec7c8854abb6209bdb0dd4bacb5 jws6-tomcat-webapps-10.1.49-10.redhat_00008.1.el9jws.noarch.rpm SHA-256: ad996ff795f94390176a25372b9535bd966765a6e306bfc07bbd3043d3f031b1 JBoss Enterprise Web Server 6 for RHEL 8 SRPM jws6-tomcat-10.1.49-10.redhat_00008.1.el8jws.src.rpm SHA-256: 98f06670bd6f273f411a2e46b94e17869f67410601441eefbfaa162155aa6677 x86_64 jws6-tomcat-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: 22678bbd4a97b5469133cff7f5b287c15198097ce6359b774aa8f6b989d7ba00 jws6-tomcat-admin-webapps-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: 225b6e66a0d3925dbc4a1a4166b4c20611ba1a642c63b2b93b0812d9115a1957 jws6-tomcat-docs-webapp-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: fcdd1ff17022abeb438c03a98fcbc38c45cbbbc2a2ac676d26de6f5a696a038c jws6-tomcat-el-5.0-api-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: fa7d6faa2f1e1670c1d58a358c8149a1bf0f55908cce2dd1d26699fda8745f36 jws6-tomcat-javadoc-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: bfd870b42f784d6b303f89d2a7a0cb39e1b1f471be5f9982eeb6a32f59739b27 jws6-tomcat-jsp-3.1-api-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: 2a0a8f2aaa6aaa22c5ccc18c8bd6fee7d5f3ec8769aee8f762b89c0279c60067 jws6-tomcat-lib-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: 72284ea37e17c09c25929daa6931c3e4625627705f1a08af0e1423bebf40bb2f jws6-tomcat-selinux-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: 05f13eecc60948e583500bd031694dd2b9f20492210d7a753d5a97fb11c44ea6 jws6-tomcat-servlet-6.0-api-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: e7885d60fd60420361868afbc5d57808e1990c82ee532120e7a368cd54de0810 jws6-tomcat-webapps-10.1.49-10.redhat_00008.1.el8jws.noarch.rpm SHA-256: 06189a30ac5370bb2bb3a97ef5a310d76bc4c2c139b4751d38fbea9a23bf94cb The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .