Bug 2351678 (CVE-2025-2251)

Summary: CVE-2025-2251 org.jboss.eap:wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution
Product: [Other] Security Response
Reporter: Abhishek Raj <abhraj>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, darran.lofthouse, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, lgao, mosmerov, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, security-response-team, smaestri, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) in the Enterprise JavaBeans (EJB) remote invocation mechanism. The vulnerability stems from the deserialization of untrusted data by JBoss Marshalling. It allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2025-04-07

Description Abhishek Raj 2025-03-12 14:04:33 UTC

Comment 5 errata-xmlrpc 2025-07-07 13:25:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2025:10453 https://access.redhat.com/errata/RHSA-2025:10453

Comment 6 errata-xmlrpc 2025-07-07 13:30:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:10452 https://access.redhat.com/errata/RHSA-2025:10452

Comment 7 errata-xmlrpc 2025-07-07 13:35:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0.8

Via RHSA-2025:10459 https://access.redhat.com/errata/RHSA-2025:10459

Comment 8 errata-xmlrpc 2025-07-14 15:54:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2025:10926 https://access.redhat.com/errata/RHSA-2025:10926

Comment 9 errata-xmlrpc 2025-07-14 15:54:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2025:10925 https://access.redhat.com/errata/RHSA-2025:10925

Comment 10 errata-xmlrpc 2025-07-14 15:55:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2025:10924 https://access.redhat.com/errata/RHSA-2025:10924

Comment 11 errata-xmlrpc 2025-07-14 16:21:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.23

Via RHSA-2025:10931 https://access.redhat.com/errata/RHSA-2025:10931

Comment 13 errata-xmlrpc 2025-10-23 22:32:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7

Via RHSA-2025:10931 https://access.redhat.com/errata/RHSA-2025:10931