JBoss Enterprise Application Platform 8.1 Update 6 Release Notes
Updated
In order to better meet customer expectations, micro releases for JBoss EAP 8 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
This update includes all fixes and changes from JBoss Enterprise Application Platform 8.1 Update 5
Download This content is not included.JBoss Enterprise Application Platform 8.1 Update 6
This update includes fixes for the following security related issues:
| ID | Component | Impact | Summary |
|---|---|---|---|
| CVE-2025-23368 | Security | Important | wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI |
| CVE-2026-27446 | Server | Important | artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication |
| CVE-2026-27830 | Server | Important | c3p0/c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects |
| CVE-2026-26996 | Server | Moderate | io.hawt-project: minimatch: Denial of Service via specially crafted glob patterns |
| CVE-2026-5598 | Server | Important | bcprov-jdk12: private key leakage via non-constant time comparisons |
| CVE-2026-27727 | Server | Important | mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects |
| CVE-2026-27904 | Server | Moderate | io.hawt-project: Minimatch: Denial of Service via catastrophic backtracking in glob expressions |
| CVE-2026-33870 | Server | Important | netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values |
| CVE-2025-14813 | Server | Important | bcprov-ext-jdk15on: GOSTCTR implementation unable to process more than 255 blocks correctly |
| CVE-2026-33871 | Server | Important | netty-codec-http-4.1.100.Final.jar: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood |
| CVE-2026-0636 | Server | Important | bcprov-ext-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java |
| CVE-2026-5588 | Server | Important | bcpkix-fips: PKIX draft CompositeVerifier accepts empty signature sequence as valid |
| CVE-2026-3505 | Server | Important | bcpg-fips: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| This content is not included.JBEAP-32434 | Clustering | This content is not included.WFLY-21650 - Passivation metrics are prohibitively expensive |
| This content is not included.JBEAP-32050 | Concurrency Utilities | This content is not included.WFLY-21469 - Contextual proxy wraps runtime exceptions with UndeclaredThrowableException |
| This content is not included.JBEAP-31467 | EJB | This content is not included.WEJBHTTP-154 - Support TCP_NODELAY in wildfly-config.xml |
| This content is not included.JBEAP-32027 | Hibernate | Content from hibernate.atlassian.net is not included.HHH-20176 - Query cache causing ArrayIndexOutOfBoundsException on Hibernate in EAP 8.1 |
| This content is not included.JBEAP-31319 | IO | This content is not included.WFCORE-7388 - org.wildfly.io.max-threads capability is subject to race conditions |
| This content is not included.JBEAP-32755 | JPA/Hibernate | Content from hibernate.atlassian.net is not included.HHH-20287 DataException ( Parameter is not set) when updating only the version of an Entity with a PartitionKey #12093 |
| This content is not included.JBEAP-29032 | Packaging and Installing | JBoss EAP 8 overrides custom favicon.ico during RPM update |
| This content is not included.JBEAP-32222 | REST | The @JsonbDateFormat("yyyy-MM-dd") does not work with TemporalType.DATE during deserialization. |
| This content is not included.JBEAP-30666 | Security | RHEL10 missing wildfly openssl natives in server |
| This content is not included.JBEAP-30707 | Security | This content is not included.WFCORE-7335 - Block deployments if the security manager subsystem has invalid config and the security manager is enabled. [details] |
| This content is not included.JBEAP-31542 | Server | This content is not included.WFCORE-7428 - Log a WARN if user.name is 'root' (or 'Administrator' on Windows) |
| This content is not included.JBEAP-26634 | Transactions | MsSQL table is locked after transaction recovery with JTS |
| This content is not included.JBEAP-31893 | Web Console | This content is not included.HAL-2049 - Error only logged to browser console when adding replicated-cache to standalone.xml |
Installation
Archive / zip / installer based installations
Note: This update zip should only be applied to installer or zip-based installations.
See the documentation: JBoss EAP 8.1 update methods
RPM installations
See the documentation: Updating an RPM installation
OpenShift Container installations
Update the containers to use the latest tag., to be current on OpenJDK and RHEL fixes.
Notes
- Windows Server 2025 was added as a tested configuration as of JBoss EAP 8.1 Update 4.
- The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have a s390x build, see here for more details
- Red Hat Insights is available for JBoss EAP 8 and accessible on the This content is not included.Red Hat Hybrid Cloud Console, see more details.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 8
Category
Components
Article Type