JBoss Enterprise Application Platform 8.1 Update 3 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 8 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
This update includes all fixes and changes from JBoss Enterprise Application Platform 8.1 Update 2
Download This content is not included.JBoss Enterprise Application Platform 8.1 Update 3
This update includes fixes for the following security related issues:
| ID | Component | Impact | Summary |
|---|---|---|---|
| CVE-2024-3884 | Undertow | Moderate | undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded |
| CVE-2025-9784 | Undertow | Important | undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability |
| CVE-2025-12543 | Undertow | Important | undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| This content is not included.JBEAP-31473 | Clustering | Incompatible versions of Infinispan and JBoss Threads in EAP 8.1.1 |
| This content is not included.JBEAP-31328 | Clustering | Runtime attributes of JGroups channel are undefined |
| This content is not included.JBEAP-31262 | Clustering | This content is not included.WFLY-20647 - IllegalStateException at org.wildfly.clustering.session.cache validate |
| This content is not included.JBEAP-31563 | Hibernate | Content from hibernate.atlassian.net is not included.HHH-19240 - Significant increase in heap allocation for queries after migrating Hibernate ORM 6.5 to 6.6 |
| This content is not included.JBEAP-30790 | Hibernate | Content from hibernate.atlassian.net is not included.HHH-19739 - Exceptions during load of entity with different persistent fields with same name |
| This content is not included.JBEAP-31316 | Hibernate | Content from hibernate.atlassian.net is not included.HHH-19887 - ServiceConfigurationError caused by Hibernate with Jackson dependencies |
| This content is not included.JBEAP-31324 | Security | Provider URL of OIDC client does not work with relative URL nor with forwarded headers |
| This content is not included.JBEAP-31587 | Undertow | Regression in undertow-core-2.3.20.SP2-redhat-00001 |
| This content is not included.JBEAP-30598 | Undertow | This content is not included.UNDERTOW-2547 Perform gathering write in HttpRequestConduit to decrease latency |
| This content is not included.JBEAP-31619 | Undertow | Wrong codes sent on WebSocket connection close |
| This content is not included.JBEAP-30723 | Undertow | This content is not included.UNDERTOW-2555 - AJP Redirect with unescaped characters in URL is not encoded |
| This content is not included.JBEAP-30317 | Undertow | This content is not included.UNDERTOW-2555 - AJP Redirect with unescaped characters in URL is not encoded |
| This content is not included.JBEAP-30660 | Undertow | This content is not included.UNDERTOW-2556 - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server |
| This content is not included.JBEAP-30527 | Undertow | This content is not included.UNDERTOW-2556 - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server |
| This content is not included.JBEAP-30724 | Undertow | This content is not included.UNDERTOW-2576 - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address |
| This content is not included.JBEAP-30536 | Undertow | This content is not included.UNDERTOW-2576 - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address |
| This content is not included.JBEAP-31372 | Undertow | This content is not included.WFLY-18587 - ImportELResolver performance improvement |
| This content is not included.JBEAP-31344 | Web Services | CXF-9171 - DelayedCachedOutputStreamCleaner thread accumulation after CVE-2025-23184 fix |
Installation
Archive / zip / installer based installations
Note: This update zip should only be applied to installer or zip-based installations.
See the documentation: JBoss EAP 8.1 update methods
RPM installations
See the documentation: Updating an RPM installation
OpenShift Container installations
Update the containers to use the latest tag., to be current on OpenJDK and RHEL fixes.
Notes
- The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.
- Some JBoss EAP image templates depend on other products that may not have a s390x build, see here for more details
- Red Hat Insights is available for JBoss EAP 8 and accessible on the This content is not included.Red Hat Hybrid Cloud Console, see more details.
- Deprecated in Red Hat Enterprise Application Platform (EAP) 8