It was found that the org.jboss.seam.web.AuthenticationFilter class implementation used Seam logging in an unsafe manner. A remote attacker could exploit this issue to gain arbitrary code execution by providing specially crafted authentication headers.
Acknowledgements: This issue was discovered by Marek Schmidt of Red Hat.
This issue has been addressed in the following products:
  Red Hat JBoss Web Framework Kit 2.5.0
Via RHSA-2014:0785 https://rhn.redhat.com/errata/RHSA-2014-0785.html

This issue has been addressed in the following products:
  JBoss Enterprise Application Platform 5.2.0
Via RHSA-2014:0794 https://rhn.redhat.com/errata/RHSA-2014-0794.html

This issue has been addressed in the following products:
  JBoss Enterprise Web Platform 5.2.0
Via RHSA-2014:0791 https://rhn.redhat.com/errata/RHSA-2014-0791.html

This issue has been addressed in the following products:
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6
Via RHSA-2014:0793 https://rhn.redhat.com/errata/RHSA-2014-0793.html

This issue has been addressed in the following products:
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 6
Via RHSA-2014:0792 https://rhn.redhat.com/errata/RHSA-2014-0792.html

This issue has been addressed in the following products:
  Red Hat JBoss SOA Platform 5.3.1
Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html