IssueDescription: It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.
Acknowledgement: This issue was discovered by Tomas Kyjovsky of the Red Hat Quality Engineering Team.
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.3.0 Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html
This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html
This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html