An application that has BeanShell on its classpath may be vulnerable if any other part of the application uses Java serialization or XStream to deserialize data from an untrusted source. The application does not need to call BeanShell itself: serialized input names the classes to instantiate, so it is enough that BeanShell's classes are loadable. A vulnerable application could be exploited for remote code execution, including execution of arbitrary shell commands, with the privileges of the application. The fix is in BeanShell 2.0b6; applications that bundle an older BeanShell should upgrade, and any code path that deserializes untrusted input should additionally restrict which classes it is willing to instantiate rather than depend on one library's fix.

External references:
https://github.com/beanshell/beanshell/releases/tag/2.0b6

Upstream patches:
https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
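The following is an added example, not code from BeanShell, XStream or Red Hat: it shows the mitigation a practitioner applies on the application side when BeanShell (or any other library with useful gadget classes) cannot be removed from the classpath yet. Both deserialization paths the advisory names are hardened the same way, by refusing every class that is not explicitly expected. The Greeting type, the class names and the "hello" payload are placeholders constructed for the example; the XStream part assumes XStream 1.4.7 or later on the classpath, which is when its type-permission API appeared.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not BeanShell's, XStream's or Red Hat's code): an application keeps
 * BeanShell on its classpath but never lets untrusted serialized data name a class it
 * does not explicitly expect. Greeting is a placeholder type for the example.
 */
public class SafeDeserialization {

    /** The one data type this endpoint legitimately receives (placeholder). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /**
     * ObjectInputStream that resolves only allowlisted classes. resolveClass runs before
     * any instance is created, so a stream naming bsh.* classes (or anything else off the
     * list) is rejected before its readObject can execute. Strings in the stream are
     * written as constants and never pass through resolveClass.
     */
    public static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            // Gadget chains commonly smuggle an attacker-chosen InvocationHandler behind a
            // dynamic proxy; this endpoint never expects one, so refuse them outright.
            throw new InvalidClassException("java.lang.reflect.Proxy", "dynamic proxies are not permitted");
        }
    }

    public static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Java-serialization entry point for untrusted bytes. */
    public static Object deserializeUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(Greeting.class.getName());
        try (ObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    /** XStream (1.4.7+) configured the same way: deny everything, then allow what is expected. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "deny all"
        xs.addPermission(NullPermission.NULL);                // null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers
        xs.allowTypes(new Class[] { Greeting.class, String.class });
        return xs;                                            // anything else: ForbiddenClassException
    }

    public static void main(String[] args) throws Exception {
        // The expected type round-trips through both paths.
        Greeting ok = (Greeting) deserializeUntrusted(serialize(new Greeting("hello")));
        XStream xs = hardenedXStream();
        Greeting okXml = (Greeting) xs.fromXML(xs.toXML(new Greeting("hello")));
        System.out.println(ok.text + " / " + okXml.text);

        // A stream naming any other class (HashMap stands in for a gadget class) is refused.
        try {
            deserializeUntrusted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("Java serialization rejected: " + e.getMessage());
        }
        try {
            xs.fromXML("<map/>");   // "map" is XStream's default alias for java.util.HashMap
        } catch (ForbiddenClassException e) {
            System.out.println("XStream rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the control that matters: a denylist of bsh.* alone leaves every other gadget class on the classpath reachable. On JDKs with JEP 290 (Java 9, backported to 8u121) the same policy can also be set JVM-wide through the jdk.serialFilter system property, and a process-wide `-Djdk.serialFilter='!bsh.**'` is a cheap backstop while the per-endpoint allowlist above is rolled out, but it is a backstop, not a substitute.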
This issue has been addressed in the following products:

Red Hat JBoss BPM Suite 6.2.2
Via RHSA-2016:0539 https://rhn.redhat.com/errata/RHSA-2016-0539.html

Red Hat JBoss BRMS 6.2.2
Via RHSA-2016:0540 https://rhn.redhat.com/errata/RHSA-2016-0540.html

Red Hat JBoss Data Virtualization (security and bug fix update)
Via RHSA-2016:1135 https://access.redhat.com/errata/RHSA-2016:1135

Red Hat JBoss SOA Platform 5.3.1
Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376

Red Hat JBoss Fuse 6.3
Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html

Red Hat Fuse 7.3.1
Via RHSA-2019:1545 https://access.redhat.com/errata/RHSA-2019:1545