Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to lauch a remote code execution attack.
Acknowledgments: Name: Mikhail Egorov (Odin)
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1378616]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2604 https://rhn.redhat.com/errata/RHSA-2016-2604.html
Our initial analysis of JBoss Fuse 6 showed that it was using a vulnerable version of resteasy. However after further analysis we discovered that it's being used by the Fabic8, Support Webapp feature, which a Restful webservice client, so is not affected by this issue.