It was found that Karaf deserializes objects passed to certain MBeans via the JMX endpoint. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine.
Acknowledgments: Name: Jason Shepherd (Red Hat)
Mitigation: In order to exploit this issue you need to have credentials of a user with the 'admin' role. Therefore a good mitigation against this attack is to set a strong password for any user with the 'admin' role in the 'etc/users.properties' file of the Red Hat JBoss Fuse 6, or Red Hat JBoss AM-Q 6.
Updated it to amq-6. However seems amq-6.3.0 was valid to me. Maybe you didn't have the latest product.ini?
Which MBeans are affected?
*** Bug 1395074 has been marked as a duplicate of this bug. ***