JON had resolved struts1 flaw CVE-2014-0114 with https://rhn.redhat.com/errata/RHSA-2014-0511.html, but reverted the fix in a later release.
Statement: While the original flaw, CVE-2014-0114, was resolved as a precaution in JON 3.2.1, later further research revealed that JON did not expose the properties in an exploitable way, and was not vulnerable.