The drools serialization format allows class files to be embedded. Upon deserialization, those class files are loaded by the VM that runs the drools engine. If such an (attacker-controlled) class file defines code in a static initializer, that code is executed during deserialization.
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 4, via RHSA-2010:0937 https://rhn.redhat.com/errata/RHSA-2010-0937.html
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 5, via RHSA-2010:0938 https://rhn.redhat.com/errata/RHSA-2010-0938.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 4.3.0, via RHSA-2010:0939 https://rhn.redhat.com/errata/RHSA-2010-0939.html
This issue has been addressed in the following products: JBoss Enterprise SOA Platform 4.2, JBoss Enterprise SOA Platform 4.3, via RHSA-2010:0940 https://rhn.redhat.com/errata/RHSA-2010-0940.html