Acknowledgements: Red Hat would like to thank the ObjectWorks+ Development Team at Nomura Research Institute for reporting this issue.
It was found that the fix for CVE-2011-1484 was incomplete: JBoss Seam 2 did not block access to all malicious JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw.
This issue has been addressed in following products: JBEAP 5 for RHEL 6 Via RHSA-2011:0946 https://rhn.redhat.com/errata/RHSA-2011-0946.html
This issue has been addressed in following products: JBEAP 5 for RHEL 5 Via RHSA-2011:0948 https://rhn.redhat.com/errata/RHSA-2011-0948.html
This issue has been addressed in following products: JBEAP 5 for RHEL 4 Via RHSA-2011:0947 https://rhn.redhat.com/errata/RHSA-2011-0947.html
This issue has been addressed in following products: JBEAP 4.3.0 Via RHSA-2011:0951 https://rhn.redhat.com/errata/RHSA-2011-0951.html
This issue has been addressed in following products: JBEAP 4.3.0 for RHEL 5 JBEAP 4.3.0 for RHEL 4 Via RHSA-2011:0950 https://rhn.redhat.com/errata/RHSA-2011-0950.html
This issue has been addressed in following products: JBEAP 5 Via RHSA-2011:0949 https://rhn.redhat.com/errata/RHSA-2011-0949.html
This issue has been addressed in following products: JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0 Via RHSA-2011:0952 https://rhn.redhat.com/errata/RHSA-2011-0952.html
This issue has been addressed in following products: JBEWP 5 for RHEL 5 JBEWP 5 for RHEL 4 JBEWP 5 for RHEL 6 Via RHSA-2011:0945 https://rhn.redhat.com/errata/RHSA-2011-0945.html