If multiple applications use the same custom authorization module class name, and provide their own implementations of it, the first application to be loaded will have its implementation used for all applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker.
Acknowledgements: This issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.1.0 Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html
This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
This issue has been addressed in following products: Red Hat JBoss Portal 6.1.0 Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html