JBoss Seam2 does not properly block access to EL constructs in page exception handling. This allowed arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a URL, containing appended, specially-crafted expression language parameters, provided to certain applications based on the JBoss Seam framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw.
This issue has been addressed in following products: JBEAP 4.3.0 for RHEL 5 JBEAP 4.3.0 for RHEL 4 Via RHSA-2011:0460 https://rhn.redhat.com/errata/RHSA-2011-0460.html
This issue has been addressed in following products: JBEAP 5 for RHEL 4 JBEAP 5 for RHEL 5 Via RHSA-2011:0461 https://rhn.redhat.com/errata/RHSA-2011-0461.html
This issue has been addressed in following products: JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 Via RHSA-2011:0463 https://rhn.redhat.com/errata/RHSA-2011-0463.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 4.3.0.CP09 and 5.1.0 Via RHSA-2011:0462 https://rhn.redhat.com/errata/RHSA-2011-0462.html
Acknowledgements: Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting this issue.
This issue has been addressed in following products: JBoss Communications Platform 5.1.1 Via RHSA-2011:1148 https://rhn.redhat.com/errata/RHSA-2011-1148.html
This issue has been addressed in following products: JBoss Enterprise Portal Platform 4.3 CP07 Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html