Mojarra 2 will re-evaluate param/model values as EL expressions when includeViewParameters is set to true. This flaw allows an attacker to inject EL expressions.
External References:
http://java.net/jira/browse/JAVASERVERFACES-2247
http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/
Statement: Not vulnerable. This issue affects the Mojarra 2 package, which is not shipped with any Red Hat products.
I tested Wildfly Swarm (7.0.0.redhat-8) using the testcase from upstream and found it's not affected. https://github.com/jboss/mojarra/tree/svn/tags/2.1.5/jsf-test/JAVASERVERFACES-2247
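
A defensive check for the flaw described at the top of this page, as an added example (not code from Mojarra, Red Hat or the linked test case): it scans access-log lines for query parameters whose decoded value contains an EL opener (`#{` or `${`), including percent-encoding applied more than once. The log format, the path `/page.xhtml` and the parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# EL expressions open with "#{" (deferred) or "${" (immediate).
EL_OPEN = re.compile(r"[#$]\{")
# Request target from a common-log-format line (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %2523%257B is still seen as '#{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def el_params(target):
    """Return [(name, decoded_value)] for query parameters carrying an EL opener."""
    # Split on the first '?' by hand: a raw '#' in a logged target is data here,
    # not a fragment separator.
    _, _, query = target.partition("?")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if EL_OPEN.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return [(line_number, param_name, decoded_value)] for suspicious requests."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for name, value in el_params(match.group(1)):
                findings.append((number, name, value))
    return findings


# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    '203.0.113.5 - - [10/Nov/2011:10:00:01 +0000] "GET /page.xhtml?name=alice HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Nov/2011:10:00:02 +0000] "GET /page.xhtml?name=%23%7Ba%7D HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Nov/2011:10:00:03 +0000] "GET /page.xhtml?name=%2524%257Bb%257D HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Nov/2011:10:00:04 +0000] "GET /page.xhtml?q=price%3A%2410 HTTP/1.1" 200 512',
]
```

A hit only means an EL delimiter reached a request parameter; whether the application evaluates it depends on the JSF implementation and on whether includeViewParameters is in use.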