It was discovered that Spring Framework contained an undisclosed directory traversal vulnerability. A remote attacker could use this flaw to access arbitrary files on a server bypassing security restrictions that are otherwise in place.

References:
http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html
This is now public. According to the upstream report, this is fixed in 3.2.0 and does not seem to affect 4.x.

External References:
http://www.pivotal.io/security/cve-2014-3578
https://jvn.jp/en/jp/JVN49154900/
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1138950]
Red Hat JBoss BRMS 5 and Red Hat JBoss Enterprise Portal Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
Red Hat JBoss Portal is now in Maintenance Support phase, receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the JBoss Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/