It was reported [1] that remote attackers can inject EL (Expression Language) via "do" parameter. This leads to remote Java method execution vulnerability. [1]: https://issues.jboss.org/browse/RF-13977
Acknowledgements: Red Hat would like to thank Takeshi Terada of Mitsui Bussan Secure Directions, Inc. for reporting this issue.
Created attachment 1005892 [details] patch commit diffs
Created wildfly tracking bugs for this issue: Affects: fedora-all [bug 1205373]
This issue has been addressed in the following products: Red Hat JBoss Web Framework Kit 2.7.0 Via RHSA-2015:0719 https://rhn.redhat.com/errata/RHSA-2015-0719.html
Upstream commit: https://github.com/richfaces/richfaces/commit/4c5ddae4d6ddcea591fa949762c1c79ac11cac99
Statement: This issue did not affect any version of Red Hat JBoss Enterprise Application Platform 5 as they did not include the vulnerable version of the RichFaces component. JBoss EAP 5.x includes versions 3.3.1.x of RichFaces; this vulnerability was introduced in version 4.x of RichFaces.