A default cipher key is used for the "remember me" feature when not explicitly configured. A request that included a specially crafted request parameter could be used to execute arbitrary code or access content that would otherwise be protected by a security constraint. References: http://seclists.org/oss-sec/2016/q2/466
This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.3 Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.3 Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html