The JBoss Seam 2 framework is an application framework for building web applications in Java.
It was found that the fix for CVE-2011-1484 was incomplete: JBoss Seam 2 did not block access to all malicious JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw. (CVE-2011-2196)
Red Hat would like to thank the ObjectWorks+ Development Team at Nomura Research Institute for reporting this issue.
All users of JBoss Enterprise Application Platform 4.3.0.CP09 as provided from the Red Hat Customer Portal are advised to install this update. Refer to the Solution section for information about installing the update.