JBoss is vulnerable to remote code execution (RCE). The vulnerability exists because JBoss allows the embedding of class files, which lets remote attackers execute arbitrary code via a crafted static initializer.
docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3/html-single/Release_Notes_CP09/index.html
securitytracker.com/id?1024813
www.redhat.com/security/updates/classification/#important
www.redhat.com/support/errata/RHSA-2010-0937.html
www.redhat.com/support/errata/RHSA-2010-0938.html
www.redhat.com/support/errata/RHSA-2010-0939.html
www.redhat.com/support/errata/RHSA-2010-0940.html
access.redhat.com/errata/RHSA-2010:0937
bugzilla.redhat.com/show_bug.cgi?id=633859
issues.jboss.org/browse/SOA-2319