PT-2011-3676 · Red Hat · JBoss Seam 2+3

David Jorm · Published 2011-07-27 · Updated 2023-02-13 · CVE-2011-2196

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

JBoss Seam 2 framework versions 2.2.x and earlier
Red Hat JBoss Enterprise SOA Platform versions 4.3.0.CP05 and 5.1.0
JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) versions 4.3.0, 4.3.0.CP09, and 5.1.1
JBoss Enterprise Web Platform version 5.1.1
Description

The JBoss Seam 2 framework does not properly restrict Expression Language (EL) statements in FacesMessages during page exception handling. A remote attacker can exploit this to execute arbitrary Java code by sending a crafted URL to an affected application.
Recommendations

JBoss Seam 2 framework versions 2.2.x and earlier: restrict the use of Expression Language statements in FacesMessages during page exception handling until a proper fix is applied.
Red Hat JBoss Enterprise SOA Platform versions 4.3.0.CP05 and 5.1.0: update to a version that includes the complete fix for the issue.
JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) versions 4.3.0, 4.3.0.CP09, and 5.1.1: update to a version that includes the complete fix for the issue.
JBoss Enterprise Web Platform version 5.1.1: update to a version that includes the complete fix for the issue.
Temporary workaround: disable the use of Expression Language statements in FacesMessages during page exception handling to reduce the risk of exploitation until the fix is applied.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2011-2196
RHSA-2011:0945
RHSA-2011:0946
RHSA-2011:0947
RHSA-2011:0948
RHSA-2011:0950

Affected Products

Red Hat JBoss Enterprise Application Platform
JBoss Enterprise Portal Platform
JBoss Enterprise Web Platform
JBoss Seam 2