httpha-invoker is vulnerable to arbitrary code execution. The invoker servlets, deployed by default via httpha-invoker, performed access control only on the HTTP GET and POST methods, allowing remote attackers to make unauthenticated requests by using different HTTP methods. Because a security interceptor provides a second layer of authentication, this issue is not exploitable on default installations unless an administrator has misconfigured or disabled the security interceptor.
rhn.redhat.com/errata/RHSA-2011-1456.html
rhn.redhat.com/errata/RHSA-2011-1798.html
rhn.redhat.com/errata/RHSA-2011-1799.html
rhn.redhat.com/errata/RHSA-2011-1800.html
rhn.redhat.com/errata/RHSA-2011-1805.html
rhn.redhat.com/errata/RHSA-2011-1822.html
rhn.redhat.com/errata/RHSA-2012-0091.html
rhn.redhat.com/errata/RHSA-2012-1028.html
secunia.com/advisories/47169
secunia.com/advisories/47866
access.redhat.com/errata/RHSA-2011:1800
access.redhat.com/security/updates/classification/#low
access.redhat.com/support/offerings/techpreview/
bugzilla.redhat.com/show_bug.cgi?id=750422
docs.redhat.com/docs/en-US/index.html