HP Business Service Management (BSM) 9.12 does not properly restrict the uploading of .war files, which allows remote attackers to execute arbitrary JSP code within the JBOSS Application Server component via a crafted request to TCP port 1098, 1099, or 4444.
http://www.securitytracker.com/id?1027075
http://www.securityfocus.com/bid/53556
http://www.kb.cert.org/vuls/id/859230