FYI: уязвимость в Spring Framework, позволяющая удалённо запускать произвольный код:
http://www.networkworld.com/news/2013/011713-java-spring-framework-265923.html
https://bugzilla.redhat.com/show_bug.cgi?id=737608
«software developers whose applications build on Spring could be at risk and are advised to turn off the expression-language feature. ...
Spring will likely disable the expression-language feature by default in the next version»