HI Homer,

This issue I beleieve that you are asking about is with the JBoss https invoker is an issue that existed in versions 4 and 5. This security loophole has been closed within versions 6 and 7 so depending on the version you are running it, may not be an issue for you. You can still apply the fix if you are worried about it. I am including the document from HP regarding this issue. It is simply deleting the http-invoker.sar file and then restarting the services. Here are the steps:

Remove the http-invoker.sar component completely
For cluster deployment, do the following steps on each node.
????
Solution
???
Go to /jboss/server/default/deploy
(Where is the path where the ALM is installed)
Delete the http-invoker.sar directory Restart the ALM server.
Secure configuration of http-invoker.sar component

If you choose not to remove the http-invoker.sar component, follow JBoss documentation on configuration
for securing the component.

If you look at the log files it should list the java version within it. IT will be listed as java.version and will be a 1. x.x_x number, such as 1.6.0_17. The first x in this case the 6 is the java version number of the naming convention.

Here is another way to find the version if debug is enabled:
http://eyeontesting.com/questions/5661/how-can-i-tell-which-version-of-java-my-qcalm-vers.html

Hope this helps.