The current version of xerces (xercesImpl-2.9.1-jbossas-1.jar) is vulnerable to CVE-2009-2625

This vulnerability was fixed in xerces versions >= 2.10