A remote user may be able to execute arbitrary code in the context of the Access Manager application. The user would need to create an XML signature that would be viewed locally with the Access Manager. The privileges of the Access Manager would be the same as those of the web container application that it is run from. This could result in access to the hosting system.
The original advisory is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201538-1