Do you have a subscription and use an EAP version? In that case you should open a support case via the Red Hat portal or check the downloads for your version.
A security patch should be provided there.
I don't have a subscription.
Unfortunately you won't get a fix for this, even if you use EAP bits.
So maybe you can have a look at the Apache Commons statement on the widespread Java object de-serialisation vulnerability: The Apache Software Foundation Blog
for hints and a solution. But I'm not sure whether that works with such an old JBoss version.