The HA Pooled Invoker accepts requests without authentication and deserializes any payload sent to it.
This is one of the attack vectors for CVE-2015-7501. Many gadget chains are available in the ysoserial project; for example, the BeanShell library can be used to build a malicious serialized object which, when deserialized by the HA Pooled Invoker servlet, allows remote code execution.
Name: Dennis Reed (Red Hat)
Any KCS already published on the topic: https://access.redhat.com/solutions/45530
Need to update the Installation Guides with a WARNING about unsecured Invokers, linking to KCS Solution 45530.
The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393
A proactive notification was sent to customers on 7 October.