The JMX servlet in JBoss EAP 4 and 5 is exposed on port 8080/TCP with authentication by default. Communication with the servlet uses serialized Java objects encapsulated in HTTP requests and responses, and the server deserializes the objects it receives. This behavior can be exploited to cause a denial of service and potentially execute arbitrary code.
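A detection sketch for the transport described above, added here as an example and not taken from the advisory or from JBoss: it flags HTTP request bodies that carry a Java serialization stream (header bytes AC ED 00 05) and lists the class names the stream declares, so they can be compared against an allowlist. The request path, host name, class names and allowlist are constructed for illustration, and the class-name scan is a heuristic, not a full stream parser.

```python
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION from the Java serialization spec
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
CLASS_NAME = re.compile(rb"[A-Za-z_$\[][\w.$\[;]*")

def declared_classes(stream: bytes) -> list:
    """Heuristic scan for the class names carried by TC_CLASSDESC records."""
    names, i = [], len(STREAM_HEADER)
    while (i := stream.find(bytes([TC_CLASSDESC]), i)) != -1 and i + 3 <= len(stream):
        (n,) = struct.unpack(">H", stream[i + 1:i + 3])
        name = stream[i + 3:i + 3 + n]
        # After the name: 8-byte serialVersionUID, 1 flag byte, 2-byte field count.
        if 0 < n == len(name) and i + 14 + n <= len(stream) and CLASS_NAME.fullmatch(name):
            names.append(name.decode("ascii"))
            i += 14 + n
        else:
            i += 1
    return names

def inspect_request(raw: bytes, allowlist: set) -> dict:
    """Report whether an HTTP request body holds a serialized stream and which classes it names."""
    head, _, body = raw.partition(b"\r\n\r\n")
    offset = body.find(STREAM_HEADER)
    classes = declared_classes(body[offset:]) if offset != -1 else []
    return {
        "request": head.split(b"\r\n", 1)[0].decode("latin-1"),
        "serialized": offset != -1,
        "unexpected": sorted(set(classes) - allowlist),
    }

def sample_stream(class_name: str) -> bytes:
    """Constructed input: one serialized object of a field-less class."""
    name = class_name.encode("ascii")
    return (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name))
            + name + struct.pack(">q", 1) + b"\x02\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))

def sample_request(body: bytes) -> bytes:
    """Constructed HTTP request; path and host are placeholders, not JBoss values."""
    return (b"POST /constructed/endpoint HTTP/1.1\r\nHost: eap.example:8080\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    allow = {"com.example.Allowed"}  # constructed allowlist
    print(inspect_request(sample_request(sample_stream("com.example.Ping")), allow))
    print(inspect_request(sample_request(b"user=alice&role=reader"), allow))
```

The same check can run over captured request bodies at a reverse proxy or in packet captures for port 8080/TCP; a non-empty `unexpected` list is the signal worth alerting on.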
Acknowledgments: Federico Dotta (Mediaservice.net), Maurizio Agazzini (Mediaservice.net)