The remote web server is running Apache TomEE 1.x prior to 1.7.4 or 7.x prior to 7.0.0-M3 and is affected by two RCE vulnerabilities :
- A flaw exists in ‘EjbObjectInputStream’ that is triggered during the deserialization of Java serialized input in the binary stream. This may allow a remote attacker to execute arbitrary code. (CVE-2015-8581)
- A flaw in the EJBd protocol that is triggered during the deserialization of crafted Java Objects. This may allow a remote attacker to execute arbitrary code. Exploitation requires that EJBd is enabled on an instance (the default setting) (CVE-2016-0779)