It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it.
The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: <https://access.redhat.com/solutions/178393>
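To confirm whether either servlet named above is still deployed, the web application's `web.xml` can be audited for their class names and the URL patterns mapped to them. The following is an added example, not code from the advisory or the linked solution; the sample descriptor is constructed, and its package names, servlet names and URL patterns are placeholders.

```python
import xml.etree.ElementTree as ET

# Servlet class names taken from the advisory text.
FLAGGED_CLASS_NAMES = ("LegacyInvokerServlet", "PooledInvokerServlet")
# Constructed sample descriptor: package names and URL patterns are placeholders.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>LegacyInvoker</servlet-name>
    <servlet-class>placeholder.pkg.LegacyInvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Status</servlet-name>
    <servlet-class>placeholder.pkg.StatusServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LegacyInvoker</servlet-name>
    <url-pattern>/legacy/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so descriptors with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every direct child of elem whose local tag is name."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def find_invoker_servlets(web_xml_text):
    """Return [(servlet_name, servlet_class, [url_patterns])] for flagged classes."""
    root = ET.fromstring(web_xml_text)
    flagged, patterns = {}, {}
    for elem in root:
        names = _texts(elem, "servlet-name")
        if not names:
            continue
        if _local(elem.tag) == "servlet":
            for cls in _texts(elem, "servlet-class"):
                if cls.rsplit(".", 1)[-1] in FLAGGED_CLASS_NAMES:
                    flagged[names[0]] = cls
        elif _local(elem.tag) == "servlet-mapping":
            patterns.setdefault(names[0], []).extend(_texts(elem, "url-pattern"))
    return [(n, c, patterns.get(n, [])) for n, c in flagged.items()]

if __name__ == "__main__":
    for name, cls, urls in find_invoker_servlets(SAMPLE_WEB_XML):
        print(f"{name}: {cls} mapped at {urls or 'no mapping'}")
```

An empty result for every deployed descriptor means neither servlet class is declared there; a non-empty result lists the URL patterns that still reach the deserializing servlet.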