GlassFish is vulnerable to remote code execution. The JMXMPConnectorStarter was not updated to take into account Oracle's fix for CVE-2016-3427, in which a remote, unauthenticated attacker able to connect to a JMX port could use the flaw to trigger deserialization of untrusted data. GlassFish installations that use this listener therefore remain exposed to a similar remote code execution vulnerability.
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.securityfocus.com/bid/101347
www.securitytracker.com/id/1039606
github.com/payara/Payara/commit/1cc2f12678a414286b7f0cc28a2abf32a0c3b6ea
github.com/payara/Payara/pull/1209
www.sourceclear.com/blog/How-we-found-exploitable-zero-days-in-the-open-source-GlassFish-server-with-the-Security-Graph-Language/