Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Three known security issues in LEM 6.2.1


Thanks RT.

 

I know we discussed Slowloris before I left SolarWinds, I was surprised I couldn't find a blog post or comment. One mitigating factor to many of the Tomcat (and related) attacks is that the LEM console is intended to be used on the internal network, so a low severity attack is somewhat lower. Ultimately it'd be nice to come up clean. We talked about limiting the number of connections to some arbitrary high number around the time of LEM 6.2, but I didn't find it in the release notes so I don't think it was changed.

 

We had also discussed permanently firewalling off port 10009 because it's only used internally, so that change is probably pending as well. Port 10009 is only used for portions of the CMC/appliance management console that need to connect back to perform UI-like operations (kind of like an API), and there is authentication expected on that connection as well (unless it's coming from 127.0.0.1).

 

There's always the chance some of these could be false positives based on what's publicly accessible that can't actually be compromised (e.g. version info but there's a backported patch) - do you have any more details on the RMI issue beyond what you posted that might indicate what the scanner was checking for that trigger?

 

I also didn't see wolram comment on this thread when he investigated the other one, maybe he has additional details.

