We have identified multiple remote code execution vulnerabilities in the most popular Java serialization libraries. These libraries are used by widely deployed frameworks and languages such as Struts 2, Spring, and Groovy, as well as by applications such as Bamboo and Jenkins, among others.
The talk presents a language-neutral framework for analyzing serializers, followed by a deep dive into the most interesting of the individual CVEs.
Arshan is an accomplished security researcher who has presented original offensive and defensive research at Black Hat, OWASP, and other venues. He is a co-founder of Contrast Security, a company that uses binary instrumentation to provide real-time application security analytics.