We have identified multiple remote code execution vulnerabilities in the most popular Java serialization libraries. These libraries are used in popular frameworks like Struts 2, Spring, and Groovy, as well as popular apps like Bamboo, Jenkins, and more.
A language-neutral framework for analyzing serializers will be discussed, along with a deep dive into the most interesting individual CVEs.