The Java deserialization vulnerability can be exploited to take control of
application servers remotely. It affects any application that deserializes
Java objects it receives from an untrusted source. The issue has been known
for a while, but it attracted little attention because, until now, there was
no publicly available exploit for it. The root cause is that applications do
not validate or restrict untrusted input before deserializing it: a plain
ObjectInputStream.readObject() call instantiates whatever classes the stream
names, and those classes' deserialization hooks run before the caller ever
sees the result.
What makes this flaw so nasty is that the exploitable code is not in Java
itself but in a widely used library, so any application that both
deserializes untrusted data and has that library on its classpath is exposed.
Inventorying which libraries a given piece of software bundles is
notoriously difficult. Several major enterprise software packages have
already been updated as a result. The harder problem is internally written
software, and custom software procured from third parties, where nobody may
know the library is present.
http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug-is-a-big-deal/d/d-id/1323237?