Some neat #javadeser exploit research here https://twitter.com/_tint0/status/1202565357417967616
This is cool: #javadeser exploitation guide by @_surefire_ and @jhartftw and ysoserial payload generation support in @metasploit twitter.com/metasploit/status/110799...
Some awesome exploit chaining here, including discovering a new #javadeser gadget https://twitter.com/_tint0/status/1105829944200974336
CVE-2019-0192 #javadeser RCE vuln in Apache Solr <7.0 via JMX
https://issues.apache.org/jira/browse/SOLR-13301
Looks like another unsafe java deserialization RCE vuln in Adobe ColdFusion
helpx.adobe.com/security/products/coldfu... #javadeser
Pre-auth root RCE #javadeser vuln in Cisco Unity Express.
"A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user."
https://t.co/VymaSYdZjj
Write-ups on three recent WebLogic #javadeser RCEs (translated from Chinese):
https://t.co/bj9sMw8Iyc
https://t.co/EDYpZh09sm
Who could have possibly guessed that #javadeser gadget blacklisting would be such an ineffective strategy... https://twitter.com/pyn3rd/status/1052486677493624832
This sounds like a pretty awesome upcoming #javadeser talk by @ianhaken twitter.com/BlackHatEvents/status/10...
Good news: Oracle apparently planning to drop the current native serialization API from Java sometime in the future because of recent security trouble. #javadeser
www.infoworld.com/article/3275924/java/ora...
Nice. CSRF to shell. Exploiting JRMP/RMI/JMX #javadeser vulns on priv networks from javascript running in web browsers. https://t.co/I9PEZPn0W9
"an attacker on the internet gaining code execution on one of your local systems by tricking you into visiting some malicious website"
I see the game of #javadeser gadget whack-a-mole is going well. twitter.com/GossiTheDog/status/99062...
Some cool #javadeser gadget construction techniques using manually crafted/tampered serialization streams twitter.com/kaidentity/status/954012...
Cool write-up on a bypass for the gadget-side patch for the original Groovy #javadeser RCE gadget chain.
Please don't rely on gadget whack-a-mole and heed the ZDI advice: "When accepting data … from an untrusted source, … avoid general-purpose deserialization …" https://t.co/tSh1o6GsXP
Sweet, WebLogic #javadeser exploits made an appearance in most recent Mr. Robot episode (#BewareSpoilers)
Cool piece on blindly bruteforcing the right ysoserial #javadeser RCE gadget chain
I'd suggest a first pass with @gebl's simple URLDNS gadget to confirm unsafe deserialization before proceeding with stuff like this https://twitter.com/ptrsec/status/930413608433078272
Some good #javadeser slides and exercises here twitter.com/joaomatosf/status/923528...
Please don't play #javadeser gadget whack-a-mole, and, to beat a dead horse: don't deserialize untrusted data. https://twitter.com/nickstadb/status/922949100634382336
Cool research and tools for enumerating, abusing, and exploiting Java RMI services via #javadeser payloads https://twitter.com/nickstadb/status/908351765254479872
ColdFusion #javadeser vuln: "unsafe Java deserialization that could result in remote code execution (CVE-2017-11283, CVE-2017-11284)" https://twitter.com/nickstadb/status/907673124686229505
Detailed post on some of the nuts and bolts of #javadeser format and exploits twitter.com/FSDominguez/status/90661...
This is like the greatest hits of Java RCE vulns: both Struts2 and XML deserialization #struts2 #javadeser https://twitter.com/kennwhite/status/905123013938388992
Worth noting that Clojure is the 6th most popular mvn dep per https://mvnrepository.com/popular. Please don't deserialize untrusted data #javadeser https://twitter.com/ianhaken/status/887729361205448704
And the #javadeser saga continues twitter.com/brainsmoke/status/879757...
Some more upcoming stuff on security of alternative #javadeser formats/impls to watch for https://twitter.com/pwntester/status/866687430665142273
An epic survey of #javadeser RCE vulns/exploits across 13 different Java serialization technologies by Moritz Bechler. Pretty epic work. twitter.com/oss_security/status/8666...
The *real* #javadeser vuln is that ObjectInputStream and Serializable javadocs *still* say nothing of risks in deserializing untrusted data
Kudos @matthias_kaiser, you've been immortalized in a poetic Russian #javadeser hacking folk tale in a metasploit pull request https://twitter.com/hdmoore/status/819407501015871492
Pure JRE 8u20 #javadeser RCE gadget. Nice work @pwntester! https://twitter.com/pwntester/status/748658544598212608
Great to see @OpenJDK folks making #javadeser security improvements, hopefully including some warnings in the docs twitter.com/jodastephen/status/74859...