...
Vulnerability CVE-2008-5339 concerns a series of vulnerabilities in Java. In one of the vulnerabilities, an applet causes an object to be deserialized using ObjectInputStream.readObject(), but the input is controlled by an attacker. The object actually read in is a serializable subclass of ClassLoader, and it has a readObject() method that stashes the object instance into a static variable; consequently the object survives the serialization even though a later security check fails. As a result, the applet has managed to construct a ClassLoader object, bypassing the restrictions against doing so in an applet, and that ClassLoader allows it to define classes that are not subject to the security restrictions of an applet. A more complete description of the vulnerability is available at http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html. The vulnerability is described in depth in SER37-J. Do not deserialize from a privileged context.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...