If a class implements Externalizable, the readExternal and writeExternal methods must be provided. Unfortunately, these methods are public and, consequently, can be called by hostile code, which can potentially overwrite the internal state of the object at any point during program execution.
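The overwrite described above, next to one way to guard against it, as an added example that is not part of the original page. The class names, the owner field and the streamOf helper are hypothetical, and the initialized flag is an assumed mitigation that lets readExternal populate an object only once.

```java
import java.io.*;

public class ExternalizableGuardDemo {
    // Hypothetical class: any caller can re-run readExternal on a live object.
    public static class Unguarded implements Externalizable {
        protected String owner;
        public Unguarded() {}                        // public no-arg constructor required by Externalizable
        public Unguarded(String owner) { this.owner = owner; }
        @Override public void writeExternal(ObjectOutput out) throws IOException {
            out.writeUTF(owner);
        }
        @Override public void readExternal(ObjectInput in) throws IOException {
            owner = in.readUTF();                    // overwrites state on every call
        }
    }

    // Same field, but state can be loaded from a stream at most once.
    public static final class Guarded extends Unguarded {
        private final Object lock = new Object();
        private boolean initialized;                 // guarded by lock
        public Guarded() {}                          // deserialization path: not yet initialized
        public Guarded(String owner) { super(owner); initialized = true; }
        @Override public void readExternal(ObjectInput in) throws IOException {
            synchronized (lock) {
                if (initialized) {
                    throw new IllegalStateException("readExternal called on initialized object");
                }
                owner = in.readUTF();
                initialized = true;
            }
        }
    }

    // Constructed sample input: a stream carrying one UTF string.
    static ObjectInput streamOf(String value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeUTF(value); }
        return new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));
    }

    public static void main(String[] args) throws Exception {
        Unguarded u = new Unguarded("alice");
        u.readExternal(streamOf("mallory"));         // direct call replaces the live object's state
        System.out.println("unguarded owner: " + u.owner);
        Guarded g = new Guarded("alice");
        try { g.readExternal(streamOf("mallory")); } catch (IllegalStateException e) {
            System.out.println("guarded rejected: " + e.getMessage());
        }
        System.out.println("guarded owner: " + g.owner);
    }
}
```

The Guarded constructor that takes an argument sets the flag itself, so an object built in code is protected as well as one produced by deserialization.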
...