...
CVE-2008-5353 describes a Java vulnerability discovered in August 2008 by Sami Koivu [CVE 2008]. Julien Tinnes subsequently wrote an exploit that allowed arbitrary code execution on multiple platforms running vulnerable versions of Java. The problem resulted from deserializing untrusted input from within a privileged context. The vulnerability involves the sun.util.Calendar.ZoneInfo class, which, being serializable, is deserialized by the readObject() method of the ObjectInputStream class.
...
Bibliography
...