Example from Springsource, as explained by Wouter Coekaerts, showing why clients should not be trusted.
Affected: Applications that have Spring AOP on the classpath and deserialize a stream from an untrusted source
Result: Arbitrary code execution
Short version: The problem is that the JdkDynamicAopProxy, DefaultListableBeanFactory and some other Spring classes are Serializable and can be configured to execute arbitrary code when the application uses these deserialized objects.
The vulnerability has been fixed in Spring by making it impossible to deserialize a DefaultListableBeanFactory except through the SerializedBeanFactoryReference. And the id used by the SerializedBeanFactoryReference has been made easier to configure because it should not be predictable by a client.
ERROR, “CVE-2011-2894” is valid CVE format, but CVE was not found.