It was found that some utility classes in Drools core did not use proper safeguards when deserializing data. An authenticated attacker could construct malicious serialized objects (usually called gadgets) and use this flaw to achieve code execution on the server.
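One kind of safeguard for Java deserialization is an allow-list filter on the stream. The sketch below is an added example, not Drools code or the project's fix. It assumes Java 9 or later (`java.io.ObjectInputFilter`), and the class names `FilteredDeserialization`, `RuleConfig` and `Unexpected` are hypothetical.

```java
import java.io.*;
import java.util.Set;

public class FilteredDeserialization {
    // Hypothetical application type that the caller expects to receive.
    static class RuleConfig implements Serializable {
        final String name; final int priority;
        RuleConfig(String name, int priority) { this.name = name; this.priority = priority; }
    }
    // Stand-in for any Serializable class the caller never intended to accept.
    static class Unexpected implements Serializable { }

    private static final Set<Class<?>> EXPECTED = Set.of(RuleConfig.class, String.class);

    // Allow-list filter: consulted as each class descriptor is read, before any
    // instance of that class is created. It also bounds the object graph size.
    static ObjectInputFilter.Status allowList(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > 10 || info.references() > 1_000 || info.streamBytes() > 65_536)
            return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback
        return EXPECTED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                    : ObjectInputFilter.Status.REJECTED;
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FilteredDeserialization::allowList);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected type, one type outside the allow-list.
        RuleConfig ok = (RuleConfig) readFiltered(serialize(new RuleConfig("discount", 5)));
        System.out.println("accepted: " + ok.name);
        try {
            readFiltered(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the `setObjectInputFilter` call, `readObject()` will instantiate any `Serializable` class available on the classpath, which is the condition gadget-based attacks depend on.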