Multiple security flaws were found in the way the Spring Framework and Spring Security deserialized certain Java objects received from a client. A remote attacker could use these flaws to execute arbitrary commands on the server (Spring Framework: by serializing a sub-classed DefaultListableBeanFactory instance from the client to the server and using it to reach the "java.lang.Runtime" class) or to bypass the server-side checking of a submitted authentication token (Spring Security).
Sample PoC (from ):
It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.
Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.
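The token-bypass pattern described above, reduced to plain Java as an added example (this is not code from the advisory, the PoC author, or the Spring project). Token, UserToken and AlwaysAuthenticated are constructed stand-ins for the Authentication interface and its implementations; the allowlisting ObjectInputStream is a generic hardening pattern, not the vendor's fix. The crafted object is a java.lang.reflect.Proxy whose serializable InvocationHandler answers true to isAuthenticated(), which a server that trusts the deserialized object's own state accepts; the hardened server refuses dynamic proxies and unknown classes while reading the stream, and decides authentication from its own records rather than from a flag the client set.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

public class ProxyTokenDemo {

    // Constructed stand-in for the remoting token interface; not Spring's Authentication.
    public interface Token extends Serializable {
        String getName();
        boolean isAuthenticated();
    }

    // Honest token the server would itself produce after verifying credentials.
    public static final class UserToken implements Token {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final boolean authenticated;
        UserToken(String name, boolean authenticated) { this.name = name; this.authenticated = authenticated; }
        public String getName() { return name; }
        public boolean isAuthenticated() { return authenticated; }
    }

    // Attacker side: a Serializable InvocationHandler that reports the token as authenticated.
    // A java.lang.reflect.Proxy serializes whenever its handler is Serializable.
    public static final class AlwaysAuthenticated implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        AlwaysAuthenticated(String name) { this.name = name; }
        public Object invoke(Object proxy, Method m, Object[] args) {
            switch (m.getName()) {
                case "isAuthenticated": return Boolean.TRUE;
                case "getName":         return name;
                case "toString":        return "proxy-token(" + name + ")";
                case "hashCode":        return System.identityHashCode(proxy);
                case "equals":          return proxy == args[0];
                default: throw new UnsupportedOperationException(m.getName());
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Naive server: deserializes whatever arrives and believes the object's own isAuthenticated().
    static boolean naiveServerAccepts(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            Token t = (Token) ois.readObject();
            return t.isAuthenticated();
        }
    }

    // Only the server's own token class may appear as a class descriptor in the stream (assumed allowlist).
    static final Set<String> ALLOWED = Set.of(UserToken.class.getName());

    // Hardened server: refuse dynamic proxies and any non-allowlisted class while reading,
    // then derive the authentication decision from server-side records, not from the token.
    static boolean hardenedServerAccepts(byte[] wire, Set<String> knownUsers) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire)) {
            @Override protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
                throw new InvalidClassException("dynamic proxies are not accepted on this endpoint");
            }
            @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not on the deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            Token t = (Token) ois.readObject();
            return knownUsers.contains(t.getName());
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> users = Set.of("alice");   // constructed server-side user store
        byte[] honest = serialize(new UserToken("alice", true));
        Token forged = (Token) Proxy.newProxyInstance(Token.class.getClassLoader(),
                new Class<?>[] { Token.class }, new AlwaysAuthenticated("mallory"));
        byte[] crafted = serialize(forged);

        System.out.println("naive server, honest token:     " + naiveServerAccepts(honest));
        System.out.println("naive server, crafted proxy:    " + naiveServerAccepts(crafted));
        System.out.println("hardened server, honest token:  " + hardenedServerAccepts(honest, users));
        System.out.println("hardened server, crafted proxy: " + hardenedServerAccepts(crafted, users));
    }
}
```

Run with `javac ProxyTokenDemo.java && java ProxyTokenDemo`. The naive server accepts the crafted proxy because it asks the attacker-controlled object whether it is authenticated; the hardened server never gets that far, since resolveProxyClass is invoked before any proxy field is read and rejects the stream. The same resolveClass allowlist is the generic defence against the Spring Framework variant described above, where the dangerous payload is an ordinary (sub-classed) object rather than a proxy: a bean-factory class that the endpoint has no business deserializing is simply not on the list.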
This issue has been addressed in the following products:
JBoss Enterprise SOA Platform 5.1.0
Via RHSA-2011:1334 https://rhn.redhat.com/errata/RHSA-2011-1334.html