
The first thing I thought was "written in Java". The more straightforward headline would have been better, I think.



Not to get too pedantic, but Java need not be involved, though it will certainly be the most common language involved. Anything running on a JVM (including Clojure, Scala, JRuby, etc.) could have the vulnerability if it uses the Apache Commons Collections library, or some other library that does (which is probably a lengthy list).


The straightforward headline would be "Security flaw in commons-collection deserialization". The anti-java snark really isn't welcome.


It's not really a problem with commons-collections and unfair to color it as their issue. It's like blaming the library that is part of a ROP chain for the exploit. The issue is what gets you in first, which is instantiating objects without any thought as to what they are from untrusted sources.

Something that is called out in the Java secure coding guidelines:

http://www.oracle.com/technetwork/java/seccodeguide-139067.h...

and is something that goes way back in many languages. It seems to be a vuln pattern that keeps getting repeated sadly.
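The mitigation the comment above points at, instantiating only the classes an endpoint actually expects, as an added example that is not from this thread or from any of the libraries named in it. The `Greeting` type, the allowlist and the sample streams are constructed for the example; the only real mechanism is `ObjectInputStream.resolveClass`, which runs for each class descriptor before that class is loaded or instantiated.

```java
import java.io.*;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserialization {
    // A tiny value object standing in for a real wire message (constructed for this example).
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // The only class this endpoint ever expects to instantiate from the wire.
    static final Set<String> ALLOWED = Collections.singleton(Greeting.class.getName());

    // ObjectInputStream that rejects any class outside the allowlist before it is even resolved,
    // so no static initializer, constructor or readObject of an unexpected class ever runs.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(byte[] data) throws IOException {
            super(new ByteArrayInputStream(data));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) new AllowlistObjectInputStream(serialize(new Greeting("hello"))).readObject();
        System.out.println("accepted: " + g.text);

        // Any other type in the stream (a harmless HashMap stands in for an unexpected payload) is rejected.
        try {
            new AllowlistObjectInputStream(serialize(new HashMap<String, String>())).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allowlist can be expressed with `java.io.ObjectInputFilter` (JEP 290) instead of subclassing, which also lets you cap array sizes and graph depth.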


It's also not specific to Commons Collections - the same escape is available through Spring and Groovy as well.

http://www.infoq.com/news/2015/11/commons-exploit


That wasn't anti-Java snark. I was complaining that the headline format suggests some unusual thing in common for those projects. But it would immediately occur to you that they are all Java-based.



