
Cause: A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code.
Remark: Researchers have found complex object graphs which, when deserialized, can lead to remote code execution in most Java software.
Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization