The AEM team at Adobe has been working closely with the open source project NotSoSerial to assist in mitigating the vulnerabilities described in CVE-2015-7501. NotSoSerial is licensed under the Apache 2 license and includes ASM code licensed under its own BSD-like license.
The agent jar included with this package is Adobe's modified distribution of NotSoSerial. For more information, see the Revision History section below.
NotSoSerial is a Java-level solution to a Java-level problem and is not AEM specific. It adds a preflight check to every attempt to deserialize an object: before a class named in the serialized stream is resolved, its name is tested against a firewall-style whitelist and/or blacklist, and a class that fails the check is rejected before it can be instantiated. Because the default blacklist contains only a small number of classes, enabling the agent is unlikely to affect your systems or code.
By default, the agent performs a blacklist check against the classes currently known to be exploitable. This blacklist is intended to protect you from the exploits currently circulating that use this type of vulnerability; a class that is not on the list is not blocked.
The blacklist and whitelist can be configured by following the instructions in the Configuring the Agent section of this article.
The agent is intended to help mitigate exploitation of the latest known vulnerable classes. If your project deserializes untrusted data, it may still be vulnerable to denial-of-service attacks (including out-of-memory attacks built from classes the check allows) and to future deserialization exploits that use classes not yet on the blacklist. The only complete fix is to avoid deserializing untrusted data.
Adobe officially supports Java 6, 7, and 8; our understanding is that NotSoSerial also supports Java 5.
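The following is an added example of the kind of preflight check described above, written here as an ObjectInputStream subclass so it can be run without installing an agent; it is not the NotSoSerial agent's code, and the blacklist and whitelist entries, the Greeting sample class and the `org.example.evil.` prefix are constructed for the demonstration. It shows the blacklist-only mode accepting a harmless object, the same object being rejected once its class is blacklisted, and a configured whitelist rejecting a class it does not cover.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Illustrative preflight check on deserialization (example code, not the
 * NotSoSerial agent). A class name read from the stream is tested against a
 * blacklist and an optional whitelist before the class is resolved, so a
 * rejected class is never loaded or instantiated.
 */
public class PreflightObjectInputStream extends ObjectInputStream {

    private final List<String> blacklist; // class-name prefixes that are always rejected
    private final List<String> whitelist; // class-name prefixes allowed; empty = no whitelist

    public PreflightObjectInputStream(InputStream in, List<String> blacklist, List<String> whitelist)
            throws IOException {
        super(in);
        this.blacklist = blacklist;
        this.whitelist = whitelist;
    }

    /** Firewall-style decision: blacklist wins, then the whitelist if one is configured. */
    boolean allowed(String className) {
        for (String prefix : blacklist) {
            if (className.startsWith(prefix)) {
                return false;
            }
        }
        if (whitelist.isEmpty()) {
            return true; // blacklist-only mode
        }
        for (String prefix : whitelist) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false; // a whitelist is configured and this class is not on it
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed(name)) {
            // Fail here, before the JVM loads or instantiates the class.
            throw new InvalidClassException(name, "rejected by deserialization preflight check");
        }
        return super.resolveClass(desc);
    }

    /** Harmless serializable type used as constructed sample input. */
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, List<String> blacklist, List<String> whitelist)
            throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new PreflightObjectInputStream(new ByteArrayInputStream(bytes), blacklist, whitelist);
        try {
            return ois.readObject();
        } finally {
            ois.close();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Greeting("hello"));
        List<String> blacklist = Arrays.asList("org.example.evil."); // hypothetical blocked prefix
        List<String> noWhitelist = Collections.emptyList();

        // 1. Blacklist-only mode, class not on the list: accepted.
        Greeting g = (Greeting) deserialize(payload, blacklist, noWhitelist);
        System.out.println("accepted: " + g.text);

        // 2. Same payload, but its class is now blacklisted: rejected before instantiation.
        try {
            deserialize(payload, Arrays.asList(Greeting.class.getName()), noWhitelist);
        } catch (InvalidClassException e) {
            System.out.println("rejected (blacklist): " + e.getMessage());
        }

        // 3. A whitelist that does not cover the class: also rejected.
        try {
            deserialize(payload, blacklist, Arrays.asList("java.util."));
        } catch (InvalidClassException e) {
            System.out.println("rejected (not whitelisted): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PreflightObjectInputStream.java && java PreflightObjectInputStream`. Note that a class-name check of this kind bounds neither the size nor the depth of the object graph, so a denial-of-service payload assembled entirely from allowed classes still passes it; that is the limitation the caveat above describes.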