However, the discovery and PoC provided by Tenable were rejected by the Zero Day Initiative before the vulnerability was brought to the attention of the Pivotal Security team. On May 4, 2016, the Spring Framework team responded that this was not unintentional behavior and provided the following commentary:
“Do not use Java serialization for external endpoints, in particular not for unauthorized ones. HTTP invoker is not a well-kept secret (or an ‘oversight’) but rather the typical case of how a Spring application would expose serialization endpoints to begin with… he has a point that we should make this case all across our documentation, including the javadoc. But I don’t really see a CVE case here, just a documentation improvement.”
While the Pivotal team acknowledged the dangers of deserializing untrusted input streams, it left the responsibility for safe configuration and use of the HTTP invoker to developers. Pivotal followed up by including a warning to developers in the subsequent 4.2.6 and 3.2.17 release documentation.