CVE-2016-3690

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Name	Vendor	Start Version	End Version
Jboss_enterprise_application_platform	Redhat	4.2.0 (including)	4.2.0 (including)
Jboss_enterprise_application_platform	Redhat	4.3.0 (including)	4.3.0 (including)
Jboss_enterprise_application_platform	Redhat	5.0.0 (including)	5.0.0 (including)
Jboss_enterprise_application_platform	Redhat	5.1.0 (including)	5.1.0 (including)
Jboss_enterprise_application_platform	Redhat	5.1.1 (including)	5.1.1 (including)
Jboss_enterprise_application_platform	Redhat	5.1.2 (including)	5.1.2 (including)
Jboss_enterprise_application_platform	Redhat	5.2.0 (including)	5.2.0 (including)

Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-3690
CWE	https://cwe.mitre.org/data/definitions/502.html

Deserialization of Untrusted Data