Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the same class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?
If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some in another programming language?
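One design that avoids the weakness class the question refers to (a binder that walks nested property paths from the form object to `getClass()`, its class loader and beyond) is a binder that binds only an explicit allow-list of flat property names and refuses any nested path. The plain-JDK class below is an added illustration of that design; it is not code from Spring or from any library the posters mention, and the names `AllowListBinder`, `UserForm` and the sample request parameters are constructed for this example.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Hypothetical minimal binder (added example, not Spring or library code).
// Two properties keep the CVE-2010-1622 / CVE-2022-22965 pattern out of reach:
//  1. only explicitly allow-listed property names are ever bound;
//  2. a parameter name containing '.' or '[' is rejected before any
//     reflection happens, so the binder never traverses from the target
//     object to other objects such as its Class or ClassLoader.
public final class AllowListBinder {

    public static final class BindException extends Exception {
        BindException(String msg) { super(msg); }
    }

    private final Set<String> allowedFields;

    public AllowListBinder(Set<String> allowedFields) {
        this.allowedFields = Set.copyOf(allowedFields);
    }

    public void bind(Object target, Map<String, String> params) throws BindException {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            if (name.contains(".") || name.contains("[")) {
                throw new BindException("nested property paths are not supported: " + name);
            }
            if (!allowedFields.contains(name)) {
                throw new BindException("field is not in the allow-list: " + name);
            }
            // Only a public String setter on the target itself is ever invoked.
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            try {
                Method m = target.getClass().getMethod(setter, String.class);
                m.invoke(target, e.getValue());
            } catch (ReflectiveOperationException ex) {
                throw new BindException("no String setter for field: " + name);
            }
        }
    }

    // Constructed sample form bean.
    public static final class UserForm {
        private String username;
        private String email;
        public void setUsername(String v) { username = v; }
        public void setEmail(String v) { email = v; }
        public String getUsername() { return username; }
        public String getEmail() { return email; }
    }

    public static void main(String[] args) {
        AllowListBinder binder = new AllowListBinder(Set.of("username", "email"));
        UserForm form = new UserForm();
        try {
            // Constructed well-formed request: both names are allow-listed, flat setters run.
            binder.bind(form, Map.of("username", "alice", "email", "alice@example.test"));
            System.out.println("bound: " + form.getUsername() + " / " + form.getEmail());
            // Constructed nested path in the shape of the two CVEs: rejected before reflection.
            binder.bind(form, Map.of("class.classLoader.x", "anything"));
        } catch (BindException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

For an existing Spring MVC application the equivalent control is Spring's own `WebDataBinder`: an `@InitBinder` method (per controller, or globally via `@ControllerAdvice`) can call `setAllowedFields(...)` with the form's own property names so that anything outside that list, nested paths included, is never bound.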
Depends a lot on how many Spring apps out there have the prereqs to be vulnerable. The widespread nature of Log4Shell is what made it “worse” than other RCE vulns. I don’t have a sense of how many vulnerable instances of this one might be out there but the number could be enormous.
Whether or not this turns out to have the same blast radius as Log4Shell, it has certainly captured a lot of attention. Lots and lots of folks using Tomcat...