Hi,

Following the "recent" "news" about Java deserialization security issues, I decided to create:

https://github.com/kantega/invoker-defender/

This is a Java Agent which removes java.io.Serializable from classes known to be vulnerable to deserialization attacks. (Including InvokerTransformer)

I do not in any way consider this a complete solution to the problem since it only "fixes" a few well known classes. But it might be something people could consider as a mitigation effort while vendors/projects work on more long-term fixes.

Feedback is welcome.

Cheers,
Eirik.
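The following is an added example, not code from invoker-defender or from the poster. It shows the two things a practitioner would want after attaching an agent like this: a check that a named class no longer implements java.io.Serializable once loaded, and a demonstration of what that buys you. The probe hand-crafts the smallest valid serialization stream that names a class (magic, version, one TC_OBJECT with a field-less class descriptor) and feeds it to ObjectInputStream. If the local class is Serializable, the JVM instantiates it from those attacker-chosen bytes; if Serializable has been stripped, ObjectInputStream throws InvalidClassException ("class invalid for deserialization") before any instance is created. The classes Accepted and Stripped and the class name SerializableProbe are constructed for this example; org.apache.commons.collections.functors.InvokerTransformer is the real class name, and it is only resolvable if commons-collections is on the classpath. No gadget chain is built here; the probe only tells you whether the JVM is still willing to instantiate the class from a stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamConstants;
import java.io.Serializable;

public class SerializableProbe {

    // Constructed for this example: one class the JVM will instantiate from a stream,
    // and one that looks like a class after Serializable has been removed from it.
    static class Accepted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static class Stripped {
    }

    /** Loads the class without running its static initialiser and reports whether it is Serializable.
     *  Returns null when the class is not on the classpath. Run this after the agent is attached. */
    static Boolean isSerializable(String className) {
        try {
            Class<?> cls = Class.forName(className, false, SerializableProbe.class.getClassLoader());
            return Serializable.class.isAssignableFrom(cls);
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    /** Hand-crafts the smallest valid stream naming the class: one object with a descriptor and no fields. */
    static byte[] craftStream(String className, long suid) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);   // AC ED
        out.writeShort(ObjectStreamConstants.STREAM_VERSION); // 00 05
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);                              // the stream, not the application, picks the class
        out.writeLong(suid);                                  // must match the local class for a Serializable class
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);
        out.writeShort(0);                                    // zero fields
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA); // end of class annotation
        out.writeByte(ObjectStreamConstants.TC_NULL);         // no superclass descriptor
        out.flush();
        return bos.toByteArray();
    }

    /** Feeds the crafted stream to ObjectInputStream and reports what the JVM did with it. */
    static String attemptDeserialize(String className) {
        try {
            Class<?> cls = Class.forName(className, false, SerializableProbe.class.getClassLoader());
            // lookup() returns null for a class that is not Serializable; the suid is then irrelevant
            ObjectStreamClass osc = ObjectStreamClass.lookup(cls);
            long suid = (osc == null) ? 0L : osc.getSerialVersionUID();
            byte[] stream = craftStream(className, suid);
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
                Object o = in.readObject();
                return "INSTANTIATED " + o.getClass().getName();
            }
        } catch (InvalidClassException e) {       // must precede IOException, which it extends
            return "REJECTED: " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "NOT ON CLASSPATH";
        } catch (IOException e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) {
        String[] targets = args.length > 0 ? args : new String[] {
            Accepted.class.getName(),
            Stripped.class.getName(),
            "org.apache.commons.collections.functors.InvokerTransformer"
        };
        for (String name : targets) {
            System.out.printf("%-65s serializable=%-5s %s%n",
                name, isSerializable(name), attemptDeserialize(name));
        }
    }
}
```

Run it once with only the JDK on the classpath to see the baseline (Accepted is instantiated, Stripped is rejected, InvokerTransformer is not on the classpath), then again with commons-collections on the classpath, with and without `-javaagent:` pointing at the agent jar: the InvokerTransformer line should flip from INSTANTIATED to REJECTED, and isSerializable from true to false. The check is only as good as the list of classes you pass it, which is exactly the limitation the post describes; on JDK 9 and later the platform-level counterpart is the ObjectInputFilter mechanism from JEP 290, which rejects classes by name or pattern before they are instantiated rather than patching their bytecode.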