The Legion of the Bouncy Castle Java Cryptography APIs are vulnerable to remote code execution via a deserialization bug. The cause is a lack of class checking when deserializing XMSS/XMSS^MT private keys that carry BDS state information.
lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223
github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574
github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6
github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc
lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
security.netapp.com/advisory/ntap-20190204-0003/
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html