(Author of the OG Log4Shell post here)<p>I'm poking around at the Spring code and posting some notes about what I find on Twitter[0].<p>I'm not a Java expert so if anybody feels like chiming in to help connect the dots for others, please feel free. It's late over here so I'm just doing my best to help determine if this is a real problem or just fear mongering.<p>0: <a href="https://twitter.com/LunaSecIO/status/1509084844042510336" rel="nofollow">https://twitter.com/LunaSecIO/status/1509084844042510336</a><p>EDIT:<p>I wrote a basic vulnerable app on GitHub[1] that is helpful for finding the most "simple" payload that could trigger this RCE. If anybody with better Java skills than myself would be willing to poke at this for a sec, that'd be super appreciated.<p>I was using this guide[2] with the ysoserial section to generate a deserialization payload for this. I still don't have enough Java-fu to understand how to get that to fire though, and it's 3am so my brain is shot. Perhaps with these pointers somebody else can figure out that part to help sort out the impact around this possible RCE.<p>1: <a href="https://github.com/lunasec-io/spring-rce-vulnerable-app" rel="nofollow">https://github.com/lunasec-io/spring-rce-vulnerable-app</a><p>2: <a href="https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/" rel="nofollow">https://foxglovesecurity.com/2015/11/06/what-do-weblogic-web...</a>