I see some ransomware among other things get distributed in this manner.
So that got me thinking: what about the library B4XSerializator? Is it vulnerable to this attack? Does that library use whitelist/blacklist deserialization and class construction?
Note: Just a guess. No. B4XSerializator only serializes / deserializes a fixed number of objects/primitive types (Lists, Arrays, Maps, Strings, primitive types and user defined types). Any other object will cause an error during deserialization. As of now, it does not generate a generic object for an unknown type.
B4XSerializator is not affected by this as it doesn't execute any code when it creates objects.
RandomAccessFile.ReadObject (unlike ReadB4XObject) is based on Java serialization. Based on the list of known vulnerable classes it is not likely to affect B4J programs. Anyway, if you don't use raf.ReadObject in your code and only use the recommended ReadB4XObject or B4XSerializator then your program will be safe from this exploit.
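As an added illustration (not code from this thread or from the B4X libraries), the Java sketch below applies the same property described above, resolving only a fixed set of types and raising an error for anything else, to a plain Java ObjectInputStream of the kind ReadObject is built on. The allowlist contents and the FixedTypeObjectInputStream name are assumptions; it needs Java 9+ for Set.of.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class FixedTypeObjectInputStream extends ObjectInputStream {
    // Assumed allowlist: the only class descriptors this stream will resolve.
    // Integer is serialized with its Serializable superclass Number, so both are listed.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Double",
        "java.lang.Boolean", "java.lang.Number", "java.util.HashMap", "java.util.ArrayList",
        "[B", "[I", "[Ljava.lang.String;");

    public FixedTypeObjectInputStream(InputStream in) throws IOException { super(in); }

    // Called for every class descriptor in the stream before the class is loaded or
    // instantiated, so an unknown type fails here instead of having its code run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "type not in the fixed allowlist");
        }
        return super.resolveClass(desc);
    }

    public static Object readFixedTypes(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FixedTypeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain map of the kind an application might persist.
        Map<String, Object> m = new HashMap<>();
        m.put("name", "example");
        m.put("count", 3);
        ByteArrayOutputStream ok = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(ok)) { out.writeObject(m); }
        System.out.println("accepted: " + readFixedTypes(ok.toByteArray()));

        // A type outside the list (java.util.Date here) is rejected before it is loaded.
        ByteArrayOutputStream bad = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bad)) { out.writeObject(new java.util.Date()); }
        try { readFixedTypes(bad.toByteArray()); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```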