Hi,
SAP has provided the following reply:
"SAP has received information about security deficiencies in some java
classes used in deserialization, used in a number of software products
of different vendors. These deficiencies are referred to under the
name of "java deserialization vulnerability#. Currently, this
vulnerability has been identified in some of the commonly used open
source libraries (Apache Groovy [CVE-2015-3253] and Apache Commons
Collections). SAP security teams are in the process of investigating
if SAP products are affected by the reported vulnerability.
SAP takes any security-related report very seriously. We will notify
our customers appropriately as relevant new information on this topic
becomes available.
We take the opportunity to remind you to increase the security of
your SAP systems by installing the available security patches.
For information on SAP's security notes and patches, please refer to -
https://support.sap.com/securitynotes "
Best regards,
Aleksi