This FAQ (a living document, updated once in a while) covers some questions I've been asked after talking about Java deserialization vulnerabilities at conferences over the last few months.
After the major rise in awareness in 2015, the well-known topic of remote code execution (RCE) during deserialization of untrusted (Java) data has gained many new aspects and facets as new research was performed. This deeper research led to new findings (gadgets, endpoints, protection attempts, bypass techniques, etc.).
As this fast-paced development in the last months might have left some people's questions unanswered, I try to shed some more light on this by providing some sort of FAQ, mainly aimed at developers.