April 7th 2017
A deserialization vulnerability has been found in the socket appender and socket receiver in Logback, which is used by Play. This affects all versions of Play from 2.0.0 through 2.5.13.
Play includes integration with Logback through SLF4J. Logback has functionality that enables logging events to be sent over a network, using Java Serialization.
Using Logback in Play itself does not result in vulnerability as per the default Play configuration, but if Logback has been specifically configured to use SocketAppender or ServerSocketReceiver, then Play is vulnerable.