Rule Definition
When Entity bean instance is to be passed by value as a detached object (e.g., through a remote interface), the entity class must implement the Serializable interface. Also, In some cases an OptimisticLockException will be thrown and wrapped by another exception, such as a RemoteException, when VM boundaries are crossed. Entities that may be referenced in wrapped exceptions should be Serializable so that marshalling will not fail. This issue can prevent the software from running reliably, e.g. by triggering an exeption. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.

Remediation
Implement Serializable and verify that each its instance variables implement serializable unless they inherit from a class that is serializable, is a transient field or a Java primitives..

Violation Code Sample

@Entity
public class ABean  { // VIOLATION
    private String str;
    private aClass field;
}

--------------------------------------
@Entity
public class ABean extends Bbean { 
    private String str;
    private aClass field;
    // violation as this class extends a class which doesnt implement serializable 

}

public class Bbean {
 
}

Fixed Code Sample

@Entity
public class ABean implements Serializable { // FIXED
    private String str;
    private aClass field;

}

--------------------------------------
@Entity
public class ABean extends Bbean { 
    private String str;
    private aClass field; // FIXED

}

public class Bbean implements serializable {
 
}

JSR 220: Enterprise JavaBeansTM,Version 3.0 - Java Persistence API : Requirements on the Entity Class page 17.