[
https://issues.apache.org/jira/browse/OFBIZ-12167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310592#comment-17310592 ]
ASF subversion and git services commented on OFBIZ-12167:
---------------------------------------------------------
Commit 340c98b3b0f23d2a418e4e6eb75d298171118206 in ofbiz-plugins's branch refs/heads/release18.12 from Jacques Le Roux
[
https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=340c98b ]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At
https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools and scrumm controllers, it should be
enough.
The tests pass
Conflicts handled by hand
scrum/servicedef/services.xml
> Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)
> ----------------------------------------------------------------------------------------
>
> Key: OFBIZ-12167
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12167> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/base
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.06
>
>
> Adds an example based on RMI which is known to be a problem
> This fixes CVE-2021-26295 and is available in last 17.12.06 package
--
This message was sent by Atlassian Jira
(v8.3.4#803005)