Login  Register

[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options Options
Embed post
Permalink
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines

Nicolas Malin (Jira)
106048 posts

    [ https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310585#comment-17310585 ]

ASF subversion and git services commented on OFBIZ-12212:
---------------------------------------------------------

Commit 643b9c7ea7dfc3e9df4b80527bf83d162f3bc39f in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=643b9c7 ]

Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:

    After the recent fix for the CVE-2021-26295[1] we discussed with the security
    team about the opportunity need to comment out the SOAP and HTTP engines
    like we did in the past for RMI[2], this obviously for security reason.

    [1] OFBIZ-12167 "Adds a blacklist (to be
    renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
    [2] OFBIZ-6942 "Comment out RMI related
    code because of the Java deserialization issue [CVE-2016-2170] "

I just put a small comment in webtools controller, it should be enough.

The tests pass


> Comment out the SOAP and HTTP engines
> -------------------------------------
>
>                 Key: OFBIZ-12212
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12212
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/service
>    Affects Versions: 18.12.01, Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>
> The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)