[
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311419#comment-17311419 ]
ASF subversion and git services commented on OFBIZ-12212:
---------------------------------------------------------
Commit e5809580bb469322ed4f999fa8ee5abc15a06a05 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[
https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e580958 ]
Documented: Comment out the SOAP and HTTP engines (OFBIZ-12212)
Documents that the EntitySync feature is no longer available OOTB.
You need first to re allow the HTTP engine
> Comment out the SOAP and HTTP engines
> -------------------------------------
>
> Key: OFBIZ-12212
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12212> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/service
> Affects Versions: 18.12.01, Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
> Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
>
> mThe SOAP and HTTP engines are open doors to security issues. At
https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
