[jira] [Commented] (OFBIZ-6942) Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-6942) Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-6942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310593#comment-17310593 ]

ASF subversion and git services commented on OFBIZ-6942:
--------------------------------------------------------

Commit 340c98b3b0f23d2a418e4e6eb75d298171118206 in ofbiz-plugins's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=340c98b ]

Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:

    After the recent fix for the CVE-2021-26295[1] we discussed with the security
    team about the opportunity need to comment out the SOAP and HTTP engines
    like we did in the past for RMI[2], this obviously for security reason.

    [1] OFBIZ-12167 "Adds a blacklist (to be
    renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
    [2] OFBIZ-6942 "Comment out RMI related
    code because of the Java deserialization issue [CVE-2016-2170] "

I just put a small comment in webtools and scrumm controllers, it should be
enough.

The tests pass

Conflicts handled by hand
  scrum/servicedef/services.xml


> Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6942
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6942
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: CVE
>             Fix For: 14.12.01, 13.07.03, 15.12.01
>
>
> Because of the danger of Java deserialization when using RMI, we (PMC) have decided to comment out RMI related code.
> We decided to comment out as less as possible because when, in the start and both properties, the rmi part is off and the RMI test services are off there is no RMI related danger left (RMI test services are not a danger but would fail during tests run).
> It's then easier for users who need RMI in their projects to have only to uncomment those and not digg everywhere.
> Note that since the naming (JNDI) server relies on the rmi loader it will also fail.
> You can get more information in wiki page linked below in the "Issue Links" section.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)