[jira] [Created] (OFBIZ-12212) Comment out the SOAP and HTTP engines

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Created] (OFBIZ-12212) Comment out the SOAP and HTTP engines

Nicolas Malin (Jira)
Jacques Le Roux created OFBIZ-12212:
---------------------------------------

             Summary: Comment out the SOAP and HTTP engines
                 Key: OFBIZ-12212
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12212
             Project: OFBiz
          Issue Type: Improvement
          Components: framework/service
    Affects Versions: Trunk, 18.12.01
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux


The the SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:
{quote}
After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.

I don't think we need a vote for that, but of course all opinions are welcome

Thanks

[1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
{quote}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)