Re: Comment out the SOAP and HTTP engines?
Posted by Jacques Le Roux
URL: http://ofbiz.116.s1.nabble.com/Comment-out-the-SOAP-and-HTTP-engines-tp4767218p4767315.html
I created https://issues.apache.org/jira/browse/OFBIZ-12212 for that
On 25/03/2021 at 20:41, Michael Brohl wrote:
> +1
>
> Michael
>
>> On 25.03.2021 at 18:35, Jacques Le Roux <[hidden email]> wrote:
>>
>> Hi,
>>
>> After the recent fix for CVE-2021-26295 [1], we discussed with the security team the opportunity/need to comment out the SOAP and HTTP engines,
>> like we did in the past for RMI [2], obviously for security reasons.
>>
>> I don't think we need a vote for that, but of course all opinions are welcome.
>>
>> Thanks
>>
>> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
>> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"
>>
>> Jacques
>>