Re: Comment out the SOAP and HTTP engines?
Posted by Nicolas Malin-2 on
URL: http://ofbiz.116.s1.nabble.com/Comment-out-the-SOAP-and-HTTP-engines-tp4767218p4767344.html
+1
Let each integrator enable this, along with the related security it needs.
Nicolas
On 25/03/2021 18:35, Jacques Le Roux wrote:
> Hi,
>
> After the recent fix for CVE-2021-26295 [1], we discussed with the
> security team the opportunity and need to comment out the SOAP and
> HTTP engines, like we did in the past for RMI [2], obviously for
> security reasons.
>
> I don't think we need a vote for that, but of course all opinions are
> welcome
>
> Thanks
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-12167 "Adds a
> blacklist (to be renamed soon to denylist) in Java serialisation
> (CVE-2021-26295)"
> [2] https://issues.apache.org/jira/browse/OFBIZ-6942 "Comment out RMI
> related code because of the Java deserialization issue [CVE-2016-2170]"
>
> Jacques
>
>
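For readers who want to see what "comment out the SOAP and HTTP engines" means in practice, the fragment below is an added illustration, not a patch from the thread or from the OFBiz project. It assumes the service engine registry lives in framework/service/config/serviceengine.xml and that the engine names and class names are as I recall them from the OFBiz tree (http -> HttpEngine, soap -> SOAPClientEngine, rmi -> RmiServiceEngine); verify both against your own checkout before applying. The RMI entry is shown already disabled, as it has been since OFBIZ-6942, and the two new entries follow the same convention so an integrator who needs one of them can re-enable it deliberately.

```xml
<!-- Added example, not the project's own serviceengine.xml.
     Path and class names are assumptions; check them in your checkout. -->
<service-engine name="default">

    <!-- Engines that stay enabled by default (unchanged) -->
    <engine name="entity-auto" class="org.apache.ofbiz.service.engine.EntityAutoEngine"/>
    <engine name="java"        class="org.apache.ofbiz.service.engine.StandardJavaEngine"/>
    <engine name="groovy"      class="org.apache.ofbiz.service.engine.GroovyEngine"/>

    <!-- Disabled since OFBIZ-6942 because of Java deserialization risk
         (CVE-2016-2170). Re-enable only if you have reviewed and restricted
         what the remote endpoint can send. -->
    <!--
    <engine name="rmi" class="org.apache.ofbiz.service.engine.RmiServiceEngine"/>
    -->

    <!-- Proposed in this thread: same treatment for the remote-call engines.
         An integrator who needs SOAP or HTTP service invocation uncomments
         the relevant line and takes responsibility for the surrounding
         controls (authentication, network exposure, serialization denylist). -->
    <!--
    <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/>
    <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/>
    -->

</service-engine>
```

A quick check after editing is to grep the file for engine names that are still live (`grep -n '<engine name=' framework/service/config/serviceengine.xml`) and confirm that only the engines you intend to expose appear outside XML comments; any service definition that still references a disabled engine will fail to dispatch, which is the intended fail-closed behaviour.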