Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-12212

Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]

Attach filesAttach ScreenshotVotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Blocker
    • Resolution: Done
    • Release Branch 17.12, Trunk, 18.12.01
    • 17.12.07, 18.12.01
    • framework/service
    • Bug Crush Event - 21/2/2015

    Description

      The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
      Of cause it must be clearly documented how to use them if needed.

      Here is the email content:

      After the recent fix for the CVE-2021-26295[1] we discussed with the security
      team about the opportunity need to comment out the SOAP and HTTP engines
      like we did in the past for RMI[2], this obviously for security reason.

      I don't think we need a vote for that, but of course all opinions are welcome

      Thanks

      [1] OFBIZ-12167 "Adds a blacklist (to be
      renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
      [2] OFBIZ-6942 "Comment out RMI related
      code because of the Java deserialization issue [CVE-2016-2170] "

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            jleroux Jacques Le Roux
            jleroux Jacques Le Roux
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Agile

                Completed Sprint:
                Bug Crush Event - 21/2/2015 ended 26/Feb/15
                View on Board

                Slack

                  Issue deployment