[OFBIZ-12212] Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Blocker
Resolution: Done
Affects Version/s: Release Branch 17.12, Trunk, 18.12.01
Fix Version/s: 17.12.07, 18.12.01
Component/s: framework/service
Labels:
- CVE

Sprint:
Bug Crush Event - 21/2/2015

Description

The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:

After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.

I don't think we need a vote for that, but of course all opinions are welcome

Thanks

[1] ~~OFBIZ-12167~~ "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] ~~OFBIZ-6942~~ "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "