Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: ALL COMPONENTS
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      The goal of this virtual issue is only to group together all OFBiz security issues (pending or closed).

      This issue should never be closed

        Issue Links

        1. Remaining XSRF issues (Sub-task, Closed, Jacques Le Roux)
        2. Passwords are not salted (Sub-task, Open, Adam Heath)
        3. Secure URLs exceptions (Sub-task, Closed, Jacques Le Roux)
        4. Secure targets in widget forms (Sub-task, Closed, Jacques Le Roux)
        5. special security should be required for setting passwords (Sub-task, Open, Unassigned)
        6. entity encrypt columns not using encryption salt value? (Sub-task, Closed, Adam Heath)
        7. Additional Validation for Password : Make password pattern driven (Sub-task, Closed, Jacques Le Roux)
        8. Analysis of code vulnerabilities (Sub-task, Closed, Unassigned)
        9. Update commons collections to 3.2.2 because of known possible exploit [CVE-2016-2170] (Sub-task, Closed, Jacques Le Roux)
        10. Update Groovy to 2.4.5 version [CVE-2016-2170] (Sub-task, Closed, Jacopo Cappellato)
        11. Add session tracking mode and make cookie secure (Sub-task, Closed, Deepak Dixit)
        12. Set widget default url encode value to true (Sub-task, Closed, Jacques Le Roux)
        13. XSS vulnerability in OFBiz forms and screens especially in display-entity component (Sub-task, Closed, Jacques Le Roux)
        14. Security concern in the way to populate parameters map in the context (Sub-task, Closed, David E. Jones)
        15. Security : The remote web server is prone to cross-site scripting attacks. (Sub-task, Closed, Scott Gray)
        16. Secure URLs (Sub-task, Closed, Jacques Le Roux)
        17. Cross site scripting vulnerability in Forum (Sub-task, Closed, David E. Jones)
        18. html code is not sanitized in all the text input field (Sub-task, Closed, David E. Jones)
        19. Passwords in POS are shown in clear text (Sub-task, Closed, Jacques Le Roux)
        20. Cross Site Scripting Vulnerability (XSS) (Sub-task, Closed, David E. Jones)
        21. Poodle-disable sslv3 (Sub-task, Closed, Jacques Le Roux)
        22. Update embedded Tomcat to 7.0.57 (Sub-task, Closed, Jacques Le Roux)
        23. POI security fix (Sub-task, Closed, Jacques Le Roux)
        24. Upgrade Tomcat version to 6.0.24 (Sub-task, Closed, Erwan de FERRIERES)
        25. Updates Tomcat to 7.0.65 (Sub-task, Closed, Jacques Le Roux)
        26. Upgrade Axis2 to 1.6.3 (Sub-task, Closed, Jacques Le Roux)
        27. Update Spring Framework (Sub-task, Closed, Jacques Le Roux)
        28. Update the passport component to use httpclient/core-4.4.1 instead of commons-httpclient-3.1 (Sub-task, Closed, Shi Jinghai)
        29. Remove useless and vulnerable hadoop-hdfs-2.2.0.jar (Sub-task, Closed, Jacques Le Roux)
        30. Secure HTTP headers (Sub-task, In Progress, Jacques Le Roux)
        31. The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties (Sub-task, Closed, Jacques Le Roux)
        32. Use only HTTPS in OFBiz (Sub-task, In Progress, Jacques Le Roux)
        33. Remove forceManualJsessionid feature (Sub-task, Closed, Jacques Le Roux)
        34. Get rid of the session-cookie-accepted feature (Sub-task, Closed, Jacques Le Roux)
        35. Remove all sessionsIds put in URLs (Sub-task, Closed, Jacques Le Roux)
        36. Remove forceHttpSession feature (Sub-task, Closed, Jacques Le Roux)
        37. Hide sessionId in logs by default, show them using a properties (Sub-task, Closed, Jacques Le Roux)
        38. Update Xalan libs to version 2.7.2 because of CVE-2014-0107 (Sub-task, Closed, Jacques Le Roux)
        39. Update Tomcat to 7.0.68 (Sub-task, Closed, Jacques Le Roux)
        40. Upgrade Tomcat to 8.0.33 (Sub-task, Closed, Jacques Le Roux)
        41. Upgrade Axis2 to 1.7.1 (Sub-task, Closed, Jacques Le Roux)
        42. Replace the contrast Java agent by the notsoserial Java agent (Sub-task, Closed, Jacques Le Roux)
        43. Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] (Sub-task, Closed, Jacques Le Roux)
        44. Update XStream lib to prevent XML External Entity (XXE) Processing (Sub-task, Closed, Jacques Le Roux)
        45. Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey (Sub-task, Closed, Jacques Le Roux)
        46. Remove duplicated jars under solr component (Sub-task, Closed, Shi Jinghai)
         

          Activity

          Jacques Le Roux added a comment -

          Marco,

          I voluntarily put "unknown" as the component, as this is a cover (or hat, if you prefer) issue whose goal is to group together potential security issues. In other words, this issue should never be closed, as we don't know in advance which components might be affected by a security issue.

          Moreover, ecommerce is already concerned by some potential security issues ;o)

          Marco Risaliti added a comment -

          Sorry Jacques, I had not seen that it was a grouped bug.
          In this case I usually set, in grouped bugs, the sum of the components used by the detailed issues.
          I didn't like unknown components.
          Otherwise we can add a new fictitious component, GROUPED ISSUES, and assign this component to this type of issue.

          Thanks
          Marco

          Jonathon Wong added a comment -

          > Note that there are no proved security issue currently, just possible breaches.

          Perhaps no one has taken the time to breach the security related to these issues. However, it doesn't take much time to do so! Certain "patterns" of security mechanisms are quite textbook; the violation of these "patterns" invariably means a security hole. Proving these textbook cases is easy via maths or logic. Proving via experimentation isn't much more difficult.

          Is it a policy to wait for an actual reported breach before a textbook case is resolved? In some of my projects, I was subject to a "security audit" (like an "interview" for OFBiz) before I could even qualify for tender. None of my projects could use OFBiz security "as is"; they all needed a replacement security module.

          David E. Jones added a comment -

          Not sure what Jacques was going for with the whole proving thing... but I agree that this is no reason to not work on things.

          Your comments (Jonathon) seem to forget the driving force behind OFBiz. There is no policy per se on this, because the only policies that exist are there to coordinate contributions. For these particular problems the basic fact is that if no one contributes a fix, there will be no fix in the project. That is the definition of "community driven".

          Scott Gray added a comment -

          I think the "policy" is a bit more like this:
          If you want it, either do it or pay someone else to do it.

          Sumit Pandit added a comment -

          OFBIZ-4958 is looking for member's attention. Please have a look.

          Thanks
          Sumit Pandit

          Jacques Le Roux added a comment -

          Yes don't worry Sumit, I did not forget it...

          Sumit Pandit added a comment -

          Thanks Jacques.


            People

            • Assignee: Unassigned
            • Reporter: Jacques Le Roux
            • Votes: 0
            • Watchers: 7
