Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-6926

Replace the contrast Java agent by the notsoserial Java agent

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Trunk
    • 14.12.01, 16.11.01
    • tools/security
    • None
    • Bug Crush Event - 21/2/2015

    Description

      The goal is to replace the contrast Java agent by the notsoserial Java agent which can be used to protect OFBiz instances from possible Java serialize vulnerabilities.

      For that we need to modifie the *-secure targets (start-secure, start-batch-secure, start-pos-secure, start-both-secure) to use the notsoserial Java agent with its most secure setting.
      See https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability for more information

      The notsoserial Java agent is placed in the tools/security/notsoserial folder and a dependency-check folder created under the tools/security folder to move there the dependency-check files from the tools/security folder.

      The trunk demo will be using the notsoserial Java agent ASAP. The older ones will keep the contrast Java agent which should be enough as soon as we will comment out the RMI stuff in OFBiz.

      Users need to care anyway...

      Attachments

        Issue Links

          mentioned in

          Page Loading...

          Activity

            People

              jleroux Jacques Le Roux
              jleroux Jacques Le Roux
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: