Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-6942

Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]

    Details

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      Because of the danger of Java deserialization when using RMI, we (PMC) have decided to comment out RMI related code.

      We decided to comment out as less as possible because when, in the start and both properties, the rmi part is off and the RMI test services are off there is no RMI related danger left (RMI test services are not a danger but would fail during tests run).

      It's then easier for users who need RMI in their projects to have only to uncomment those and not digg everywhere.

      Note that since the naming (JNDI) server relies on the rmi loader it will also fail.

      You can get more information in wiki page linked below in the "Issue Links" section.

        Issue Links

          Activity

          Hide
          jacques.le.roux Jacques Le Roux added a comment -

          Done in
          trunk r1735569
          R15.12 r1735570
          R14.12 r1735571

          There are conflicts in older releases, looking at it...

          Show
          jacques.le.roux Jacques Le Roux added a comment - Done in trunk r1735569 R15.12 r1735570 R14.12 r1735571 There are conflicts in older releases, looking at it...
          Hide
          jacques.le.roux Jacques Le Roux added a comment -

          Done in
          R13.07 r1735585
          Too much work in R12.04

          Show
          jacques.le.roux Jacques Le Roux added a comment - Done in R13.07 r1735585 Too much work in R12.04
          Hide
          jacques.le.roux Jacques Le Roux added a comment - - edited

          This can be simpler as Jacopo explained on dev ML: http://markmail.org/message/dukv5glk3elilo5z

          Show
          jacques.le.roux Jacques Le Roux added a comment - - edited This can be simpler as Jacopo explained on dev ML: http://markmail.org/message/dukv5glk3elilo5z
          Hide
          jacques.le.roux Jacques Le Roux added a comment - - edited

          Done in
          trunk r1736083+r1736087
          R15.12 r1736084+r1736088
          R14.12 r1736085+r1736089
          R13.07 r1736092+1736154

          Show
          jacques.le.roux Jacques Le Roux added a comment - - edited Done in trunk r1736083+r1736087 R15.12 r1736084+r1736088 R14.12 r1736085+r1736089 R13.07 r1736092+1736154
          Hide
          jacques.le.roux Jacques Le Roux added a comment -

          Note: you don't need to revert the 1st set of commits

          Show
          jacques.le.roux Jacques Le Roux added a comment - Note: you don't need to revert the 1st set of commits
          Hide
          jacques.le.roux Jacques Le Roux added a comment -

          But you need to do an "ant clean build" to have the change applied in an already compiled working copy

          Show
          jacques.le.roux Jacques Le Roux added a comment - But you need to do an "ant clean build" to have the change applied in an already compiled working copy

            People

            • Assignee:
              jacques.le.roux Jacques Le Roux
              Reporter:
              jacques.le.roux Jacques Le Roux
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development

                  Agile