[OFBIZ-6942] Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: 14.12.01, 13.07.03, 15.12.01
Component/s: framework
Labels:
- CVE

Sprint:
Bug Crush Event - 21/2/2015

Description

Because of the danger of Java deserialization when using RMI, we (PMC) have decided to comment out RMI related code.

We decided to comment out as less as possible because when, in the start and both properties, the rmi part is off and the RMI test services are off there is no RMI related danger left (RMI test services are not a danger but would fail during tests run).

It's then easier for users who need RMI in their projects to have only to uncomment those and not digg everywhere.

Note that since the naming (JNDI) server relies on the rmi loader it will also fail.

You can get more information in wiki page linked below in the "Issue Links" section.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 18/Mar/16 10:25

Updated:: 29/Mar/21 11:30

Resolved:: 21/Mar/16 20:45