Posted to notifications@ofbiz.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/04/21 08:03:00 UTC

[jira] [Commented] (OFBIZ-12592) Prevent possible DOS attack done using Java deserialisation

    [ https://issues.apache.org/jira/browse/OFBIZ-12592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17525498#comment-17525498 ] 

ASF subversion and git services commented on OFBIZ-12592:
---------------------------------------------------------

Commit 957a088f572fb4e58da3357ac8e5e9138f4efde2 in ofbiz-framework's branch refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=957a088f57 ]

Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592)

The previous commit was twice wrong:
1. System properties in gradle.properties are not defined using -D but using
systemProp.
2. Anyway, systemProp. defines system properties that are only available in the JVM where
Gradle is running, not in the application you run. For that you need to use
applicationDefaultJvmArgs in application in the main build.gradle.

Here is the system property for jdk.serialFilter


> Prevent possible DOS attack done using Java deserialisation
> -----------------------------------------------------------
>
>                 Key: OFBIZ-12592
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12592
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> Qing Xu, a security reporter, alerted us that, despite no current vulnerability, it might be possible to do DOS attacks using Java deserialisation. That has been fixed with https://openjdk.java.net/jeps/290 and even implemented in Java 8 (https://blogs.oracle.com/java/post/filter-incoming-serialization-data-a-little-of-jdk-9-goodness-available-now-in-current-release-families), but it needs a little effort on our side.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
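Added example, not OFBiz code and not part of the commit or the Jira issue above: a stand-alone Java 9+ program that shows what the JEP 290 filter installed by jdk.serialFilter does against the deserialisation DoS the issue is about. It builds a deliberately deep chain of serialisable objects, deserialises it once without a filter and once with a pattern filter that caps nesting depth (maxdepth) and allowlists only the example's own class (everything else is rejected by the trailing !*). The pattern grammar is exactly the one accepted by -Djdk.serialFilter=...; the difference is that the property applies to every ObjectInputStream in the JVM it is passed to, which is why, as the commit message says, it has to reach the application JVM (applicationDefaultJvmArgs in the application block for a Gradle application-plugin build) and not only Gradle's own JVM via systemProp. in gradle.properties. The first line of main prints System.getProperty("jdk.serialFilter") so you can see which JVM the property actually landed in. The class and method names (SerialFilterDemo, Node, serializeChain, deserialize), the chain lengths and the pattern string are the example's own assumptions. On Java 8u121+ the same API exists as sun.misc.ObjectInputFilter, with Config.setObjectInputFilter(ois, filter) instead of ois.setObjectInputFilter(filter).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not OFBiz code). Demonstrates a JEP 290 serialization filter
 * on a deep object graph of the kind used for deserialization DoS.
 * Requires Java 9+ (java.io.ObjectInputFilter).
 */
public class SerialFilterDemo {

    /** Hypothetical linked node: a chain of N of these nests N levels deep when read back. */
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        Node next;
    }

    /** Serialize a singly linked chain of the given length to a byte array. */
    static byte[] serializeChain(int length) throws IOException {
        Node head = null;
        for (int i = 0; i < length; i++) {
            Node n = new Node();
            n.next = head;
            head = n;
        }
        return serialize(head);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with the given pattern filter (null = no stream-specific filter).
     * Returns "OK" or the rejection reason. A REJECTED filter status surfaces as
     * InvalidClassException("filter status: REJECTED").
     */
    static String deserialize(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (pattern != null) {
                // Same grammar as -Djdk.serialFilter=..., but scoped to this one stream.
                ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            }
            ois.readObject();
            return "OK";
        } catch (InvalidClassException e) {
            return "REJECTED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // null here means no -Djdk.serialFilter reached THIS JVM (e.g. it was only set for Gradle's JVM).
        System.out.println("jdk.serialFilter = " + System.getProperty("jdk.serialFilter"));

        byte[] shallow = serializeChain(5);
        byte[] deep = serializeChain(500);      // deep enough to exceed maxdepth=100 below
        byte[] map = serialize(new HashMap<>()); // a JDK class that is not on the allowlist

        // Limits are checked first, then patterns in order; first matching pattern wins.
        String filter = "maxdepth=100;SerialFilterDemo$Node;!*";

        // Run this without -Djdk.serialFilter so the "no filter" case really is unfiltered.
        System.out.println("shallow, no filter : " + deserialize(shallow, null));
        System.out.println("deep,    no filter : " + deserialize(deep, null));
        System.out.println("shallow, filtered  : " + deserialize(shallow, filter));
        System.out.println("deep,    filtered  : " + deserialize(deep, filter));
        System.out.println("HashMap, filtered  : " + deserialize(map, filter));
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`; the two unfiltered reads succeed, the filtered shallow chain succeeds, and the filtered deep chain and the HashMap are rejected. Running it a second time as `java -Djdk.serialFilter='maxdepth=100;!*' SerialFilterDemo` shows the property reaching the JVM in the first output line and the process-wide filter rejecting even the "no filter" reads, which is the behaviour the OFBiz application JVM gets once the argument is passed through applicationDefaultJvmArgs rather than gradle.properties.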