Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/02/16 21:43:14 UTC

svn commit: r1730747 - /ofbiz/trunk/tools/security/notsoserial/README.txt

Author: jleroux
Date: Tue Feb 16 20:43:14 2016
New Revision: 1730747

URL: http://svn.apache.org/viewvc?rev=1730747&view=rev
Log:
No functional change, I forgot to replace the content of this README.txt file, copied from the dependency check folder, by the content for the notsoserial Java agent.

Modified:
    ofbiz/trunk/tools/security/notsoserial/README.txt

Modified: ofbiz/trunk/tools/security/notsoserial/README.txt
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/notsoserial/README.txt?rev=1730747&r1=1730746&r2=1730747&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/notsoserial/README.txt (original)
+++ ofbiz/trunk/tools/security/notsoserial/README.txt Tue Feb 16 20:43:14 2016
@@ -1,4 +1,7 @@
-This is only given as an example. It uses the https://www.owasp.org/index.php/OWASP_Dependency_Check command line option
-To have it working you must have the dependency-check command line option correctly installed.
+The notsoserial Java agent was introduced to protect your OFBiz instance from the infamous Java serialize vulnerability if you use RMI, JMX or Spring and maybe other Java classes we don't use OOTB in OFBiz.
+We (PMC) decided to comment out RMI OOTB but we also decided to provide a simple way to protect yourself from all possible Java serialize vulnerabilities.
 
-In any cases be sure to check https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
\ No newline at end of file
+While working on the serialize vulnerability, I (Jacques Le Roux) stumbled upon this article https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/ and found notsoserial was a Java agent better than the Contrast one I introduced at r1717058. Because notsoserial easily protects you from all possible serialize vulnerabilities as explained at https://github.com/kantega/notsoserial#rejecting-deserialization-entirely
+So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735 + r1730736. To be safe in case you use RMI for instance, use one of the start*-secure ant targets or use the JVM arguments those targets use.
+
+You might find more information at https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability
\ No newline at end of file
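Review bot: the new text tells readers to "use one of the start*-secure ant targets or use the JVM arguments those targets use" but never names those arguments, so anyone who starts OFBiz another way (from an IDE or a service wrapper) cannot reproduce the protection; spell out the -javaagent line and the notsoserial configuration the secure targets pass. The claim that the agent protects "from all possible serialize vulnerabilities" also needs qualifying: the linked #rejecting-deserialization-entirely mode rejects every Java deserialization, including the legitimate RMI and JMX traffic the first paragraph says this is meant to protect, so state which mode (reject-all or whitelist) the secure targets use and what stops working under it. Minor: "notsoserial-1.0-SNAPSHOT" is a non-reproducible build id rather than a file name; give the jar name as committed in r1730735 + r1730736, and add the trailing newline flagged by "\ No newline at end of file".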