You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/11/27 13:15:43 UTC
[ofbiz-framework] branch release18.12 updated: Fixed: Manufacturing - MRP Run Failure (OFBIZ-12716)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 76976bf9f0 Fixed: Manufacturing - MRP Run Failure (OFBIZ-12716)
76976bf9f0 is described below
commit 76976bf9f03537b450af531638ac8031571ba154
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Nov 27 12:49:49 2022 +0100
Fixed: Manufacturing - MRP Run Failure (OFBIZ-12716)
This was broken by
"Preventing possible DOS attack done using Java deserialisation" done with
OFBIZ-12592
The exact solution was not an easy find. Because, despite knowing that it was
related to serialization filtering (ie using
'-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000'
in build.gradle) and suspecting that it was not related to a class because
adding an all classes allowed filter (ie *) to -Djdk.serialFilter, ie
'-Djdk.serialFilter=*;maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000'
that did not fix the problem.
So it was, at least, one of values of the 4 other parameters initially chosen
based on default values often suggested.
With trial and error tactic, I finally found I needed only to increase maxrefs*.
I picked 1000. It should allow bigger MRP needs and should not be an issue for
DOS attacks.
* The maximum number of internal references
Note that I could have used the "Logging Filter Actions" suggestion at bottom of
https://docs.oracle.com/javase/10/core/serialization-filtering1.htm
but trial and error tactic turned to be faster.
I guess, if I refer to https://access.redhat.com/discussions/5577051, that it
could be due to using Tomcat or to OFBiz log4j2.xml setting.
Anyway Java 17 seems to have a better solution for that** and we need to turn to
it in 2023 (EOL of Java 11)
** https://inside.java/2021/03/02/monitoring-deserialization-activity-in-the-jdk
thanks: Yannong Huang for report
---
build.gradle | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 41aec101f6..1618180e1a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -54,7 +54,7 @@ ext.pluginsDir = "${rootDir}/plugins"
ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
// java settings
-List jvmArguments = ['-Xms128M', '-Xmx1024M', '-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000']
+List jvmArguments = ['-Xms128M', '-Xmx1024M', '-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=1000;maxbytes=500000']
if (project.hasProperty('jvmArgs')) {
jvmArguments = jvmArgs.tokenize()
}