Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/02/29 12:30:40 UTC

svn commit: r1732865 - in /ofbiz/branches/release15.12: ./ tools/security/notsoserial/README.txt

Author: jleroux
Date: Mon Feb 29 11:30:40 2016
New Revision: 1732865

URL: http://svn.apache.org/viewvc?rev=1732865&view=rev
Log:
"Applied fix from trunk for revision: 1730747" 
------------------------------------------------------------------------
r1730747 | jleroux | 2016-02-16 21:43:14 +0100 (mar. 16 févr. 2016) | 1 ligne

No functional change, I forgot to replace the content of this README.txt file, copied from the dependency check folder, by the content for the notsoserial Java agent.
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release15.12/   (props changed)
    ofbiz/branches/release15.12/tools/security/notsoserial/README.txt

Propchange: ofbiz/branches/release15.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Feb 29 11:30:40 2016
@@ -9,4 +9,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/trunk:1722712,1723007,1723248,1724402,1724411,1724566,1724689,1724763,1724916,1724918,1724925,1724930,1724940,1724943,1724946,1724951,1724957,1724975,1724978,1725006,1725217,1725257,1725561,1725574,1726388,1726486,1726493,1726828,1728398,1728411,1729005,1729078,1729609,1729809,1730035,1730456,1730735-1730736,1730882,1730889,1731382,1731396,1732454,1732570,1732721
+/ofbiz/trunk:1722712,1723007,1723248,1724402,1724411,1724566,1724689,1724763,1724916,1724918,1724925,1724930,1724940,1724943,1724946,1724951,1724957,1724975,1724978,1725006,1725217,1725257,1725561,1725574,1726388,1726486,1726493,1726828,1728398,1728411,1729005,1729078,1729609,1729809,1730035,1730456,1730735-1730736,1730747,1730882,1730889,1731382,1731396,1732454,1732570,1732721

Modified: ofbiz/branches/release15.12/tools/security/notsoserial/README.txt
URL: http://svn.apache.org/viewvc/ofbiz/branches/release15.12/tools/security/notsoserial/README.txt?rev=1732865&r1=1732864&r2=1732865&view=diff
==============================================================================
--- ofbiz/branches/release15.12/tools/security/notsoserial/README.txt (original)
+++ ofbiz/branches/release15.12/tools/security/notsoserial/README.txt Mon Feb 29 11:30:40 2016
@@ -1,4 +1,7 @@
-This is only given as an example. It uses the https://www.owasp.org/index.php/OWASP_Dependency_Check command line option
-To have it working you must have the dependency-check command line option correctly installed.
+The notsoserial Java agent was introduced to protect your OFBiz instance from the infamous Java serialize vulnerability if you use RMI, JMX or Spring and maybe other Java classes we don't use OOTB in OFBiz.
+We (PMC) decided to comment out RMI OOTB but we also decided to provide a simple way to protect yourself from all possible Java serialize vulnerabilities.
 
-In any cases be sure to check https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
\ No newline at end of file
+While working on the serialize vulnerability, I (Jacques Le Roux) stumbled upon this article https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/ and found notsoserial was a Java agent better than the Contrast one I introduced at r1717058. Because notsoserial easily protects you from all possible serialize vulnerabilities as explained at https://github.com/kantega/notsoserial#rejecting-deserialization-entirely
+So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735 + r1730736. To be safe in case you use RMI for instance, use one of the start*-secure ant targets or use the JVM arguments those targets use.
+
+You might find more information at https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability
\ No newline at end of file
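Review bot: the new README tells users to "use one of the start*-secure ant targets or use the JVM arguments those targets use" (last line of the second added paragraph) without saying what those arguments are, so a reader who launches OFBiz any other way cannot apply the protection from this file alone; suggest quoting the actual `-javaagent:` line and the notsoserial option the secure targets set, and stating which mode the agent runs in (the linked "rejecting deserialization entirely" mode versus a whitelist), since the first paragraph names RMI, JMX and Spring as the reason the agent exists and the README should say whether those still work under the chosen configuration. Two smaller points: "notsoserial-1.0-SNAPSHOT" is an unversioned snapshot artifact, so the README should name the exact build (or its checksum) that was committed at r1730735 + r1730736 so it can be verified later; and the file still ends without a trailing newline, as the "\ No newline at end of file" marker shows.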