You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/06/05 14:46:00 UTC
[jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP
engines - Fix [CVE-2021-30128]
[ https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-12212:
------------------------------------
Description:
The SOAP and HTTP engines are open doors to security issues. At [https://markmail.org/message/pgtjyh23bazq4s2w] I proposed to comment them out as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
{quote}After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
I don't think we need a vote for that, but of course all opinions are welcome
Thanks
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
{quote}
was:
mThe SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
{quote}
After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
I don't think we need a vote for that, but of course all opinions are welcome
Thanks
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
{quote}
> Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]
> ------------------------------------------------------------
>
> Key: OFBIZ-12212
> URL: https://issues.apache.org/jira/browse/OFBIZ-12212
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/service
> Affects Versions: 18.12.01, Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
> Fix For: 18.12.01, 17.12.07
>
> Attachments: OFBIZ-12212-Re allow Entity Sync.patch
>
>
> The SOAP and HTTP engines are open doors to security issues. At [https://markmail.org/message/pgtjyh23bazq4s2w] I proposed to comment them out as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)