[jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines

ASF subversion and git services (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12212:
    Fix Version/s:     (was: Release Branch 17.12)
                       (was: Upcoming Branch)

> Comment out the SOAP and HTTP engines
> -------------------------------------
>                 Key: OFBIZ-12212
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12212
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/service
>    Affects Versions: 18.12.01, Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>             Fix For: 18.12.01, 17.12.07
>         Attachments: OFBIZ-12212-Re allow Entity Sync.patch
> mThe SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past.
> Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}
> After the recent fix for the CVE-2021-26295[1] we discussed with the security
> team about the opportunity need to comment out the SOAP and HTTP engines
> like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
> renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
> [2] OFBIZ-6942 "Comment out RMI related
> code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}

This message was sent by Atlassian Jira