[
https://issues.apache.org/jira/browse/OFBIZ-6926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux closed OFBIZ-6926.
----------------------------------
Resolution: Fixed
> Replace the contrast Java agent by the notsoserial Java agent
> -------------------------------------------------------------
>
> Key: OFBIZ-6926
> URL: https://issues.apache.org/jira/browse/OFBIZ-6926
> Project: OFBiz
> Issue Type: Sub-task
> Components: tools/security
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
>
> The goal is to replace the contrast Java agent by the notsoserial Java agent
> which can be used to protect OFBiz instances from possible Java serialize
> vulnerabilities.
> For that we need to modify the *-secure targets (start-secure,
> start-batch-secure, start-pos-secure, start-both-secure) to use the
> notsoserial Java agent with its most secure setting.
> See
> https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialize+vulnerability
> for more information
> The notsoserial Java agent is placed in the tools/security/notsoserial folder
> and a dependency-check folder created under the tools/security folder to move
> there the dependency-check files from the tools/security folder.
> The trunk demo will be using the notsoserial Java agent ASAP. The older ones
> will keep the contrast Java agent, which should be enough as soon as we
> comment out the RMI stuff in OFBiz.
> Users need to care anyway...