[ https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311420#comment-17311420 ]
ASF subversion and git services commented on OFBIZ-12212: --------------------------------------------------------- Commit 62e657f3a718c654a6c18e448662069e1de46fb0 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=62e657f ] Documented: Comment out the SOAP and HTTP engines (OFBIZ-12212) Documents that the EntitySync feature is no longer available OOTB. You need first to re allow the HTTP engine > Comment out the SOAP and HTTP engines > ------------------------------------- > > Key: OFBIZ-12212 > URL: https://issues.apache.org/jira/browse/OFBIZ-12212 > Project: OFBiz > Issue Type: Sub-task > Components: framework/service > Affects Versions: 18.12.01, Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Priority: Blocker > Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch > > > mThe SOAP and HTTP engines are open doors to security issues. At > https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out > as we did for RMI in the past. > Of cause it must be clearly documented how to use them if needed. > Here is the email content: > {quote} > After the recent fix for the CVE-2021-26295[1] we discussed with the security > team about the opportunity need to comment out the SOAP and HTTP engines > like we did in the past for RMI[2], this obviously for security reason. > I don't think we need a vote for that, but of course all opinions are welcome > Thanks > [1] OFBIZ-12167 "Adds a blacklist (to be > renamed soon to denylist) in Java serialisation (CVE-2021-26295)" > [2] OFBIZ-6942 "Comment out RMI related > code because of the Java deserialization issue [CVE-2016-2170] " > {quote} -- This message was sent by Atlassian Jira (v8.3.4#803005)