[ https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311514#comment-17311514 ]
Jacques Le Roux commented on OFBIZ-12212: ----------------------------------------- bq. Documents that the EntitySync feature is no longer available OOTB. You need first to re allow the HTTP engine Here is a patch which re allows the EntitySync feature (disclaimer: not tested yet, but easy stuff anyway): [^OFBIZ-12212-Re allow Entity Sync.patch] > Comment out the SOAP and HTTP engines > ------------------------------------- > > Key: OFBIZ-12212 > URL: https://issues.apache.org/jira/browse/OFBIZ-12212 > Project: OFBiz > Issue Type: Sub-task > Components: framework/service > Affects Versions: 18.12.01, Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Priority: Blocker > Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch > > Attachments: OFBIZ-12212-Re allow Entity Sync.patch > > > mThe SOAP and HTTP engines are open doors to security issues. At > https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out > as we did for RMI in the past. > Of cause it must be clearly documented how to use them if needed. > Here is the email content: > {quote} > After the recent fix for the CVE-2021-26295[1] we discussed with the security > team about the opportunity need to comment out the SOAP and HTTP engines > like we did in the past for RMI[2], this obviously for security reason. > I don't think we need a vote for that, but of course all opinions are welcome > Thanks > [1] OFBIZ-12167 "Adds a blacklist (to be > renamed soon to denylist) in Java serialisation (CVE-2021-26295)" > [2] OFBIZ-6942 "Comment out RMI related > code because of the Java deserialization issue [CVE-2016-2170] " > {quote} -- This message was sent by Atlassian Jira (v8.3.4#803005)