...
Sometimes the OFBiz code itself is not the culprit. OFBiz relies on many Java libraries, and if one of them has a flaw we can't always wait for it to be fixed before warning and protecting our users. This is for instance what happened with the infamous 2015 Java deserialization vulnerability. OFBiz was affected through 2 libraries: Commons Collections (OFBIZ-6726) and Groovy (OFBIZ-6568).
Warning: until we update the Groovy library, we recommend that you have a look at http://svn.apache.org/viewvc?view=revision&revision=1717058 and use the start-secure ant target rather than the start one, or any of the other possibilities offered by OFBIZ-6568 (startofbiz.sh/bat, etc.). Actually it's just a matter of adding "-javaagent:pathTo/contrast-rO0.jar" to your start script. Also, for a historical view of OFBiz security, you can refer to
From what you can see there, you can secure OFBiz by adding "-javaagent:pathTo/contrast-rO0.jar" to your start script. You will then be covered against these vulnerable classes, which exist OOTB as long as OFBIZ-6568 is not solved:
- org.codehaus.groovy.runtime.ConvertedClosure
- org.codehaus.groovy.runtime.MethodClosure
These are already covered by OFBIZ-6726:
- org.apache.commons.collections.functors.InvokerTransformer
- org.apache.commons.collections4.functors.InvokerTransformer
- org.apache.commons.collections.functors.InstantiateTransformer
- org.apache.commons.collections4.functors.InstantiateTransformer
We don't use:
- org.springframework.beans.factory.ObjectFactory
But if you do, be sure to fix the issue yourself or add "-javaagent:pathTo/contrast-rO0.jar" to your start script.
Roughly there are 3 categories of OFBiz users:
...