...
You can trust the Apache OFBiz PMC Members and Committers, we do our best to keep OFBiz secure. But despite our best efforts we migth sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/download.html, we strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing list of the ASF Security Team, before disclosing them in a public forum. Please see the page of the ASF Security Team for further information and contact information. Also in case of doubt, refer to the current page where quick fixes not already released might be explained.
...
Sometimes the OFBIz code itself is not the culprit. OFBiz relies on many Java librairies, and if one of them has a flaw we can't always wait it's fixed to warn and protect our users. This is for instance what happened with the infamous 2015 Java unserialize vulnerability. OFBiz was affected by 2 librairires: Commons Collections
Jira | ||||||
---|---|---|---|---|---|---|
|
Jira | ||||||
---|---|---|---|---|---|---|
|
...
But if you do you be sure to fix your issue or use "-javaagent:pathTo/contrast-rO0.jar" in your starting script"
...
Roughly there are 3 categories of OFBiz users:
...