Versions Compared

Comment: Inform about notsoserial and RMI/JMX

...

From what you can see there, you can secure OFBiz by adding "-javaagent:pathTo/contrast-rO0.jar" to your starting script, and you will be covered against the vulnerabilities that exist OOTB as long as OFBIZ-6568 is not solved.

  • org.codehaus.groovy.runtime.ConvertedClosure
  • org.codehaus.groovy.runtime.MethodClosure

...

But if you do, be sure to fix your issue or use "-javaagent:pathTo/contrast-rO0.jar" in your starting script.

Warning: RMI and JMX
If you use RMI and/or JMX, you are also at risk!

I will soon replace contrast-rO0.jar with notsoserial-1.0-SNAPSHOT because it covers one more class (com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl) and I find the explanation there very clear.

Another option is to put the xalan class in the contrast-rO0.jar blacklist. You should also add every newly published vulnerable class to the blacklist, or update the jar.
Another means is, of course, to provide your own whitelist. Both agents allow that, but notsoserial also provides the "dryrun" option, which makes building the list easier.
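As an added illustration (not code from OFBiz, contrast-rO0 or notsoserial), here is the check those agents perform, written as a hypothetical GuardedObjectInputStream that an application would use in place of ObjectInputStream at its own deserialization points. The blacklisted class names are the ones listed on this page; the whitelist parameter and the dryRun flag, which mimics notsoserial's "dryrun" option, are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical guard: does at one call site what the agents do by instrumenting
// ObjectInputStream JVM-wide. Classes are checked before they are instantiated.
public class GuardedObjectInputStream extends ObjectInputStream {
    private static final Logger LOG = Logger.getLogger("deser-guard");

    // Gadget classes named on this page; add new ones as they are published.
    static final Set<String> BLACKLIST = new HashSet<>(Arrays.asList(
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"));

    private final Set<String> whitelist; // null = blacklist mode
    private final boolean dryRun;        // log only, like notsoserial's "dryrun"

    public GuardedObjectInputStream(InputStream in, Set<String> whitelist,
                                    boolean dryRun) throws IOException {
        super(in);
        this.whitelist = whitelist;
        this.dryRun = dryRun;
    }

    // Whitelist wins when present: it must list every class the application
    // legitimately deserializes (a dry run over real traffic is how to build it).
    static boolean isAllowed(String name, Set<String> whitelist) {
        return whitelist != null ? whitelist.contains(name) : !BLACKLIST.contains(name);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isAllowed(name, whitelist)) {
            if (!dryRun) {
                throw new InvalidClassException(name, "blocked by deserialization guard");
            }
            LOG.warning("dry run: deserialization of " + name + " would be blocked");
        }
        return super.resolveClass(desc);
    }
}
```

Replacing `new ObjectInputStream(in)` with `new GuardedObjectInputStream(in, null, false)` only protects the code paths you control; RMI and JMX deserialize through their own streams, which is why a JVM-wide agent is the option recommended above.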

Who is concerned?

Roughly there are 3 categories of OFBiz users:

...