This is still a WIP page, but be sure to read at least the "Be safe" warning.
Info: This page is about security as in "external security". In other words, it is not about authentication or authorisation (for that, refer to OFBiz Security Permissions), but about keeping your OFBiz instance safe from external exploits and closing vulnerabilities as soon as they are known.
...
You can trust the Apache OFBiz PMC members and committers; we do our best to keep OFBiz secure. But despite our best efforts we might sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/download.html, we strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing list of the ASF Security Team before disclosing them in a public forum. Please see the ASF Security Team page for further information and contact details. Also, in case of doubt, refer to the current page, where quick fixes not yet released may be described.
Though it is maybe not totally complete, you might refer to the following Jira issue list:
[Jira issue list]
The infamous 2015 Java deserialization vulnerability
Sometimes the OFBiz code itself is not the culprit. OFBiz relies on many Java libraries, and if one of them has a flaw we cannot always wait for it to be fixed before warning and protecting our users. This is, for instance, what happened with the infamous 2015 Java deserialization vulnerability. OFBiz was affected through two libraries, Commons Collections and Groovy:
[Jira issue]
[Jira issue]
Warning: Until we update the Groovy library, we recommend that you have a look at http://svn.apache.org/viewvc?view=revision&revision=1717058 and use the start-secure ant target rather than the start one, or any of the other options offered by OFBIZ-6568 (startofbiz.sh/bat, etc.). In practice it is just a matter of adding "-javaagent:pathTo/contrast-rO0.jar" to the JVM options in your start script. Also, for a historical view of OFBiz security, you can refer to
From what you can see there, you can secure OFBiz by adding "-javaagent:pathTo/contrast-rO0.jar" to your start script; you will then be covered against the following gadget classes, which exist OOTB as long as OFBIZ-6568 is not solved:
- org.codehaus.groovy.runtime.ConvertedClosure
- org.codehaus.groovy.runtime.MethodClosure
These are already covered by OFBIZ-6726:
- org.apache.commons.collections.functors.InvokerTransformer
- org.apache.commons.collections4.functors.InvokerTransformer
- org.apache.commons.collections.functors.InstantiateTransformer
- org.apache.commons.collections4.functors.InstantiateTransformer
We don't use:
- org.springframework.beans.factory.ObjectFactory
But if you do, be sure to fix your issue or add "-javaagent:pathTo/contrast-rO0.jar" to your start script.
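The javaagent approach above works by refusing to deserialize the listed classes before any instance of them is created. As an added example (this is not OFBiz code and not part of the original page), the following stand-alone Java class does the same for a single ObjectInputStream by overriding resolveClass with a deny list made of the classes listed above plus TemplatesImpl, the extra class notsoserial covers (mentioned below). The serialized stream it rejects is constructed in the code from the bare Java serialization protocol and is not a real gadget chain: only the class name in the descriptor matters for this check. The class and method names are illustrative, not an API of any library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamConstants;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Example only: an ObjectInputStream that refuses the gadget classes from this page.
 * A javaagent such as rO0 or notsoserial applies the same idea to every
 * ObjectInputStream in the JVM; this class only protects streams it is used for.
 */
public class GadgetBlockingObjectInputStream extends ObjectInputStream {

    /** Deny list: the classes named on this page. Extend it for your own libraries. */
    static final Set<String> DENY = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.InstantiateTransformer",
        "org.apache.commons.collections4.functors.InstantiateTransformer",
        "org.springframework.beans.factory.ObjectFactory",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl")));

    public GadgetBlockingObjectInputStream(InputStream in) throws IOException {
        super(in); // reads and checks the stream header (magic + version)
    }

    /** Called for every class descriptor in the stream, before the object is instantiated. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (DENY.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "deserialization of known gadget class refused");
        }
        return super.resolveClass(desc);
    }

    /** Deserializes with the deny list applied; throws InvalidClassException on a blocked class. */
    public static Object readChecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new GadgetBlockingObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Plain Java serialization of a harmless object, used as the "accepted" case. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Constructed test input: a minimal serialized object whose class descriptor carries
     * the given class name (no fields, no superclass). It is not an exploit payload; it only
     * shows that the check fires on the descriptor, before any field data is read.
     */
    public static byte[] fakeStreamFor(String className) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);    // 0xACED
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);  // 5
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);                               // the name resolveClass sees
        out.writeLong(0L);                                     // serialVersionUID (never compared here)
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);
        out.writeShort(0);                                     // no fields
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA);  // no class annotations
        out.writeByte(ObjectStreamConstants.TC_NULL);          // no superclass descriptor
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readChecked(serialize(Arrays.asList("a", "b"))));
        byte[] blocked = fakeStreamFor("org.apache.commons.collections.functors.InvokerTransformer");
        try {
            readChecked(blocked);
            System.out.println("NOT blocked: check the deny list");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, any deny list (this one, rO0's, notsoserial's) is only as good as the set of known gadget classes, which is why this page already notes that one tool covers "one more class" than the other; an allow list of the classes your application actually deserializes is stronger when you can enumerate them. Second, on JDK 9 and later (and on 8u121+, where it was backported) the same per-class rejection is available without a third-party agent through JEP 290 serialization filtering, for example -Djdk.serialFilter='!org.apache.commons.collections.functors.*;!org.codehaus.groovy.runtime.*' on the JVM command line. Neither option is OFBiz's own mechanism; they are standard JVM tools mentioned here as alternatives.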
Warning: If you use RMI and/or JMX you are also at risk!
I will soon replace contrast-rO0.jar with notsoserial-1.0-SNAPSHOT because it covers one more class (com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl) and I find the explanation there very clear.
...
Be sure to read the "The infamous Java serialize vulnerability" page if you use RMI, JMX and/or Spring with your OFBiz instance.
Who is concerned?
Roughly there are 3 categories of OFBiz users:
...