Comment: About r1730735 and the start*-secure ant targets

...

You are, though, still at risk if you use RMI, JMX or Spring, and maybe other Java classes we don't use OOTB in OFBiz. We (PMC) decided to comment out RMI OOTB, but we also decided to provide a simple way to protect yourself from all possible Java serialization vulnerabilities.

While working on the serialization vulnerability, I (Jacques Le Roux) stumbled upon the article "Closing the open door of java object serialization" and found that notsoserial was a better Java agent than the one I introduced at r1717058, because it easily protects you from all possible serialization vulnerabilities, as explained here. So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT at r1730735. To be safe in case you use RMI, for instance, use one of the start*-secure ant targets or use the JVM arguments those targets use.