
While working on the serialize vulnerability, I stumbled upon this article, "Closing the open door of java object serialization", and found notsoserial was a better Java agent than OWASP's, which I introduced at r1717058, because it easily protects you from all possible serialize vulnerabilities, as explained here! So I replaced contrast-rO0.jar with notsoserial-1.0-SNAPSHOT (see OFBIZ-6926). To be safe in case you use RMI, for instance, use one of the start*-secure ant targets or use the JVM arguments those targets use.

OFBIZ-6942