Comment: In 12.04.06 RMI is not deactivated, so use notsoserial

...

You were still at risk, though, if you use RMI, JNDI, JMX or Spring, and maybe other Java classes we don't use OOTB in OFBiz. We (PMC) decided to comment out RMI OOTB (see ASF JIRA OFBIZ-6942), but we can do nothing to prevent the other possibilities (which are not a concern OOTB). Note also that in the last release of the R12.04 branch (12.04.06) RMI is not deactivated, so you should use the recommended remediation below.


We also decided to provide a simple way to protect yourself from all possible Java serialization vulnerabilities.

...