Sometimes the OFBIz code itself is not the culprit. OFBiz relies on many Java librairies, and if one of them has a flaw we can't always wait it's fixed to warn and protect our users. This is for instance what happened with the 2015 infamous Java serialize serialization vulnerability. OFBiz was affected by 2 librairies: Apache Commons Collections and Apache Groovy . As you can see at
Jira | ||||||
---|---|---|---|---|---|---|
|
But with the article above the buzz began to spread and we could not wait to be able to update Groovy. So a temporary workaround was adopted as explained in
Jira | ||||||
---|---|---|---|---|---|---|
|
RMI and other risks
You were though still at risk if you use RMI, JNDI, JMX or Spring and maybe other Java classes we don't use OOTB in OFBiz. We (PMC) decided to comment out RMI OOTB
Jira | ||||||
---|---|---|---|---|---|---|
|
...
We also decided to provide a simple way to protect yourself from all possible Java serialize serialization vulnerabilities.
While working on the serialize serialization vulnerability, I stumbled upon this article "Closing the open door of java object serialization" and decided notsoserial was the solution we needed. It easily protects you from all possible serialize serialization vulnerabilities as explained here!
...
The idea is simple: initially you don't know what to put in your whitelist because there are some objects in OFBiz you need to put there, plus the ones you add yourself. So you use an empty whitelist and with the dryrun option you specify a file where the serialised serialized objects are listed. Then you can continuously fill your whitelist to keep things secure. You can use the trace option to get a better idea of where and why an object is serialisedserialized.
whitelist