...
| Info |
|---|
|
This page documents the usage with Gradle, the pre-Gradle documentation is here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=65865828 |
Sometimes the OFBIz code itself is not the culprit. OFBiz relies on many Java librairies, and if one of them has a flaw we can't always wait it's fixed to warn and protect our users. This is for instance what happened with the 2015 infamous Java serialization vulnerability. OFBiz was affected by 2 librairies: Apache Commons Collections and Apache Groovy . As you can see at
| Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | OFBIZ-6726 |
|---|
|
, we waited the Commons Collections update to fix the issue, because it was not much disclosed then.
...
It easily protects you from all possible serialization vulnerabilities as explained in the notsoserial project. The idea is simple: initially you don't know what to put in your whitelist because there are some objects in OFBiz you need to put there, plus the ones you add yourself. So you initially use an empty whitelist and with the dryrun option you specify a file where the serialized objects are listed. Then you can continuously fill your whitelist to keep things secure. You can use the trace option to get a better idea of where and why an object is serialized.
ObjectInputStream
Because of
| Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | OFBIZ-10837 |
|---|
|
, we needed to fix another issue related to ObjectInputStream class. If you
encouter encounter a related issue (
classe object not in the
whitelistallow list), you must provide a complete list of objects
you need to pass to ObjectInputStream
in ListOfSafeObjectsForInputStream through ListOfSafeObjectsForInputStream property
( in SafeObjectInputStream.properties file
). As an example,
it's commented out the a complete list of objects used by OFBiz OOTB is by default
. OFBiz uses it's own whitelist and you there. You will need to add your objects
/classes to this list.
With
| Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | OFBIZ-12167 |
|---|
|
we have introduced a way to also put objects in a deny list and improved it with | Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | OFBIZ-12216 |
|---|
|
, | Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | OFBIZ-12212 |
|---|
|
and | Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | OFBIZ-12221 |
|---|
|
OWASP article (with good references at bottom)
...