Comment: Tomcat 9 & AJP update

...

You can trust that the Apache OFBiz PMC members and committers do their best to keep OFBiz secure. But despite our best efforts we might sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/downloadsecurity.html, we strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing list of the OFBiz project (security AT ofbiz.apache.org) before disclosing them in a public forum. Please see the page of the ASF Security Team for further information and contact details. Also, in case of doubt, refer to the current page, where quick fixes not yet released might be explained.

...

Currently we have no known Java vulnerabilities in OFBiz code. There are some vulnerable third-party libraries, but fortunately none of them is a high-severity vulnerability. As you can see in our README file, we use SonarCloud and soon CodeQL to check for vulnerabilities during our Continuous Integration process on GitHub. We also use Checkstyle to improve code quality before pushing changes to the Git repository.

JavaScript

For JavaScript, we use Retire.js; see this page: About retire.js. As you can see in our README file, we also use CodeQL to check for vulnerabilities during our Continuous Integration process on GitHub. And we run npm audit before pushing changes to the Git repository.

HTTP headers

For HTTP headers: https://cyh.herokuapp.com/cyh. This page gives more information: How to Secure HTTP Headers

...

There are web-oriented tools like Burp Suite Community Edition, OWASP Zed Attack Proxy, BeEF or IBM Security AppScan. But most of the time they are too general, and fully scanning OFBiz can take a lot of time or be quite a challenge if done manually. You can find more penetration tools here.

In December 2015, I ran a complete (100%) OWASP Zed Attack automated (Quick Start) penetration session against a local instance of the OFBiz backend (trunk head) running on localhost. It started with the same link used for backend demos. No major flaws were discovered.

To work on security vulnerability reports I use Burp Suite Community Edition.

Another simpler but not to be neglected tool is the security option of SpotBugs. I have used it as an Eclipse plugin.

Tomcat 9 & AJP

Despite OFBIZ-11407, allowedRequestAttributesPattern is commented out because of OFBIZ-12558.

OOTB the Tomcat default values are used, as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is related to https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors

But OOTB the secretRequired value must be false because the secret value is empty. Otherwise a message appears in the log saying that AJP is not available.
Long story short, with the OOTB configuration only localhost works.
So if you want to use AJP you need to set the values according to your configuration. Setting
allowedRequestAttributesPattern to ".*" puts you at risk.
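The three AJP settings discussed above (address binding, secretRequired/secret, allowedRequestAttributesPattern) can be checked mechanically. The following is an added example, not OFBiz or Tomcat code; it assumes a standalone Tomcat server.xml (OFBiz configures its embedded Tomcat differently), both XML samples are constructed, and the loopback default for an omitted address follows the Tomcat 9.0.31+ behaviour described in the linked AJP documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an AJP connector with all three weak settings.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false"
               allowedRequestAttributesPattern=".*" />
  </Service>
</Server>"""

# Constructed sample: the same connector hardened for a local reverse proxy
# (loopback binding, shared secret, no arbitrary request attributes).
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-PLACEHOLDER" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list[str]:
    """Return one finding per risky setting on every AJP connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # Tomcat 9.0.31+ binds to loopback when address is omitted.
        address = conn.get("address", "127.0.0.1")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret", "")
        pattern = conn.get("allowedRequestAttributesPattern")
        if address not in LOOPBACK:
            findings.append(f"port {port}: bound to {address}, reachable beyond localhost")
        if not secret_required:
            findings.append(f"port {port}: secretRequired=false, every client reaching the port is trusted")
        elif not secret:
            # The case the page describes: Tomcat logs that AJP is not available.
            findings.append(f"port {port}: secretRequired=true with empty secret, connector will not start")
        if pattern == ".*":
            findings.append(f"port {port}: allowedRequestAttributesPattern=.* accepts arbitrary request attributes")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml) or ["no findings"])
```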