...
You can trust the Apache OFBiz PMC Members and Committers do their best to keep OFBiz secure. But despite our best efforts we might sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/downloadsecurity.html, we strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing list of the OFBiz project (security AT ofbiz.apache.org), before disclosing them in a public forum. Please see the page of the ASF Security Team for further information and contact details. Also in case of doubt, refer to the current page where quick fixes not already released might be explained.
...
There are web oriented tools like Burp Suite Community Edition, OWASP Zed Attack, Beef or IBM Security AppScan. But most of the time they are too general, and totally parsing OFBiz can take a lot of time or be quite a challenge if done manually. You can find more penetration tools here.In December 2015, I ran a complete (100%) OWASP Zed Attack automated (Quick Start) penetration session against a locale instance of OFBiz backend (trunk head) running on localhost. It started with the same link used for backend demos. No major flaws were discovered.To work on security vulnerability reports I use Burp Suite Community Edition.
Another simpler but not to be negledted tool is the security option of Spotbug. I use it as an Eclipse plugin.
Tomcat 9 & AJP
Despite
Jira | ||||||
---|---|---|---|---|---|---|
|
Jira | ||||||
---|---|---|---|---|---|---|
|
OOTB the Tomcat default values are used as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is in relation with https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
But OOTB secretRequired value must be false because secret value is empty. Else a notifying message appears in log saying that AJP is not available.
Long story short, with OOTB configuration only localhost works.
So if you want to use AJP you need to set the values depending on your configuration. Using
".*" to allowedRequestAttributesPattern put you at risk.