THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
You would though still at risk if you use RMI, JNDI, JMX or Spring and maybe other Java classes OFBiz does not use Out Of The Box (OOTB). So the PMC decided to comment out RMI OOTB
| Jira | ||||||
|---|---|---|---|---|---|---|
|
We also decided to provide a simple way to protect OFBiz instances from all possible Java serialization vulnerabilities. While working on the serialization vulnerability, I stumbled upon this article "Closing the open door of java object serialization" and decided notsoserial was the solution we needed. It 's now was embedded in OFBiz and called by all running Gradle tasks until it was put in OFBiz Attic#notsoserial.So if you need a such protection you are still able to grab it from Attic and use it.
It easily protects you from all possible serialization vulnerabilities as explained in the notsoserial project. The idea is simple: initially you don't know what to put in your whitelist because there are some objects in OFBiz you need to put there, plus the ones you add yourself. So you initially use an empty whitelist and with the dryrun option you specify a file where the serialized objects are listed. Then you can continuously fill your whitelist to keep things secure. You can use the trace option to get a better idea of where and why an object is serialized.
...