...
You are though still at risk if you use RMI, JNI, JMX or Spring and maybe other Java classes we don't use OOTB in OFBiz. We So we (PMC) decided to comment out RMI OOTB
Jira | ||||||
---|---|---|---|---|---|---|
|
We OOTB but we also decided to provide a simple way to protect yourself from all possible Java serialize vulnerabilities.
While working on the serialize vulnerability, I stumbled upon this article "Closing the open door of java object serialization" and found notsoserial was a better Java agent than OWASP's I introduced at r1717058. Because it decided notsoserial was the solution we needed. It easily protects you from all possible serialize vulnerabilities as explained here!So I replaced contrast-rO0.jar by notsoserial-1.0-SNAPSHOT (see Jira
). To be safe in case you use RMI for instance, use one of the start*-secure ant targets or use the JVM arguments those targets use.
Jira | ||||||
---|---|---|---|---|---|---|
|
The idea is simple: initially you don't know what to put in your whitelist because there are some objects in OFBiz you need to put there, plus the ones you add yourself. So you use an empty whitelist and with the dryrun option you specify a file where the serialised objects are listed. Then you can continuously fill your whitelist to keep things secure. You can use the trace option to get a better idea of where and why an object is serialised.
whitelist