
What is this page about?

This page is about security as in "external security". In other words, it is not about authentication or authorisation (for those, refer to OFBiz Security Permissions), but about keeping your OFBiz instance secure from external exploits and closing vulnerabilities as soon as they become known.

You can trust the Apache OFBiz PMC Members and Committers: we do our best to keep OFBiz secure. But despite our best efforts we might sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/download.html, we strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing list of the ASF Security Team before disclosing them in a public forum. Please see the page of the ASF Security Team for further information and contact details.

Sometimes the OFBiz code itself is not the culprit. OFBiz relies on many Java libraries, and if one of them has a flaw we can't always wait until it is fixed upstream before warning and protecting our users. This is for instance what happened with the infamous 2015 Java unserialize vulnerability. OFBiz was affected through two libraries: Commons Collections and Groovy (each tracked in its own JIRA issue). As you can see, we waited for the Commons Collections update to fix that issue, because it was not widely disclosed at the time. But once the article mentioned above spread the news, we could not wait until we were able to update Groovy, so a temporary workaround was adopted, as explained in OFBIZ-6568.

I (Jacques Le Roux) personally believe there are 3 categories of OFBiz users:

  1. Those who use OFBiz only in an internal manner, without any connection to the Internet; most of the time only the OFBiz backend is then used. They should be the least concerned.
    But this category tends to be less and less represented. Nowadays most organisations need to be connected somehow.
  2. Users working in a secured environment, notably behind firewalls and proxies. They should have less to fear from security vulnerabilities. But you can never be sure, black hackers are always trying...
  3. Users working in a less secure environment. For instance, using the Out Of The Box (OOTB) OFBiz ecommerce/ecomseo solutions with direct access from the Internet to them.

Now you might wonder how to keep your own OFBiz instance safe from vulnerabilities, and maybe how to share your experience with other OFBiz users.

Step-by-step guide

  1. Check that your version is up to date; see the "Security Vulnerabilities" section at https://ofbiz.apache.org/download.html. If you use the trunk, be sure to closely follow JIRA issues and commits regarding security. Then apply patches as soon as possible.
  2. To be continued...soon...
