[ https://issues.apache.org/jira/browse/OFBIZ-6568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14998306#comment-14998306 ]
Jacques Le Roux commented on OFBIZ-6568:
----------------------------------------

I checked (using 7Zip) this advice from http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thefix

{quote}
For those faint of heart, you can be a little more surgical about it. If we examine the two exploits provided by the “ysoserial” tool, we can see that they both rely on the “InvokerTransformer” class. If we remove this class file everywhere it exists, any attempted exploits should fail. Feel free to open up your jar files with your expired copy of Winzip and delete the file at “org/apache/commons/collections/functors/InvokerTransformer.class”.
{quote}

We have no use of InvokerTransformer in our code, nor do the libs we use rely on it, AFAIK.

> Updates Groovy to 2.4.4 version
> --------------------------------
>
>                 Key: OFBIZ-6568
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6568
>             Project: OFBiz
>          Issue Type: Task
>          Components: framework
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, 12.04.06, 13.07.03, Upcoming Branch
>
>
> Since it's a security fix we should also update all release branches.
> http://groovy-lang.org/security.html

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
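The manual 7Zip check described in the comment above, done as a script; this is an added example, not code from the JIRA thread or from OFBiz. It walks a directory of jars/wars, follows jars nested under WEB-INF/lib of a war, and reports every archive that still carries the InvokerTransformer class entry; the archives it scans are a constructed fixture in a temp directory, and the commons-collections4 path is an addition taken from that library's package layout.

```python
import io
import os
import tempfile
import zipfile

# The entry named in the comment above, plus the same class in commons-collections4.
INVOKER = "org/apache/commons/collections/functors/InvokerTransformer.class"
GADGET_CLASSES = {INVOKER, INVOKER.replace("collections/", "collections4/")}
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_zip(zf, prefix=""):
    """Gadget entries in an open ZipFile, recursing into nested archives."""
    hits = []
    for name in zf.namelist():
        if name in GADGET_CLASSES:
            hits.append(prefix + name)
        elif name.lower().endswith(ARCHIVES):  # e.g. WEB-INF/lib/*.jar inside a war
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                hits.extend(scan_zip(inner, prefix + name + "!"))
    return hits

def scan_tree(root):
    """Map each archive under root to its gadget entries (clean ones omitted)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVES)):
            try:
                with zipfile.ZipFile(path) as zf:
                    hits = scan_zip(zf)
            except zipfile.BadZipFile:
                hits = ["(unreadable archive)"]  # corrupt outer or nested jar: report, never skip
            if hits:
                findings[path] = hits
    return findings

def build_sample_tree(root):
    """Constructed fixture: a clean jar and a war nesting a jar with the class."""
    stub = b"\xca\xfe\xba\xbe"  # placeholder bytes, not real bytecode
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("org/example/Clean.class", stub)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(INVOKER, stub)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/commons-collections.jar", inner.getvalue())

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(p, tmp): h for p, h in scan_tree(tmp).items()}
```

Point `scan_tree` at a deployment's lib directories to get the same answer the manual 7Zip inspection gives, archive by archive.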