[jira] [Commented] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]

Sat, 31 Jan 2026 07:47:35 -0800 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-12212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18055649#comment-18055649
 ] 

ASF subversion and git services commented on OFBIZ-12212:
---------------------------------------------------------

Commit f40a59db95323742ab4d178a8c517b0ffbd7fb40 in ofbiz-plugins's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=f40a59db9 ]

Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.


> Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]
> ------------------------------------------------------------
>
>                 Key: OFBIZ-12212
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12212
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/service
>    Affects Versions: Release Branch 17.12, Trunk, 18.12.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>              Labels: CVE
>             Fix For: 17.12.07, 18.12.01
>
>         Attachments: OFBIZ-12212-Re allow Entity Sync.patch
>
>
> The SOAP and HTTP engines are open doors to security issues. At 
> [https://markmail.org/message/pgtjyh23bazq4s2w] I proposed to comment them 
> out as we did for RMI in the past.
>  Of cause it must be clearly documented how to use them if needed.
> Here is the email content:
> {quote}After the recent fix for the CVE-2021-26295[1] we discussed with the 
> security
>  team about the opportunity need to comment out the SOAP and HTTP engines 
>  like we did in the past for RMI[2], this obviously for security reason.
> I don't think we need a vote for that, but of course all opinions are welcome
> Thanks
> [1] OFBIZ-12167 "Adds a blacklist (to be
>  renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
>  [2] OFBIZ-6942 "Comment out RMI related
>  code because of the Java deserialization issue [CVE-2016-2170] "
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to