This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new cf77291 Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592) cf77291 is described below commit cf7729157aace5c69a05eebc949aa8018ca2879b Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Mar 28 12:32:40 2022 +0200 Improved: Prevent possible DOS attack done using Java deserialisation (OFBIZ-12592) Qing Xu, a security reporter, alerted us that, despite no current vulnerability, it could be maybe possible to do DOS attacks using Java deserialisation. That has been fixed with https://openjdk.java.net/jeps/290 and even implemented in Java 8, but it needs a little effort on our side, here it is. There is no real bug, to this is an improvement but a security improvement so it will be backported Thanks: Qing Xu for report --- gradle.properties | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index aa75f91..39ea90a 100644 --- a/gradle.properties +++ b/gradle.properties @@ -18,6 +18,8 @@ ############################################################################### org.gradle.console=plain -# If you experience heap memory problems during the Gradle build, for example +# If you experience heap memory problems during the Gradle build, for example # building with integrated plugins, the following setting might help #org.gradle.jvmargs=-Xms128m -Xmx1024m -XX:+CMSClassUnloadingEnabled +# This is for "Prevent possible DOS attack done using Java deserialisation" (OFBIZ-12592) +-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000
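Review bot: The added line `-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000` is not a valid gradle.properties entry, so the filter will never reach any JVM: a properties file is parsed as key=value, which makes `-Djdk.serialFilter` the key and `maxarray=100000;...` its value, and Gradle silently ignores keys it does not recognise. JVM flags in this file must go through the property shown in the commented-out line just above it, i.e. `org.gradle.jvmargs=-Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=500;maxbytes=500000`. Even then, org.gradle.jvmargs only configures the Gradle build/daemon JVM, not the OFBiz runtime JVM that actually performs deserialisation, so the limits should be supplied to the process that runs OFBiz (for example as a -D argument in its start command or via the jdk.serialFilter security property), and a quick check that they are active is to confirm `System.getProperty("jdk.serialFilter")` is non-null inside the running application. Two smaller points: the filter string sets only resource limits (maxarray, maxdepth, maxrefs, maxbytes) and no class patterns, which is consistent with the stated DOS-only goal but worth saying in the comment so nobody assumes gadget classes are being blocked; and the `-#`/`+#` pair on the "If you experience heap memory problems" line appears to be a whitespace-only change that could be dropped from this commit to keep the diff focused.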