Inquiry on UiPath's logging framework - concerns on Log4Shell vulnerability - security

I wish to inquire if there is any concern from UiPath in regards to the threat posed by the Apache Log4j vulnerability (https://amp.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell). I know UiPath orchestrator runs on MS IIS and wanted to know what logging framework is used.

Regarding this post in the UiPath forum: Robots and Orchestrator are using NLog, which is a different framework.
It is also mentioned that UiPath Insights is using Log4j. They are currently evaluating the impact. See here.

Related

Is Drools Business Rules Management impacted by CVE-2021-44228

We are using Drools for our business rules. Is Drools impacted by/exposed to CVE-2021-44228 (Log4Shell, the Log4j/Apache/Java vulnerability)?
The whole KIE ecosystem (Kogito, Drools, OptaPlanner and jBPM) moved to SLF4J, a different logging facade with Logback as the default implementation, a few years ago and is therefore not vulnerable to CVE-2021-44228. Accordingly, our recommendation is to ensure your applications are updated to the latest community versions (at the time of writing, Drools, jBPM, KIE Workbench/Business Central and KIE Server 7.62.0.Final, Kogito 1.14.1.Final, OptaPlanner 8.14.0.Final).
from this blog post.
We invite you to keep monitoring the blog post, in case there are any further findings in the future.
Looks like it's not the case.
In this thread you can find all impacted apps: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

Acumatica and SQL Monitoring and APM Software suggestion

We are looking into options to monitor our Acumatica instance to identify performance issues on the application level as well as the SQL server level. We have experience with newrelic and a few others, but also read about Retrace (https://stackify.com/retrace/) which looks worth trying.
I'm curious to know if it's possible/recommended to install such tools within Acumatica?
Does anyone have any experience or feedback on the topic?
Acumatica includes a built-in request profiler that can be used to monitor requests, performance and SQL. Probably not as sophisticated as New Relic, but powerful enough when you have performance issues to resolve. Read more here: https://help-2017r2.acumatica.com/(W(2))/Wiki/ShowWiki.aspx?wikiname=HelpRoot_User&PageID=e7612f3f-fc6f-494d-8532-cc2ceef7147b

How secure is out-of-the-box Broadleaf?

I am evaluating Broadleaf Commerce.
Currently I have one concern. If I install out-of-the-box Broadleaf Commerce, how secure is it? What existing vulnerabilities do I need to watch for when using it out of the box?
I went through the documentation. It was mentioned that SQL injection and XSS have been taken care of, but I'm not sure to what extent.
I am new to eCommerce and security, so I am unable to evaluate this myself.
From the official Broadleaf forum:
Broadleaf Commerce uses an extendible ORM strategy based on JPA (and specifically Hibernate behind the scenes). If you drill down even further, we are entirely using prepared statements and we do not dynamically build queries at all using user input. This deals with the SQL injection issue.
As for XSS, we utilize Spring MVC as our de-facto engine for the presentation layer and even provide some out-of-the-box controllers to speed development in this area. Spring MVC has great support for protection against XSS through html escape sequences via simple configuration. This blog talks about it a bit more: http://sanjaysinghloha.blogspot.com/200 ... ng_05.html. Having said that, as an e-commerce framework, Broadleaf Commerce does not force you to use Spring MVC to create a site. Any modern Java-based MVC framework should work fine with Broadleaf Commerce, but care should be taken with any MVC framework choice to account for XSS protection.
One of our partners has built their entire e-commerce site on Broadleaf Commerce using Spring MVC and Spring Security and has utilized S3 Security (http://www.s3security.com) to perform their extensive penetration testing as part of their successful PCI certification. S3 uses several tools, one of which is Retina Scanner.
No vulnerabilities have been discovered so far.
IMHO, from a penetration tester's point of view, it seems pretty safe and developed with security in mind, but this still doesn't mean it's invulnerable. By implementing a WAF such as mod_security and keeping up with updates you will be good to go.
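The forum reply above names the two defences Broadleaf relies on: bound parameters in prepared statements (what JPA/Hibernate emits) against SQL injection, and HTML escaping of output against XSS. The following is an added illustration of those two patterns, not Broadleaf's own code; it uses Python's stdlib sqlite3 and html modules instead of Java/JPA, a constructed in-memory product table, and hypothetical function names, so the contrast between a string-built query and a bound one can be run offline.

```python
import html
import sqlite3


def build_catalogue() -> sqlite3.Connection:
    """Constructed sample data (not Broadleaf's schema): two public products, one internal."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)"
    )
    conn.executemany(
        "INSERT INTO product (name, internal) VALUES (?, ?)",
        [("Widget", 0), ("Gadget", 0), ("Prototype X", 1)],
    )
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: the query text is assembled from user input, so quote characters in
    the input are parsed as SQL and can rewrite the WHERE clause (dropping the internal=0 filter)."""
    sql = f"SELECT name FROM product WHERE name = '{name}' AND internal = 0"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the value is bound to a placeholder by the driver and is never
    parsed as SQL. This is what JPA/Hibernate does for parameterised queries."""
    sql = "SELECT name FROM product WHERE name = ? AND internal = 0"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_product_name(name: str) -> str:
    """Output encoding: escape <, >, &, and quotes before placing a product name in HTML,
    the same idea as Spring MVC's HTML escape support. Markup in the data becomes inert text."""
    return f'<span class="product">{html.escape(name, quote=True)}</span>'


if __name__ == "__main__":
    db = build_catalogue()
    # Constructed inputs: a normal lookup and one containing a quote and a comment marker.
    for query in ("Widget", "x' OR 1=1 --"):
        print(repr(query), "unsafe:", search_unsafe(db, query), "safe:", search_safe(db, query))
    print(render_product_name('Widget <b>"special"</b>'))
```

With the ordinary lookup both functions return the same single row; with the quote-bearing input the string-built query loses its `internal = 0` filter and returns every row, while the bound query simply matches nothing. The escaped output contains no raw angle brackets or quotes, so whatever is stored in the name column is rendered as text rather than markup.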

Apache ODE, BPEL, Invoke RESTful API

The Apache ODE documentation seems to support this, i.e. invoking/orchestrating RESTful APIs.
No example sources are available on their site, and even after trying hard on Google I couldn't find anything useful.
Can someone help me to find a direction?
I'm using the latest Apache ODE distribution with the Eclipse BPEL Designer.
We have a large set of RESTful APIs that provides the core interface to our business processes entirely. BPEL seems to be a good orchestration/workflow programming solution, but without RESTful API support out of the box I'm almost giving up on it.
I must be missing something here. Please suggest.
This sample is compliant with the WS-BPEL 2.0 standard. We have tested it only on WSO2 BPS; you'll be able to run it on ODE with minimal changes to the process. https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.0.0/products/bps/3.0.0/modules/samples/product/src/main/resources/bpel/2.0/TestRESTProcess

Spring/Spring Security 3.0.x execution flow

I'm currently in the process of migrating an application from Spring 2.5.6 to Spring 3.0.4 and Spring Security 3.0.2, and I was wondering if there is some kind of execution flow for both of these frameworks so that developers could know what is being called before what.
For those of you who are doing this kind of migration, I can tell you that it's not a simple task; that's why I was wondering if some experts out there, in the wild, would have some references about these flows.
Thanks
You should start here:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html
This is a detailed overview of how Spring Security works and will get you up to speed on the changes. Additionally, I highly recommend the book by Peter Mularien, Spring Security 3.
With these two references you'll be on your way in no time.
Grant