CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode

Description

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

Classification

CVE ID: CVE-2024-54676

Affected Products

Vendor: Apache Software Foundation

Product: Apache OpenMeetings

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.18% (probability of being exploited)

EPSS Percentile: 55.53% (scored less or equal to compared to others)

EPSS Date: 2025-02-06 (when was this score calculated)

References

https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95

Timeline

2025-01-08 17:15:19 UTC
Github Advisory Database (Maven)

[org.apache.openmeetings:openmeetings-parent] Apache OpenMeetings vulnerable to Deserialization of Untrusted Data
2025-01-09 00:30:21 UTC
CVE

Apache OpenMeetings: Deserialisation of untrusted data in cluster mode