CVE-2024-54676

Apache OpenMeetings: Deserialisation of untrusted data in cluster mode

CVSS 9.8 CRITICALEPSS 65.2%CWE-502

Vexday Risk Score

40Attention

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 65.2%KEV nãoPoC —Patch referenciado

Lifecycle

08 Jan 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Apache Software Foundation · Apache OpenMeetings

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 http://www.openwall.com/lists/oss-security/2025/01/08/1