CVE-2024-54676

Apache OpenMeetings: Deserialisation of untrusted data in cluster mode

CVSS 9.8 CRITICALEPSS 65.2%CWE-502

Vexday Risk Score

40Atención

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 9.8EPSS 65.2%KEV nãoPoC —Patch referenciado

Ciclo de vida

08 ene 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Productos afectados

Apache Software Foundation · Apache OpenMeetings

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 http://www.openwall.com/lists/oss-security/2025/01/08/1