CRITICAL🇵🇱 Wersja polska

CVE-2024-54676

CVSS 9.8v3.1pub. 2025-01-08upd. 2025-01-15

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html  doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

🤖 AI Analysis
How it works

The default clustering documentation for Apache OpenMeetings does not specify the configuration of allowed and forbidden class lists (whitelist/blacklist) for the OpenJPA library. As a result, the runtime environment can deserialize data from untrusted sources without proper class type verification. An attacker can send a crafted payload containing a malicious serialized Java object, which will be deserialized by the application, potentially leading to arbitrary code execution.

Impact

An unauthenticated remote attacker can gain full control over the system — achieving confidentiality, integrity, and availability at a critical level, which in practice means the ability to execute arbitrary code (RCE) on the server.

Mitigation & patch

Apache OpenMeetings should be updated to version 8.0.0. Additionally, the application startup scripts must be updated with the parameters 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' according to the updated clustering documentation available at https://openmeetings.apache.org/Clustering.html.

Who is affected

Apache OpenMeetings in versions from 2.1.0 to 7.x (before version 8.0.0), particularly instances running in a cluster configuration consistent with the vendor's default documentation.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Openmeetings

    APP
    Apache
    2.1 – 8.0.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2023-28326CRITICAL9.8ten sam produkt

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Descri...

CVE-2016-8736CRITICAL9.8ten sam produkt

Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.

CVE-2017-7664CRITICAL10.0ten sam produkt

Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.

CVE-2017-7673CRITICAL9.8ten sam produkt

Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and ...

CVE-2026-33266HIGH7.5ten sam produkt

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption k...