Cyber Posture

CVE-2024-54676

Critical

Published: 08 January 2025
Modified: 15 January 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0612 (90.8th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

Security Summary

CVE-2024-54676 is a deserialization vulnerability in Apache OpenMeetings. It stems from the default clustering instructions, which fail to specify white or black lists for OpenJPA and so allow deserialization of untrusted data. The issue affects Apache OpenMeetings from 2.1.0 up to, but not including, 8.0.0. Classified under CWE-502 (Deserialization of Untrusted Data), it carries a CVSS v3.1 base score of 9.8, reflecting critical severity: the flaw is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

The vulnerability can be exploited by an unauthenticated attacker with network access to the affected OpenMeetings instance, with no user interaction or privileges required. Successful exploitation allows remote code execution, with high impact on confidentiality, integrity, and availability, up to full system takeover.

Apache's advisory recommends upgrading to version 8.0.0, which addresses the issue, and updating startup scripts to include the 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as detailed in the documentation at https://openmeetings.apache.org/Clustering.html. Note that upgrading alone is not sufficient: the OpenJPA serialization lists must also be set in the startup configuration of clustered deployments. Additional details are available in the Apache mailing list announcement and the oss-security posting.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products

Vendor: apache
Product: openmeetings
Versions: 2.1 up to, but not including, 8.0.0
