CVE-2024-54676

Apache OpenMeetings: Deserialisation of untrusted data in cluster mode

CVSS 9.8 CRITICALEPSS 65.2%CWE-502

Vexday Risk Score

40Atenção

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 9.8EPSS 65.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

08 jan 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

Apache Software Foundation · Apache OpenMeetings

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 http://www.openwall.com/lists/oss-security/2025/01/08/1