M0D9

#23278 of 53,635
10 Total CVSS
Vulnerabilities · 1
PT-2025-3058
10
2025-01-08
Apache · Apache Openmeetings · CVE-2024-54676
**Name of the Vulnerable Software and Affected Versions**

Apache OpenMeetings versions 2.1.0 through 8.0.0

**Description**

The default clustering instructions do not specify white/black lists for OpenJPA, leading to possible deserialization of untrusted data. This issue allows attackers to execute arbitrary code in cluster mode. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant `openjpa.serialization.class.blacklist` and `openjpa.serialization.class.whitelist` configurations.

**Recommendations**

For Apache OpenMeetings versions 2.1.0 through 8.0.0, upgrade to version 8.0.0 and update the startup scripts to include the `openjpa.serialization.class.blacklist` and `openjpa.serialization.class.whitelist` configurations as shown in the documentation. As a temporary workaround, consider restricting access to the clustering feature until the issue is resolved.