PT-2025-3058 · Apache · Apache Openmeetings
M0D9
Published: 2025-01-08 · Updated: 2026-03-27 · CVE-2024-54676

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache OpenMeetings versions 2.1.0 through 8.0.0

Description
The default clustering instructions do not specify white/black lists for OpenJPA, leading to possible deserialization of untrusted data. This issue allows attackers to execute arbitrary code in cluster mode. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant openjpa.serialization.class.blacklist and openjpa.serialization.class.whitelist configurations.

Recommendations
For Apache OpenMeetings versions 2.1.0 through 8.0.0, upgrade to version 8.0.0 and update the startup scripts to include the openjpa.serialization.class.blacklist and openjpa.serialization.class.whitelist configurations as shown in the documentation. As a temporary workaround, consider restricting access to the clustering feature until the issue is resolved.

Fix
RCE

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
BDU:2025-03166
CVE-2024-54676
GHSA-MJF9-4PCV-VFG7

Affected Products
Apache Openmeetings