
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2025/VULN005

_____________________________________________________________________

DATE                : 04/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache OpenMeetings versions
                     prior to 8.0.0.

=====================================================================
https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95
_____________________________________________________________________

CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted
data in cluster mode

Posted to user@openmeetings.apache.org
Maxim Solodovnik - Wednesday 8 January 2025 07:20:39 UTC+1

Severity: important

Affected versions:

- Apache OpenMeetings 2.1 before 8.0.0

Description:

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: The default clustering instructions at
https://openmeetings.apache.org/Clustering.html do not specify
white/black lists for OpenJPA; this leads to possible deserialisation
of untrusted data.

Users are recommended to upgrade to version 8.0.0 and update their
startup scripts to include the relevant
'openjpa.serialization.class.blacklist' and
'openjpa.serialization.class.whitelist' configurations as shown in
the documentation.

This issue is being tracked as OPENMEETINGS-2787.


Credit:

m0d9 from Tencent Yunding Lab (reporter)


References:

https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-54676
https://issues.apache.org/jira/browse/OPENMEETINGS-2787


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
