Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
The default clustering documentation for Apache OpenMeetings does not specify the configuration of allowed and forbidden class lists (whitelist/blacklist) for the OpenJPA library. As a result, the runtime environment can deserialize data from untrusted sources without proper class type verification. An attacker can send a crafted payload containing a malicious serialized Java object, which will be deserialized by the application, potentially leading to arbitrary code execution.
An unauthenticated remote attacker can gain full control over the system — achieving confidentiality, integrity, and availability at a critical level, which in practice means the ability to execute arbitrary code (RCE) on the server.
Apache OpenMeetings should be updated to version 8.0.0. Additionally, the application startup scripts must be updated with the parameters 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' according to the updated clustering documentation available at https://openmeetings.apache.org/Clustering.html.
Apache OpenMeetings in versions from 2.1.0 to 7.x (before version 8.0.0), particularly instances running in a cluster configuration consistent with the vendor's default documentation.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Openmeetings
APPApache2.1 – 8.0.0 (bez)
Related vulnerabilities
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Descri...
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and ...
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption k...