Описание
Apache OpenMeetings vulnerable to Deserialization of Untrusted Data
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-54676
- https://github.com/apache/openmeetings/commit/1c3426c6d3abbd984a3c01a61decf1242ea38923
- https://issues.apache.org/jira/browse/OPENMEETINGS-2787
- https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95
- http://www.openwall.com/lists/oss-security/2025/01/08/1
Пакеты
org.apache.openmeetings:openmeetings-parent
>= 2.1.0, < 8.0.0
8.0.0
Связанные уязвимости
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
Уязвимость программного обеспечения видеоконференцсвязи Apache OpenMeetings, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации