A critical security vulnerability (CVE-2024-54676, CVSS 9.8) has been discovered in Apache OpenMeetings, a popular open-source platform for video conferencing and online collaboration. The flaw could allow attackers to execute arbitrary code on vulnerable systems, potentially compromising sensitive data and disrupting services.
The vulnerability stems from insecure deserialization of untrusted data in OpenMeetings’ cluster mode. It arises because OpenMeetings did not configure a whitelist or blacklist of classes for OpenJPA, the Java persistence framework it uses, so OpenJPA would deserialize whatever class names arrived in the data. By exploiting this flaw, an attacker could supply crafted serialized data that the server would deserialize and execute as code.
This vulnerability is particularly concerning because it affects the cluster mode, which is often used in enterprise environments where multiple servers work together to provide high availability and scalability. Exploiting this vulnerability could allow attackers to gain complete control over the entire cluster, significantly amplifying the impact of the attack.
The Apache OpenMeetings project has addressed the CVE-2024-54676 vulnerability in version 8.0.0. Users are strongly urged to upgrade to the latest version and implement the recommended security configurations as outlined in the updated documentation. These configurations involve specifying openjpa.serialization.class.blacklist and openjpa.serialization.class.whitelist in their startup scripts to restrict the types of data that can be deserialized.
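The following is an added example, not code from OpenMeetings or OpenJPA, illustrating why a class whitelist/blacklist is the fix for this class of bug. It uses the JDK's own ObjectInputFilter (Java 9 and later) rather than the OpenJPA properties named above, but the two play the same role: a class that is not on the allowlist is rejected before its readObject method can run. The class names DeserializationFilterDemo, SessionTicket and Unexpected are hypothetical stand-ins for the types a cluster might exchange; nothing here reflects OpenMeetings' actual wire format.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not OpenMeetings or OpenJPA code). Demonstrates that an
 * allowlist on ObjectInputStream rejects unexpected classes before their
 * deserialization hooks execute. The filter syntax is the JDK's
 * ObjectInputFilter pattern language; the openjpa.serialization.class.*
 * properties serve the same purpose for OpenJPA's own deserialization.
 */
public class DeserializationFilterDemo {

    /** Hypothetical type the application legitimately exchanges. */
    public static final class SessionTicket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionTicket(String user) { this.user = user; }
    }

    /** Hypothetical type that should never appear on the wire. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Stands in for "arbitrary code that runs during deserialization".
            SIDE_EFFECTS.add("Unexpected.readObject ran");
        }
    }

    static final List<String> SIDE_EFFECTS = new ArrayList<>();

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with an allowlist: SessionTicket and classes from the
     * java.base module (String etc.) are permitted; "!*" rejects everything else.
     * The first matching pattern decides, so order matters.
     */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                SessionTicket.class.getName() + ";java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed class: deserializes normally.
        Object ok = readFiltered(serialize(new SessionTicket("alice")));
        System.out.println("allowed: " + ((SessionTicket) ok).user);

        // Unlisted class: the stream is rejected before readObject is reached.
        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
        System.out.println("side effects observed: " + SIDE_EFFECTS); // stays empty
    }
}
```

The same reasoning applies to the OpenJPA properties: a blacklist alone only blocks classes someone already thought of, whereas a whitelist ending in a deny-all rule fails closed, which is why the documentation asks for both to be set explicitly at startup rather than left at their defaults.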
This vulnerability was discovered by m0d9 from Tencent Yunding Lab. Their responsible disclosure allowed the Apache OpenMeetings team to develop and release a patch before any malicious exploitation was reported.