CVE-2024-54676
Published: 08 January 2025
Summary
CVE-2024-54676 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache OpenMeetings. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-54676 affects Apache OpenMeetings versions 2.1.0 through 7.x. The vulnerability stems from incomplete default clustering guidance that omits OpenJPA serialization class blacklists and whitelists, enabling deserialization of untrusted data (CWE-502). The issue carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply a crafted serialized object over the network to the OpenMeetings clustering interface. Successful exploitation grants arbitrary code execution, allowing full compromise of confidentiality, integrity, and availability without requiring user interaction or credentials.
Apache recommends upgrading to version 8.0.0 and modifying startup scripts to set the openjpa.serialization.class.blacklist and openjpa.serialization.class.whitelist properties as documented in the updated clustering instructions. The referenced advisories from the Apache Security Team and oss-security list detail these configuration changes.
EPSS scores have remained low and essentially flat near 0.06, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0037
Vulnerability details
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html don't specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
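A defender-side check for the startup-script change described above, added here as an example and not part of the advisory or the OpenMeetings project: it scans a start script for the two OpenJPA `-D` properties and reports a script that leaves either one unset. The two sample scripts are constructed, and the values used in the hardened one (a `*` deny-all blacklist plus package-prefix whitelist entries) are assumed for illustration; take the real values from the vendor's updated clustering instructions.

```python
import re

# Constructed sample startup-script fragments (illustrative only, not OpenMeetings project files).
VULNERABLE_SCRIPT = """#!/bin/sh
# clustering enabled, but no OpenJPA deserialization filter configured
JAVA_OPTS="-Xmx2g -Dopenjpa.Log=DefaultLevel=WARN"
exec java $JAVA_OPTS -jar openmeetings.jar
"""

HARDENED_SCRIPT = """#!/bin/sh
# deny-by-default blacklist plus an explicit whitelist of package prefixes (values are assumed)
JAVA_OPTS="-Xmx2g \\
  -Dopenjpa.serialization.class.blacklist=* \\
  -Dopenjpa.serialization.class.whitelist=java.lang.,java.util.,org.apache.openmeetings.db.entity."
exec java $JAVA_OPTS -jar openmeetings.jar
"""

BLACKLIST = "openjpa.serialization.class.blacklist"
WHITELIST = "openjpa.serialization.class.whitelist"
# matches -Dopenjpa.serialization.class.<blacklist|whitelist>=<value>; value ends at whitespace or a quote
PROP_RE = re.compile(r"-D(openjpa\.serialization\.class\.(?:blacklist|whitelist))=([^\s\"']+)")


def extract_serialization_props(script_text):
    """Collect the two OpenJPA serialization-filter properties from -D options in a startup script."""
    return dict(PROP_RE.findall(script_text))


def audit_startup_script(script_text):
    """Report whether a startup script sets both filter properties; empty findings means hardened."""
    props = extract_serialization_props(script_text)
    blacklist = props.get(BLACKLIST)
    whitelist = props.get(WHITELIST)
    findings = []
    if blacklist is None:
        findings.append(f"{BLACKLIST} not set: every class on the classpath is deserializable")
    elif blacklist != "*":
        # policy assumed by this audit: deny everything, then allow only known entity packages
        findings.append(f"{BLACKLIST} is a partial deny list ({blacklist}); expected deny-all '*'")
    if whitelist is None:
        findings.append(f"{WHITELIST} not set: nothing is explicitly permitted")
    return {
        "blacklist": blacklist,
        "whitelist": whitelist.split(",") if whitelist else [],
        "findings": findings,
        "hardened": not findings,
    }


if __name__ == "__main__":
    for label, script in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(label, audit_startup_script(script))
```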
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques? A deserialization flaw in a public-facing OpenMeetings server enables unauthenticated remote code execution.
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely patching and remediation of the OpenJPA deserialization flaw via vendor upgrade to version 8.0.0.
- CM-6 (Configuration Settings): enforces secure configuration settings for OpenJPA serialization blacklists and whitelists in startup scripts to block untrusted data deserialization.
- SI-10 (Information Input Validation): requires validation of untrusted input data prior to deserialization processing to prevent arbitrary code execution.