Apache OpenMeetings: Deserialisation of untrusted data in cluster mode
Description
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OpenMeetings clustering instructions lack OpenJPA serialization black/whitelists, allowing untrusted data deserialization.
Vulnerability
Description
The default clustering instructions for Apache OpenMeetings fail to specify white/black lists for OpenJPA serialization, leading to potential deserialization of untrusted data [1]. This affects versions from 2.1.0 before 8.0.0 [1]. The issue was identified as OPENMEETINGS-2787 [2].
Exploitation
In a clustered deployment, an attacker able to send serialized data to the cluster can exploit the missing class filtering to trigger deserialization of malicious objects [3]. The attack does not require authentication if the cluster endpoints are exposed, but typically some network access is needed.
Impact
Successful deserialization can lead to arbitrary code execution on the server running OpenMeetings, potentially compromising the entire application and underlying system [3].
Mitigation
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant openjpa.serialization.class.blacklist and openjpa.serialization.class.whitelist configurations as shown in the documentation [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
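Because the fix is a JVM option rather than a code change, an existing deployment stays exposed until its own startup script carries the two OpenJPA properties. The shell function below is an added audit helper (not part of the advisory or of the OpenMeetings project): it reads the JAVA_OPTS line of a systemd unit and reports whether the deny-all blacklist and a non-empty whitelist are set; the two sample unit files it writes are constructed from the before/after lines of the fix commit.

```shell
#!/bin/sh
# Audit an OpenMeetings systemd unit for the OpenJPA serialization filter.
# Returns 0 when JAVA_OPTS carries blacklist=* AND a non-empty whitelist,
# 1 otherwise. Only the JAVA_OPTS Environment= line is inspected.
check_openjpa_filter() {
    unit_file="$1"
    # systemd writes Environment='JAVA_OPTS=...'; the '.' matches the quote.
    line=$(grep '^Environment=.JAVA_OPTS=' "$unit_file" || true)
    # Split on quotes and spaces so every -D option becomes its own token.
    tokens=$(printf '%s' "$line" | tr "'\" " '\n\n\n')
    deny=$(printf '%s\n' "$tokens" | grep '^-Dopenjpa.serialization.class.blacklist=' | cut -d= -f2-)
    allow=$(printf '%s\n' "$tokens" | grep '^-Dopenjpa.serialization.class.whitelist=' | cut -d= -f2-)
    if [ "$deny" = '*' ] && [ -n "$allow" ]; then
        printf 'OK: blacklist=* whitelist=%s\n' "$allow"
        return 0
    fi
    printf 'MISSING FILTER: blacklist=%s whitelist=%s\n' "${deny:-<unset>}" "${allow:-<unset>}"
    return 1
}

# Constructed sample units: "before" is the pre-8.0.0 JAVA_OPTS line,
# "after" is the line introduced by the fix commit (rest of unit omitted).
write_sample_unit() {   # $1 = path, $2 = before | after
    if [ "$2" = after ]; then
        cat >"$1" <<'EOF'
[Service]
Environment='CATALINA_OPTS=-Xms1G -Xmx4G -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dopenjpa.serialization.class.blacklist=* -Dopenjpa.serialization.class.whitelist=[B,java.util,org.apache.openjpa,org.apache.openmeetings.db.entity'
EOF
    else
        cat >"$1" <<'EOF'
[Service]
Environment='CATALINA_OPTS=-Xms1G -Xmx4G -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
EOF
    fi
}

# Demo: the unpatched unit is flagged, the patched one passes.
tmp=$(mktemp -d)
write_sample_unit "$tmp/before.service" before
write_sample_unit "$tmp/after.service" after
check_openjpa_filter "$tmp/before.service" || echo "before.service needs the 8.0.0 JAVA_OPTS"
check_openjpa_filter "$tmp/after.service"
rm -rf "$tmp"
```

On a live host, point the function at /etc/systemd/system/openmeetings.service (or wherever the unit is installed); a deployment started via bin/startup.sh or a container entrypoint needs the same two properties in its own JAVA_OPTS.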
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.openmeetings:openmeetings-parent (Maven) | >= 2.1.0, < 8.0.0 | 8.0.0 |
Affected products
- Range: >=2.1.0 <8.0.0
- Apache Software Foundation / Apache OpenMeetings v5 Range: 2.1
Patches
1c3426c6d3ab [OPENMEETINGS-2787] Startup script and clustering instructions are updated
2 files changed · +8 −1
openmeetings-server/src/main/assembly/scripts/openmeetings.service+1 −1 modified@@ -31,7 +31,7 @@ Environment=CATALINA_HOME=/opt/openmeetings Environment=CATALINA_BASE=/opt/openmeetings Environment='JDK_JAVA_OPTIONS=--add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED -XX:+DisableAttachMechanism' Environment='CATALINA_OPTS=-Xms1G -Xmx4G -server -XX:+UseParallelGC' -Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom' +Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dopenjpa.serialization.class.blacklist=* -Dopenjpa.serialization.class.whitelist=[B,java.util,org.apache.openjpa,org.apache.openmeetings.db.entity' ExecStart=/opt/openmeetings/bin/startup.sh ExecStop=/opt/openmeetings/bin/shutdown.sh
openmeetings-server/src/site/xdoc/Clustering.xml+7 −0 modified@@ -83,6 +83,13 @@ set correct server address, login and password. Also uncomment following line: <source><![CDATA[<property name="openjpa.RemoteCommitProvider" value="tcp(Addresses=127.0.0.1)" />]]></source> </li> + <li> + <div class="bd-callout bd-callout-danger"> + IMPORTANT: Please ensure your startup scripts has OpenJPA black/white list definition + </div> + <p>Here is an example:</p> + <code>JAVA_OPTS="-Dopenjpa.serialization.class.blacklist=* -Dopenjpa.serialization.class.whitelist=[B,java.util,org.apache.openjpa,org.apache.openmeetings.db.entity"</code> + </li> </ul> </subsection> <subsection name="File systems">
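Review bot: in the openmeetings.service hunk the new whitelist admits the whole `java.util` prefix (plus `[B`, `org.apache.openjpa`, `org.apache.openmeetings.db.entity`), and nothing in the change records which remote-commit message types need it; with `blacklist=*` the whitelist is now the only control, so the commit or Clustering.xml should state why `java.util` is required so operators can judge whether to narrow it. Note also that the filter is only added to the systemd unit, so deployments launched via bin/startup.sh or a container entrypoint do not inherit it.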
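Review bot: the Clustering.xml hunk shows the properties as a bare `JAVA_OPTS="..."` assignment without saying where that line belongs (bin/setenv.sh versus the `Environment='JAVA_OPTS=...'` form used in openmeetings.service), and it wraps the example in `<code>` while the neighbouring snippet uses `<source><![CDATA[...]]></source>`; use the same element and name the file. Minor: "Please ensure your startup scripts has" should read "have".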
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mjf9-4pcv-vfg7 (ghsa, ADVISORY)
- lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-54676 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/01/08/1 (ghsa, WEB)
- github.com/apache/openmeetings/commit/1c3426c6d3abbd984a3c01a61decf1242ea38923 (ghsa, WEB)
- issues.apache.org/jira/browse/OPENMEETINGS-2787 (ghsa, WEB)