Statement on Spring Framework RCE Vulnerability( For DPMS)

TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.

• Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency

At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.

Potentially Affected TP-Link Products:

DPMS (DeltaStream PON Management System) uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.

Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run DPMS. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

All GPON products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Disclaimer

The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.