Search icon Choose location
 
Search icon

Statement on Apache Log4j2 Vulnerability

Security Advisory
Updated 07-23-2024 07:08:48 AM FAQ view icon154659

TP-Link is aware of the following vulnerabilities in Apache Log4j2:

  • CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
  • CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j2 2.15.0 was incomplete in certain non-default configurations.
  • CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.

At TP-Link, customer security comes first. TP-Link is investigating and will keep updating this advisory as more information becomes available.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Affected Products/Services:

Omada Controllers

Omada Software Controller and Omada Hardware Controller (OC200, OC300) are affected by vulnerabilities CVE-2021-44228 and CVE-2021-45046, and are not affected by CVE-2021-45105.

We have released official updates below to upgrade the built-in Log4j2 to version 2.16 and will upgrade to version 2.17 in a subsequent update. We recommend you upgrade as soon as possible!

For Windows: Omada_Controller_V5.0.29_Windows

For Linux (tar): Omada_Controller_V4.4.8_Linux_x64.tar

For Linux (deb): Omada_Controller_V4.4.8_Linux_x64.deb

For OC200: OC200(UN)_V1_1.14.2 Build 20211215

For OC300: OC300(UN)_V1_1.7.0 Build 20211215

TP-Link Cloud:

We have updated the Log4j2 version to fix the vulnerabilities in Omada Cloud-Based Controller, Cloud-Access service, and other cloud services impacted by the vulnerability.

Deco4ISP

Versions earlier than 1.5.82 are affected, please upgrade to the version of 1.5.82.

Disclaimer

Apache Log4j2 vulnerabilities will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.

Is this faq useful?

Your feedback helps improve this site.

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

From United States?

Get products, events and services for your region.

GO Other Option

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Livechat

__livechat, __lc2_cid, __lc2_cst, __lc_cid, __lc_cst, CASID

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au

Meta Pixel

_fbp

Crazy Egg

cebsp_, _ce.s, _ce.clock_data, _ce.clock_event, cebs

Hotjar

OptanonConsent, _sctr, _cs_s, _hjFirstSeen, _hjAbsoluteSessionInProgress, _hjSessionUser_14, _fbp, ajs_anonymous_id, _hjSessionUser_<hotjar-id>, _uetsid, _schn, _uetvid, NEXT_LOCALE, _hjSession_14, _hjid, _cs_c, _scid, _hjAbsoluteSessionInProgress, _cs_id, _gcl_au, _ga, _gid, _hjIncludedInPageviewSample, _hjSession_<hotjar-id>, _hjIncludedInSessionSample_<hotjar-id>

Linkedin

lidc, AnalyticsSyncHistory, UserMatchHistory, bcookie, li_sugr, ln_or