Statement on Spring Framework RCE Vulnerability(For Omada Software Controller)

TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.

• Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency

At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.

Potentially Affected TP-Link Products:

Omada Software Controller uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.

Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run the controller. For more detailed guides, please refer to our community.

Both Omada Hardware Controller (OC200 v1/v2, OC300) and Omada Cloud-Based Controller use OpenJDK-8 and are therefore not affected by this vulnerability. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Disclaimer

The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.