TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.
- Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.
Potentially Affected TP-Link Products:
Omada Software Controller uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.
Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run the controller. For more detailed guides, please refer to our community.
Both Omada Hardware Controller (OC200 v1/v2, OC300) and Omada Cloud-Based Controller use OpenJDK-8 and are therefore not affected by this vulnerability. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.
Unaffected TP-Link products:
All Wi-Fi Router
All Mesh Wi-Fi(Deco)
All Range Extender
All Powerline adapter
All Mobile Wi-Fi products
All SMB Routers, Switch, Omada EAP, and Pharos CPE
All VIGI products
APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada
Disclaimer
The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.