Spring Framework RCE Vulnerability (CVE-2022-22965) - [Case Closed]

Spring Framework RCE Vulnerability (CVE-2022-22965) - [Case Closed]

Spring Framework RCE Vulnerability (CVE-2022-22965) - [Case Closed]
Spring Framework RCE Vulnerability (CVE-2022-22965) - [Case Closed]
2022-04-01 01:56:48 - last edited 2023-02-02 11:58:25

Update as of May 7, 2022:


Omada Software Controller v5.3.1 has been officially released, which upgraded spring-boot version to 2.6.6 and spring-framework version to 5.3.18 to avoid the potential Spring vulnerability (CVE-2022-22965). 


For more details, please refer to this post.




------------------------History Update-------------------------------


April 2nd, 2022:


TP-Link has released a Beta firmware of Omada Software Controller v5.2.4, which upgraded spring-boot version to 2.6.6 and spring-framework version to 5.3.18 to avoid the potential Spring vulnerability. 


For more details, please click HERE.


------------------------Original Content-------------------------------


Hi All,


TP-Link is aware of a recent remote code execution (RCE) vulnerability discovered in Spring Framework.

Based on the official information currently available, the prerequisites for this vulnerability are as follows.


  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions


Potentially Affected TP-Link Products: 


Omada Software Controller v5.0.x
Omada Software Controller v5.1.x

Note: Other Omada Controller versions and TP-Link products are unaffected.


Available Solutions:

Omada Software Controller v5.0 and v5.1 support Java 8 (OpenJDK-8) and higher version. There is a chance that you install Java 9 (OpenJDK-9) or higher version to run the Omada Software Controller, in that case, we highly recommend that you downgrade to Java 8 (OpenJDK-8) for use.

Note: To check the running Java version, you may run the "java -version" command, or refer to this manual from Java website.


To downgrade Java version, here are some guidance for your reference:

  • For Windows: 

Normally, you will be redirected to the official Java website to download and install Java 8 during the controller installation.

If you installed Java 9 or higher version on your own, please download the Java 8 installer from the Java official website, stop running the controller, uninstall the higher version and run the Java 8 installer then start the controller again.

  • For Ubuntu/Debian:

Run command ”sudo tpeap stop” to stop running the controller.

Run command “sudo dkpg –l | grep openjdk” to check your OpenJDK installations.

To uninstall OpenJDK-11, please run the command “sudo dpkg –r openjdk-11-jre-headless”. If there are some dependency errors, please try with “sudo dpkg --force-depends –r openjdk-11-jre-headless”.

To install OpenJDK-8, you may try with “sudo apt install openjdk-8-jre-headless”; but the official apt sources on some Linux distributions may no longer provide the installation of OpenJDK-8, you may choose to download installers for manual installation according to the installation guides, such as JavaAdoptOpenJDKOpenlogic.


Thank you for your attention!




>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*


Helpful: 3

Views: 1479

Replies: 0