Business Community > Controllers > Omada Controller for Windows / CVE-2023-44487
< Controllers

Omada Controller for Windows / CVE-2023-44487

Omada Controller for Windows / CVE-2023-44487

Omada Controller for Windows / CVE-2023-44487
Omada Controller for Windows / CVE-2023-44487
2024-08-29 09:28:42
Tags: #Firmware Update #Security
Model: Omada Software Controller (Windows)  
Hardware Version:
Firmware Version: 5.13.30.8

Hi there,

we are running the current Omada Controller for Windows on a Windows Server 2019 which is under protection of Microsoft Defender for servers. Microsoft reports several vulnerabilities that are caused by an outdated tomcat core version used by the current version of the omada controller. Especially the one mentioned above (CVE-2023-44487) hab publicly available exploits available.

 

When will there be an update to remediate this security vulnerability?

 

More details of the Defender findings:

Vulnerabilities caused by:

<Omada Controller Installation folder>\lib\tomcat-embed-core-9.0.76.jar

 

Vulnerabilites found:

CVE-2023-41080

CVE-2023-44487

CVE-2023-45648

CVE-2023-42794

CVE-2023-42795

CVE-2023-46589

CVE-2024-23672

CVE-2024-24549

 

Regards,

Mister-D

  0      
 
  0      
 
#1
Options
2 Reply
Re:Omada Controller for Windows / CVE-2023-44487
2024-08-30 08:20:25

  @Mister-D 

Do you have a report about it? If you have it, could you please download it for me? Additionally, V5.13.30.8 is not the latest firmware. Could you please try running the latest firmware? Firmware Download

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:Omada Controller for Windows / CVE-2023-44487
2024-09-03 06:01:03

  @Hank21 

You were absolutely right, I mixed up two Omada installations and this one was out of date. I updated it over the weekend with the current Omada distribution 5.14.26.1 and some of the vulnerabilities are gone. Nevertheless now the tomcat core version installed is tomcat-embed-core-9.0.83.jar, which still has two vulnerabilities.

 

What I can see from the Maven repository, version 9.0.83 is dated back in November 2023 and only versions 9.0.90+ are currently the only 9.x versions without known vulnerabilities.

 

Operating System Path Vendor Product Installed Version PathLastSeenTimestamp PathLastUsedTimestamp PathLastUsedWithOpenPortTimestamp Discovered vulnerabilities
WindowsServer2019 C:\Program Files\Omada Controller\lib\tomcat-embed-core-9.0.76.jar apache tomcat 9.0.76.0 01.09.2024 04:28 01.09.2024 04:28   CVE-2024-24549, CVE-2024-23672, CVE-2023-46589, CVE-2023-45648, CVE-2023-44487, CVE-2023-42795, CVE-2023-42794, CVE-2023-41080
WindowsServer2019 C:\Program Files\Omada Controller\lib\tomcat-embed-core-9.0.83.jar apache tomcat 9.0.83.0 03.09.2024 04:00 03.09.2024 04:00   CVE-2024-24549, CVE-2024-23672

 

The Omada webserver is running as a Windows service, so Windows doesn't recognize it being "used". 

  0  
  0  
#3
Options

Information

Helpful: 0

Views: 358

Replies: 2

Tags

Firmware Update
Security
Related Articles
Unifi Controller + Omada Controller (on the same Windows server)
4063 0
cannot start the Omada Controller in windows system
1363 0
Retrieve login for omada SDN controller (windows)
760 0
Migrate Windows Controller 5.14.20.9 to OC200 5.13.30.20
409 0
After upgrade of Omada Software Controller V5.7 to V5.8.4 Windows no data is shown (using port 443)
1608 0
Omada Software Controller (Windows 11) - missing Wifi and Wired clients on the clients list - 5.9.31
1999 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.