Solution Spring Framework RCE Vulnerability (CVE-2022-22965) - [Case Closed]
Update as of May 7, 2022:
Omada Software Controller v5.3.1 has been officially released, which upgraded spring-boot version to 2.6.6 and spring-framework version to 5.3.18 to avoid the potential Spring vulnerability (CVE-2022-22965).
For more details, please refer to this post.
------------------------History Update-------------------------------
April 2nd, 2022:
TP-Link has released a Beta firmware of Omada Software Controller v5.2.4, which upgraded spring-boot version to 2.6.6 and spring-framework version to 5.3.18 to avoid the potential Spring vulnerability.
For more details, please click HERE.
------------------------Original Content-------------------------------
Hi All,
TP-Link is aware of a recent remote code execution (RCE) vulnerability discovered in Spring Framework.
Based on the official information currently available, the prerequisites for this vulnerability are as follows.
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Potentially Affected TP-Link Products:
Omada Software Controller v5.0.x
Omada Software Controller v5.1.x
Note: Other Omada Controller versions and TP-Link products are unaffected.
Available Solutions:
Omada Software Controller v5.0 and v5.1 support Java 8 (OpenJDK-8) and higher versions. If you installed Java 9 (OpenJDK-9) or a higher version to run the Omada Software Controller, we highly recommend that you downgrade to Java 8 (OpenJDK-8).
Note: To check the running Java version, you may run the "java -version" command, or refer to this manual from the Java website.
To downgrade the Java version, here is some guidance for your reference:
- For Windows:
Normally, you will be redirected to the official Java website to download and install Java 8 during the controller installation.
If you installed Java 9 or a higher version yourself, please download the Java 8 installer from the official Java website, stop the controller, uninstall the higher version, run the Java 8 installer, and then start the controller again.
- For Ubuntu/Debian:
Run the command "sudo tpeap stop" to stop the controller.
Run the command "sudo dpkg -l | grep openjdk" to check your OpenJDK installations.
To uninstall OpenJDK-11, run the command "sudo dpkg -r openjdk-11-jre-headless". If there are dependency errors, try "sudo dpkg --force-depends -r openjdk-11-jre-headless".
To install OpenJDK-8, try "sudo apt install openjdk-8-jre-headless"; the official apt sources of some Linux distributions may no longer provide OpenJDK-8, in which case you may download installers for manual installation according to the installation guides, such as those from Java, AdoptOpenJDK, or OpenLogic.
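As an added example (not a TP-Link script), the POSIX sh functions below make the two checks above scriptable: one parses the major version out of "java -version" output (both the 1.8.x and the 11.x naming schemes) and reports whether the JDK 9+ prerequisite is met, the other picks the installed OpenJDK 9+ runtime packages out of "dpkg -l" output. The sample outputs embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not TP-Link's own script: make the two checks from the
# advisory scriptable. The sample outputs below are constructed.

# Major Java version from `java -version` text: "1.8.0_312" -> 8,
# "11.0.14" -> 11, "17-ea" -> 17. Returns 1 if no version line is found.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 | cut -d- -f1 ;;
    esac
}

# "downgrade-recommended" when the runtime is JDK 9 or newer (the
# prerequisite named in the advisory), "ok" for Java 8.
classify_runtime() {
    major=$(java_major_version "$1") || return 1
    if [ "$major" -ge 9 ]; then echo "downgrade-recommended"; else echo "ok"; fi
}

# Installed openjdk packages of major version 9+ from `dpkg -l` output,
# i.e. the candidates for `sudo dpkg -r <package>`.
newer_openjdk_packages() {
    printf '%s\n' "$1" | awk '$1 == "ii" && $2 ~ /^openjdk-[0-9]+-/ {
        split($2, f, "-"); if (f[2] + 0 >= 9) print $2 }'
}

# Constructed sample outputs for a stand-alone run.
SAMPLE_JAVA_8='openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1-b07)'
SAMPLE_JAVA_11='openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment (build 11.0.14+9-Ubuntu-0ubuntu2)'
SAMPLE_DPKG='ii  openjdk-11-jre-headless:amd64  11.0.14+9-0ubuntu2  amd64  OpenJDK Java runtime
ii  openjdk-8-jre-headless:amd64   8u312-b07-0ubuntu1  amd64  OpenJDK Java runtime
ii  curl                           7.81.0-1ubuntu1.3   amd64  command line tool'

echo "java 8 sample:  $(classify_runtime "$SAMPLE_JAVA_8")"
echo "java 11 sample: $(classify_runtime "$SAMPLE_JAVA_11")"
echo "packages to remove: $(newer_openjdk_packages "$SAMPLE_DPKG")"
# Live check on this host (java prints its version to stderr).
if command -v java >/dev/null 2>&1; then
    echo "this host: $(classify_runtime "$(java -version 2>&1)")"
fi
```

Run it on the controller host after "sudo tpeap stop"; the live line at the end tells you whether the installed runtime still needs the downgrade.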
Thank you for your attention!