Update as of May 7, 2022:

 

Omada Software Controller v5.3.1 has been officially released, which upgraded spring-boot version to 2.6.6 and spring-framework version to 5.3.18 to avoid the potential Spring vulnerability (CVE-2022-22965). 

 

For more details, please refer to this post.

 

 

 

------------------------History Update-------------------------------

 

April 2nd, 2022:

 

TP-Link has released a Beta firmware of Omada Software Controller v5.2.4, which upgraded spring-boot version to 2.6.6 and spring-framework version to 5.3.18 to avoid the potential Spring vulnerability. 

 

For more details, please click HERE.

 

------------------------Original Content-------------------------------

 

Hi All,

 

TP-Link is aware of a recent remote code execution (RCE) vulnerability discovered in Spring Framework.

Based on the official information currently available, the prerequisites for this vulnerability are as follows.

 

• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
• spring-webmvc or spring-webflux dependency
• Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

 

Potentially Affected TP-Link Products: 

 

Omada Software Controller v5.0.x
Omada Software Controller v5.1.x

Note: Other Omada Controller versions and TP-Link products are unaffected.

 

Available Solutions:

Omada Software Controller v5.0 and v5.1 support Java 8 (OpenJDK-8) and higher version. There is a chance that you install Java 9 (OpenJDK-9) or higher version to run the Omada Software Controller, in that case, we highly recommend that you downgrade to Java 8 (OpenJDK-8) for use.

Note: To check the running Java version, you may run the "java -version" command, or refer to this manual from Java website.

 

To downgrade Java version, here are some guidance for your reference:

• For Windows: 

Normally, you will be redirected to the official Java website to download and install Java 8 during the controller installation.

If you installed Java 9 or higher version on your own, please download the Java 8 installer from the Java official website, stop running the controller, uninstall the higher version and run the Java 8 installer then start the controller again.

• For Ubuntu/Debian:

Run command ”sudo tpeap stop” to stop running the controller.

Run command “sudo dkpg –l | grep openjdk” to check your OpenJDK installations.

To uninstall OpenJDK-11, please run the command “sudo dpkg –r openjdk-11-jre-headless”. If there are some dependency errors, please try with “sudo dpkg --force-depends –r openjdk-11-jre-headless”.

To install OpenJDK-8, you may try with “sudo apt install openjdk-8-jre-headless”; but the official apt sources on some Linux distributions may no longer provide the installation of OpenJDK-8, you may choose to download installers for manual installation according to the installation guides, such as Java, AdoptOpenJDK , Openlogic.

 

Thank you for your attention!

 

References:

• Spring Framework RCE, Early Announcement
• CVE-2022-22965