Omada Controller for Windows / CVE-2023-44487

2024-08-29 09:28:42
Tags: #Firmware Update #Security
Hardware Version:
Firmware Version: 5.13.30.8

Hi there,

we are running the current Omada Controller for Windows on a Windows Server 2019 which is under protection of Microsoft Defender for servers. Microsoft reports several vulnerabilities that are caused by an outdated Tomcat core version used by the current version of the Omada Controller. Especially the one mentioned above (CVE-2023-44487) has publicly available exploits.

 

When will there be an update to remediate this security vulnerability?

 

More details of the Defender findings:

Vulnerabilities caused by:

<Omada Controller Installation folder>\lib\tomcat-embed-core-9.0.76.jar

 

Vulnerabilities found:

CVE-2023-41080

CVE-2023-44487

CVE-2023-45648

CVE-2023-42794

CVE-2023-42795

CVE-2023-46589

CVE-2024-23672

CVE-2024-24549

 

Regards,

Mister-D

#1
Re:Omada Controller for Windows / CVE-2023-44487
2024-08-30 08:20:25

  @Mister-D 

Do you have a report about it? If you have it, could you please download it for me? Additionally, V5.13.30.8 is not the latest firmware. Could you please try running the latest firmware? Firmware Download

Best Regards!
#2
Re:Omada Controller for Windows / CVE-2023-44487
2024-09-03 06:01:03

  @Hank21 

You were absolutely right, I mixed up two Omada installations and this one was out of date. I updated it over the weekend with the current Omada distribution 5.14.26.1 and some of the vulnerabilities are gone. Nevertheless, the Tomcat core version now installed is tomcat-embed-core-9.0.83.jar, which still has two vulnerabilities.

 

From what I can see in the Maven repository, version 9.0.83 dates back to November 2023, and versions 9.0.90+ are currently the only 9.x versions without known vulnerabilities.

 

| Operating System | Path | Vendor | Product | Installed Version | PathLastSeenTimestamp | PathLastUsedTimestamp | PathLastUsedWithOpenPortTimestamp | Discovered vulnerabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| WindowsServer2019 | C:\Program Files\Omada Controller\lib\tomcat-embed-core-9.0.76.jar | apache | tomcat | 9.0.76.0 | 01.09.2024 04:28 | 01.09.2024 04:28 | | CVE-2024-24549, CVE-2024-23672, CVE-2023-46589, CVE-2023-45648, CVE-2023-44487, CVE-2023-42795, CVE-2023-42794, CVE-2023-41080 |
| WindowsServer2019 | C:\Program Files\Omada Controller\lib\tomcat-embed-core-9.0.83.jar | apache | tomcat | 9.0.83.0 | 03.09.2024 04:00 | 03.09.2024 04:00 | | CVE-2024-24549, CVE-2024-23672 |

 

The Omada webserver is running as a Windows service, so Windows doesn't recognize it being "used". 

#3