Statement on Spring Framework RCE Vulnerability

Security Advisory
Aktualisiert 04-02-2022 05:05:12 AM 4274
Dieser Artikel gilt für: 

TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.

  • Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.

Potentially Affected TP-Link Products:

DPMS (DeltaStream PON Management System) uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.

Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run DPMS. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

All GPON products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Disclaimer

The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.

Finden Sie diese FAQ hilfreich?

Mit Ihrer Rückmeldung tragen Sie dazu bei, dass wir unsere Webpräsenz verbessern.

Subscription Für TP-Link ist Datenschutz sehr wichtig. Weitere Informationen zu unseren Datenschutzbedingungen finden Sie in der Datenschutzerklärung von TP-Link.

Von United States?

Erhalten Sie Produkte, Events und Leistungen speziell für Ihre Region