Statement on Spring Framework RCE Vulnerability( For DPMS)

DS-P7001-08 , DS-P7001-16
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.
- Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.
Potentially Affected TP-Link Products:
DPMS (DeltaStream PON Management System) uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.
Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run DPMS. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.
Unaffected TP-Link products:
All Wi-Fi Router
All Mesh Wi-Fi(Deco)
All Range Extender
All Powerline adapter
All Mobile Wi-Fi products
All SMB Routers, Switch, Omada EAP, and Pharos CPE
All VIGI products
All GPON products
APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada
Disclaimer
The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.
Is this faq useful?
Your feedback helps improve this site.
What’s your concern with this article?
- Dissatisfied with product
- Too Complicated
- Confusing Title
- Does not apply to me
- Too Vague
- Other
Thank you
We appreciate your feedback.
Click here to contact TP-Link technical support.
Recommend Products
Deze website gebruikt cookies om de gebruikservaring te verbeteren, onlineactiviteiten te analyseren en om gebruikers de best mogelijke ervaring te bieden op onze website. U heeft de mogelijkheid op ieder moment de cookies te weigeren. Bekijk onze privacyverklaring voor meer informatie.
Your Privacy Choices
Deze website gebruikt cookies om de gebruikservaring te verbeteren, onlineactiviteiten te analyseren en om gebruikers de best mogelijke ervaring te bieden op onze website. U heeft de mogelijkheid op ieder moment de cookies te weigeren. Bekijk onze privacyverklaring voor meer informatie.
Deze cookies zijn noodzakelijk voor de werking van de website en kunnen niet worden uitgeschakeld.
TP-Link
accepted_local_switcher, tp_privacy_banner, tp_privacy_base, tp_privacy_marketing, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType
Youtube
id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ
Cookies voor analyse geven ons de mogelijkheid uw activiteiten op onze website te volgen en zo de functionaliteit van de website aan te passen en te verbeteren.
Marketing cookies kunnen op onze website worden geplaatst door externe adverteerders waar wij mee samenwerken om een profiel te creëren met uw interesses en u zo van relevante advertenties te kunnen voorzien op andere websites.
Google Analytics & Google Tag Manager
_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>
Google Ads & DoubleClick
test_cookie, _gcl_au
Meta Pixel
_fbp
Crazy Egg
cebsp_, _ce.s, _ce.clock_data, _ce.clock_event, cebs
lidc, AnalyticsSyncHistory, UserMatchHistory, bcookie, li_sugr, ln_or