Statement on Spring Framework RCE Vulnerability

Security Advisory
Updated 04-02-2022 05:05:12 AM 2145
This Article Applies to: 

TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.

  • Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.

Potentially Affected TP-Link Products:

DPMS (DeltaStream PON Management System) uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.

Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run DPMS. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

All GPON products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Disclaimer

The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.

Is this faq useful?

Your feedback helps improve this site.

SubscriptionTP-Link takes your privacy seriously. For further details on TP-Link's privacy practices, see TP-Link's Privacy Policy.

From United States?

Get products, events and services for your region.