Statement on Spring Framework RCE Vulnerability( For DPMS)
Security Advisory
Updated 04-26-2023 12:22:14 PM42225
This Article Applies to:
DS-P7001-08 , DS-P7001-16
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
TP-Link is aware of the RCE vulnerability CVE-2022-22965 in the Spring Framework. According to the official information, the prerequisites for this vulnerability are as follows.
Spring Framework: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, older, unsupported versions are also affected
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency
At TP-Link, customer security comes first. TP-Link is closely monitoring and investigating the vulnerability and will keep updating this advisory as more information becomes available.
Potentially Affected TP-Link Products:
DPMS (DeltaStream PON Management System) uses the Spring Framework and supports Java 8 (OpenJDK-8) and above since version 5.0. However, its use of the Spring Framework does not meet the above prerequisites and our attack simulation/vulnerability scan results in a Failure.
Nevertheless, given that the nature of the vulnerability is more general, we recommend that you downgrade to Java 8 (OpenJDK-8) to run DPMS. TP-Link will update the built-in Spring Framework to fix the vulnerability in subsequent updates.
Unaffected TP-Link products:
All Wi-Fi Router
All Mesh Wi-Fi(Deco)
All Range Extender
All Powerline adapter
All Mobile Wi-Fi products
All SMB Routers, Switch, Omada EAP, and Pharos CPE
All VIGI products
All GPON products
APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada
Disclaimer
The vulnerability will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.
Is this faq useful?
Your feedback helps improve this site.
What’s your concern with this article?
Dissatisfied with product
Too Complicated
Confusing Title
Does not apply to me
Too Vague
Other
We'd love to get your feedback, please let us know how we can improve this content.
Thank you
We appreciate your feedback. Click here to contact TP-Link technical support.
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again
Basic Cookies
These cookies are necessary for the website to function and cannot be deactivated in your systems.
Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.
The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.