Statement on Apache Log4j2 Vulnerability
TP-Link is aware of the following vulnerabilities in Apache Log4j2:
- CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
- CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j2 2.15.0 was incomplete in certain non-default configurations.
- CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.
At TP-Link, customer security comes first. TP-Link is investigating and will keep updating this advisory as more information becomes available.
Unaffected TP-Link products:
All Wi-Fi Router
All Mesh Wi-Fi(Deco)
All Range Extender
All Powerline adapter
All Mobile Wi-Fi products
All SMB Routers, Switch, Omada EAP, and Pharos CPE
All VIGI products
APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada
Affected Products/Services:
Omada Controllers
Omada Software Controller and Omada Hardware Controller (OC200, OC300) are affected by vulnerabilities CVE-2021-44228 and CVE-2021-45046, and are not affected by CVE-2021-45105.
We have released official updates below to upgrade the built-in Log4j2 to version 2.16 and will upgrade to version 2.17 in a subsequent update. We recommend you upgrade as soon as possible!
For Windows: Omada_Controller_V5.0.29_Windows
For Linux (tar): Omada_Controller_V4.4.8_Linux_x64.tar
For Linux (deb): Omada_Controller_V4.4.8_Linux_x64.deb
For OC200: OC200(UN)_V1_1.14.2 Build 20211215
For OC300: OC300(UN)_V1_1.7.0 Build 20211215
TP-Link Cloud:
We have updated the Log4j2 version to fix the vulnerabilities in Omada Cloud-Based Controller, Cloud-Access service, and other cloud services impacted by the vulnerability.
Deco4ISP
Versions earlier than 1.5.82 are affected, please upgrade to the version of 1.5.82.
Disclaimer
Apache Log4j2 vulnerabilities will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.