Please Rate this Document

Statement on Apache Log4j2 Vulnerability

Knowledgebase
FAQ
2024-07-23

TP-Link is aware of the following vulnerabilities in Apache Log4j2:

  • CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
  • CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j2 2.15.0 was incomplete in certain non-default configurations.
  • CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.

At TP-Link, customer security comes first. TP-Link is investigating and will keep updating this advisory as more information becomes available.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Affected Products/Services:

Omada Controllers

Omada Software Controller and Omada Hardware Controller (OC200, OC300) are affected by vulnerabilities CVE-2021-44228 and CVE-2021-45046, and are not affected by CVE-2021-45105.

We have released official updates below to upgrade the built-in Log4j2 to version 2.16 and will upgrade to version 2.17 in a subsequent update. We recommend you upgrade as soon as possible!

For Windows: Omada_Controller_V5.0.29_Windows

For Linux (tar): Omada_Controller_V4.4.8_Linux_x64.tar

For Linux (deb): Omada_Controller_V4.4.8_Linux_x64.deb

For OC200: OC200(UN)_V1_1.14.2 Build 20211215

For OC300: OC300(UN)_V1_1.7.0 Build 20211215

TP-Link Cloud:

We have updated the Log4j2 version to fix the vulnerabilities in Omada Cloud-Based Controller, Cloud-Access service, and other cloud services impacted by the vulnerability.

Deco4ISP

Versions earlier than 1.5.82 are affected, please upgrade to the version of 1.5.82.

Disclaimer

Apache Log4j2 vulnerabilities will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.