Statement on Apache Log4j2 Vulnerability

Security Advisory
Updated 12-28-2021 09:48:28 AM 153577

TP-Link is aware of the following vulnerabilities in Apache Log4j2:

  • CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
  • CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j2 2.15.0 was incomplete in certain non-default configurations.
  • CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.

At TP-Link, customer security comes first. TP-Link is investigating and will keep updating this advisory as more information becomes available.

Unaffected TP-Link products:

All Wi-Fi Router

All Mesh Wi-Fi(Deco)

All Range Extender

All Powerline adapter

All Mobile Wi-Fi products

All SMB Routers, Switch, Omada EAP, and Pharos CPE

All VIGI products

APP: Tether, Deco, Tapo, Kasa, tpMiFi, Omada

Affected Products/Services:

Omada Controllers

Omada Software Controller and Omada Hardware Controller (OC200, OC300) are affected by vulnerabilities CVE-2021-44228 and CVE-2021-45046, and are not affected by CVE-2021-45105.

We have released official updates below to upgrade the built-in Log4j2 to version 2.16 and will upgrade to version 2.17 in a subsequent update. We recommend you upgrade as soon as possible!

For Windows: Omada_Controller_V5.0.29_Windows  

For Linux (tar): Omada_Controller_V4.4.8_Linux_x64.tar  

For Linux (deb): Omada_Controller_V4.4.8_Linux_x64.deb  

For OC200: OC200(UN)_V1_1.14.2 Build 20211215 

For OC300: OC300(UN)_V1_1.7.0 Build 20211215  

TP-Link Cloud:

We have updated the Log4j2 version to fix the vulnerabilities in Omada Cloud-Based Controller, Cloud-Access service, and other cloud services impacted by the vulnerability.

Deco4ISP

Versions earlier than 1.5.82 are affected, please upgrade to the version of 1.5.82.

Disclaimer

Apache Log4j2 vulnerabilities will remain if you do not take all recommended actions. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommendations in this statement.

Is this faq useful?

Your feedback helps improve this site.