The TP-LINK EAP Controller is TP-LINK's software for remotely managing wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands and uses an outdated, vulnerable version of Apache commons-collections, which may allow an attacker to perform deserialization attacks and take control of the EAP Controller server.
CWE-306: Missing Authentication for Critical Function - CVE-2018-5393
A Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode.
The Omada Controller software v3.0.2 and later is not affected by this issue. Software download is available on the TP-Link support website. If older software must be used, users can help mitigate and reduce risk by updating the vulnerable libraries; however, updating the vulnerable libraries does not necessarily eliminate the vulnerability in all scenarios, as described in VU#576313.
Update Apache commons-collections
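As an added illustration (not TP-LINK's code) of the caveat above, the following Java 9+ snippet shows a JEP 290 deserialization allowlist: classes outside the named set, including any Commons Collections gadget class, are rejected before their readObject logic runs, independent of which library version is on the classpath. The class name, the allowlist contents and the sample objects are assumptions chosen for the demo; for an RMI service the same pattern string can be applied process-wide through the jdk.serialFilter system property.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
// Example only (hypothetical class, not EAP Controller code): an allowlist
// filter refuses every class not named in the pattern, so gadget classes such
// as org.apache.commons.collections.functors.* never reach readObject().
public class SerialFilterDemo {
    // Allowlist: only these classes may be deserialized; "!*" rejects all others.
    // maxdepth/maxrefs bound the object graph to blunt resource-exhaustion payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;java.util.ArrayList;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached; a rejected class descriptor raises
    // InvalidClassException before any field data of that class is read.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one allowed graph and one disallowed graph.
        List<String> allowed = new ArrayList<>(List.of("ap-01", "ap-02"));
        System.out.println("allowed: " + deserialize(serialize(allowed)));
        HashMap<String, String> notAllowed = new HashMap<>();
        notAllowed.put("k", "v");
        try {
            deserialize(serialize(notAllowed));
            System.out.println("BUG: HashMap should have been rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter does not add the missing RMI authentication; it only limits what an unauthenticated caller can make the JVM deserialize.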
Thanks to Liu Zhu, of Huawei Weiran Lab for reporting this vulnerability.
This document was written by Garret Wassermann.