With the recent Log4j vulnerability being exposed, I've been asked to confirm if any of our Meraki stack have been affected? I have no proof of Log4j affecting Meraki other than this simple statement from my manager "Other CISCO products have been affected by Log4J so can you please ensure Meraki isn't affected?"
Has anyone found any official statement from Meraki? Or can shed any light on the matter?
Solved! Go to solution.
Yes indeed. The Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) confirms that Cisco Meraki is not vulnerable. It is listed under the Products Confirmed Not Vulnerable
Hi,
the only information i was able to find is this link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Br
@Mace : thanks for sharing the link. Much appreciated !
Indeed - as a CVSS 10.0 I was surprised to not see Meraki products listed on the Security Advisory.
Hopefully confirmation will appear very soon as the entire IT world is currently checking their entire stack for exposure so prompt vendor clarifications are worth their weight in gold!
So as far as i understand this part of the cisco document:
"Products Confirmed Not Vulnerable
Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information becomes available.
Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available."
--> Meraki Products should not be affected
Br,
Marco
Yes indeed. The Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) confirms that Cisco Meraki is not vulnerable. It is listed under the Products Confirmed Not Vulnerable
Thanks @OmarSantos ,
They snuck Meraki onto that page some time after my OP.
It's good to finally have 100% certainty!
Cheers,
Tricky
Hi there, not quite 100% - "Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available."
The page mentioned above clearly states now that Meraki is not affected.