Meraki

Community

Is the Log4j vulnerability affecting Meraki ecosystem?

Solved
its_Tricky83
Here to help
‎Dec 12 2021 3:39 PM
‎Dec 12 2021 3:39 PM

Is the Log4j vulnerability affecting Meraki ecosystem?

With the recent Log4j vulnerability being exposed, I've been asked to confirm if any of our Meraki stack have been affected? I have no proof of Log4j affecting Meraki other than this simple statement from my manager "Other CISCO products have been affected by Log4J so can you please ensure Meraki isn't affected?"

 

Has anyone found any official statement from Meraki? Or can shed any light on the matter?

Labels:
1 Accepted Solution
OmarSantos
New here
‎Dec 13 2021 8:04 AM
‎Dec 13 2021 8:04 AM

Yes indeed. The Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) confirms that Cisco Meraki is not vulnerable. It is listed under the Products Confirmed Not Vulnerable

View solution in original post

9 Replies 9
Mace
Here to help
‎Dec 13 2021 2:19 AM
‎Dec 13 2021 2:19 AM

Hi,

 

the only information i was able to find is this link:

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

 

 

Br

In response to Mace
Inderdeep
Kind of a big deal
Kind of a big deal
‎Dec 13 2021 9:45 AM
‎Dec 13 2021 9:45 AM

@Mace : thanks for sharing the link. Much appreciated !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
SteveBarnett
Conversationalist
‎Dec 13 2021 2:28 AM
‎Dec 13 2021 2:28 AM

Indeed - as a CVSS 10.0 I was surprised to not see Meraki products listed on the Security Advisory.

 

Hopefully confirmation will appear very soon as the entire IT world is currently checking their entire stack for exposure so prompt vendor clarifications are worth their weight in gold!

Mace
Here to help
‎Dec 13 2021 3:47 AM
‎Dec 13 2021 3:47 AM

So as far as i understand this part of the cisco document:

 

"Products Confirmed Not Vulnerable

Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information becomes available.

Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available."

 

--> Meraki Products should not be affected

 

 

Br,

 

Marco

OmarSantos
New here
‎Dec 13 2021 8:04 AM
‎Dec 13 2021 8:04 AM

Yes indeed. The Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) confirms that Cisco Meraki is not vulnerable. It is listed under the Products Confirmed Not Vulnerable

In response to OmarSantos
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Dec 13 2021 8:24 AM
‎Dec 13 2021 8:24 AM

Thanks @OmarSantos for confirming!

0 Kudos
In response to OmarSantos
its_Tricky83
Here to help
‎Dec 13 2021 4:26 PM
‎Dec 13 2021 4:26 PM

Thanks @OmarSantos ,

They snuck Meraki onto that page some time after my OP.

It's good to finally have 100% certainty!

Cheers,

Tricky

 

0 Kudos
In response to its_Tricky83
Marvin42
Comes here often
‎Dec 14 2021 5:30 AM
‎Dec 14 2021 5:30 AM

Hi there, not quite 100% - "Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available."

0 Kudos
In response to Marvin42
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Dec 14 2021 8:38 AM
‎Dec 14 2021 8:38 AM

The page mentioned above clearly states now that Meraki is not affected.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.