Is the Log4j vulnerability affecting Meraki ecosystem?

Solved
its_Tricky83
Here to help

Is the Log4j vulnerability affecting Meraki ecosystem?

With the recent Log4j vulnerability being exposed, I've been asked to confirm if any of our Meraki stack have been affected? I have no proof of Log4j affecting Meraki other than this simple statement from my manager "Other CISCO products have been affected by Log4J so can you please ensure Meraki isn't affected?"

 

Has anyone found any official statement from Meraki? Or can shed any light on the matter?

1 Accepted Solution
OmarSantos
New here

Yes indeed. The Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) confirms that Cisco Meraki is not vulnerable. It is listed under the Products Confirmed Not Vulnerable

View solution in original post

9 Replies 9
Mace
Here to help

Hi,

 

the only information i was able to find is this link:

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

 

 

Br

Inderdeep
Kind of a big deal
Kind of a big deal

@Mace : thanks for sharing the link. Much appreciated !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
SteveBarnett
Conversationalist

Indeed - as a CVSS 10.0 I was surprised to not see Meraki products listed on the Security Advisory.

 

Hopefully confirmation will appear very soon as the entire IT world is currently checking their entire stack for exposure so prompt vendor clarifications are worth their weight in gold!

Mace
Here to help

So as far as i understand this part of the cisco document:

 

"Products Confirmed Not Vulnerable

Cisco is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information becomes available.

Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available."

 

--> Meraki Products should not be affected

 

 

Br,

 

Marco

OmarSantos
New here

Yes indeed. The Cisco Security Advisory (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd) confirms that Cisco Meraki is not vulnerable. It is listed under the Products Confirmed Not Vulnerable

CptnCrnch
Kind of a big deal
Kind of a big deal

Thanks @OmarSantos for confirming!

its_Tricky83
Here to help

Thanks @OmarSantos ,

They snuck Meraki onto that page some time after my OP.

It's good to finally have 100% certainty!

Cheers,

Tricky

 

Marvin42
Comes here often

Hi there, not quite 100% - "Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available."

CptnCrnch
Kind of a big deal
Kind of a big deal

The page mentioned above clearly states now that Meraki is not affected.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.