Meraki

molan · ‎Feb 22 2022

In the last week I have had Log4J and Bash Injection attempts being reported by my Meraki MX100 from my Unifi Devices (AP's and 8 Port Switches) against the Unifi Controller.

The notices are coming from several sites (all traffic is private over VPN, No part of the system is exposed publicly to the internet) I suspect these are false alerts by Meraki but how can I determine that 100%? Has anyone else noticed similar events?

The Controller is a windows VM running version 6.5.55.0 which is the latest version that is patched against Log4J

HaniAbuelkhair4 · ‎Feb 22 2022

You need to contact the vender to give you the patch for this variability

Do you have advance security licenses in your MX ? as IPS can block this variability

B

molan · ‎Feb 22 2022

I have the Advanced Security License

As noted above my equipment is patched against this vulnerability.

I suspect these to be false detections but am not sure how to confirm that.

HaniAbuelkhair4 · ‎Feb 22 2022

Do you open port 80 for the Unifi Devices (AP's and 8 Port Switches) ?

molan · ‎Feb 22 2022

No, I stated in the original question this is all internal traffic over VPN connections. there is no External Public WAN traffic allowed to the Unifi server

PhilipDAth · ‎Feb 22 2022

The source devices - are they something you could scan with an anti-malware scanner?

I think you have done as much as you reasonably can, and it is likely to be a false positive.

molan · ‎Feb 22 2022

The source devices are Access Points and Switches under the management of the Controller (Destination Device). Not something I can scan 😞

Meraki

Community

Log4J and Bash Injection attempts from Unifi Devices against the Controller

Log4J and Bash Injection attempts from Unifi Devices against the Controller