Log4J and Bash Injection attempts from Unifi Devices against the Controller

Here to help

Log4J and Bash Injection attempts from Unifi Devices against the Controller

In the last week I have had Log4J and Bash Injection attempts being reported by my Meraki MX100 from my Unifi Devices (AP's and 8 Port Switches) against the Unifi Controller.

Log4J and Bash Injection.png

The notices are coming from several sites (all traffic is private over VPN, No part of the system is exposed publicly to the internet) I suspect these are false alerts by Meraki but how can I determine that 100%? Has anyone else noticed similar events?


The Controller is a windows VM running version which is the latest version that is patched against Log4J


Getting noticed

You need to contact the vender to give you the patch for this variability 

Do you have advance security licenses in your MX ? as IPS can block this variability


Here to help

I have the Advanced Security License


As noted above my equipment is patched against this vulnerability.   


I suspect these to be false detections but am not sure how to confirm that.

Do you open port 80 for the Unifi Devices (AP's and 8 Port Switches) ?

No,  I stated in the original question this is all internal traffic over VPN connections. there is no External Public WAN traffic allowed to the Unifi server

Kind of a big deal

The source devices - are they something you could scan with an anti-malware scanner?


I think you have done as much as you reasonably can, and it is likely to be a false positive.

The source devices are Access Points and Switches under the management of the Controller (Destination Device).  Not something I can scan 😞

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.