VMX100 lighttpd 1.4.55 vulnerability CVE-2022-22707 CVE-2022-41556 CVE-2022-37797


VMX100 lighttpd 1.4.55 vulnerability CVE-2022-22707 CVE-2022-41556 CVE-2022-37797


We've noticed that even latest 16.16.7 has problematic version of lighttpd. Because of that we're failing compilance. 

How can this be resolved?




Issue is only with Azure vMX100


3 Replies 3
Kind of a big deal
Kind of a big deal

For all my VMX installations, I turned off the local status page.  I do this because if you have it open to the Internet then anyone on the Internet can access it by default, and I feel it exposes too much information.



I've done that long time ago and it still recognizes lighttpd as active

that's response from support
All the CVEs you listed require the use of specific plugins within lighttpd that Meraki does not rely on, nor implement: therefore, (v)MX devices are not vulnerable to this exploit. It is common for vulnerability scanners to simply check the running version of a given application and flag alerts based solely on that information, which is likely why you received this alert, but it can be safely ignored.

Meraki Employee
Meraki Employee


The MX is not running the modules listed in these CVE’s:


CVE-2022-22707 - Impacted module: mod_extforward // Impacted Versions:1.4.46 through 1.4.63

CVE-2022-37797 - Impacted module: mod_wstunnel // Impacted Version: 1.4.65

CVE-2022-41556 - Impacted module: mod_fastcgi  // Impacted Versions: 1.4.56 and newer

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.