VMX100 lighttpd 1.4.55 vulnerability CVE-2022-22707 CVE-2022-41556 CVE-2022-37797

Andrew3
Conversationalist


Hello

We've noticed that even the latest 16.16.7 has a problematic version of lighttpd. Because of that we're failing compliance.

How can this be resolved?

CVE-2022-22707

CVE-2022-41556

CVE-2022-37797

The issue is only with the Azure vMX100.

Thanks

PhilipDAth
Kind of a big deal

For all my VMX installations, I turned off the local status page.  I do this because if you have it open to the Internet then anyone on the Internet can access it by default, and I feel it exposes too much information.


https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Me... 

Andrew3
Conversationalist

I've done that a long time ago, and it still recognizes lighttpd as active.

That's the response from support:
All the CVEs you listed require the use of specific plugins within lighttpd that Meraki does not rely on, nor implement: therefore, (v)MX devices are not vulnerable to this exploit. It is common for vulnerability scanners to simply check the running version of a given application and flag alerts based solely on that information, which is likely why you received this alert, but it can be safely ignored.

Chad_Yates
Meraki Employee


The MX is not running the modules listed in these CVEs:


CVE-2022-22707 - Impacted module: mod_extforward // Impacted Versions: 1.4.46 through 1.4.63

CVE-2022-37797 - Impacted module: mod_wstunnel // Impacted Version: 1.4.65

CVE-2022-41556 - Impacted module: mod_fastcgi // Impacted Versions: 1.4.56 and newer
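The point both replies make is that these advisories only matter when a specific module is loaded, while a banner-based scanner sees only "lighttpd/1.4.55". The script below is an added example (it is not Meraki's code and not taken from the thread): it takes the module/version mapping exactly as listed in the reply above (not independently verified here), parses `server.modules` out of a lighttpd.conf, and reports only the CVEs whose module is actually enabled on an affected version. It is meant for a lighttpd instance whose config you can read, for example to produce evidence for a scanner exception. The sample config is constructed, the open-ended upper bound for "and newer" is an assumption, and the comment-stripping assumes `#` never appears inside a quoted config string.

```python
"""Triage lighttpd CVE hits by checking both the running version and the
modules actually enabled in lighttpd.conf (added example, not Meraki's code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    module: str      # module that must be loaded for the CVE to matter
    first: tuple     # first affected version (inclusive)
    last: tuple      # last affected version (inclusive)


# Module/version mapping as listed in the reply above (not independently
# verified here); "and newer" is represented with an assumed open-ended bound.
OPEN_ENDED = (9999, 0, 0)
ADVISORIES = (
    Advisory("CVE-2022-22707", "mod_extforward", (1, 4, 46), (1, 4, 63)),
    Advisory("CVE-2022-37797", "mod_wstunnel",   (1, 4, 65), (1, 4, 65)),
    Advisory("CVE-2022-41556", "mod_fastcgi",    (1, 4, 56), OPEN_ENDED),
)


def parse_version(banner):
    """Extract a (major, minor, patch) tuple from text such as 'lighttpd/1.4.55'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no x.y.z version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def loaded_modules(conf_text):
    """Return the set of modules named in server.modules = (...) / += (...).

    Comments are dropped first so that a module that is merely commented out,
    as in a stock config, does not count. Assumes '#' never appears inside a
    quoted string in the config.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    mods = set()
    for block in re.finditer(r"server\.modules\s*\+?=\s*\(([^)]*)\)", stripped, re.S):
        mods.update(re.findall(r'"(mod_[A-Za-z0-9_]+)"', block.group(1)))
    return mods


def triage(banner, conf_text):
    """For each advisory report (version_in_range, module_loaded, applies)."""
    v = parse_version(banner)
    mods = loaded_modules(conf_text)
    report = {}
    for a in ADVISORIES:
        in_range = a.first <= v <= a.last
        loaded = a.module in mods
        report[a.cve] = (in_range, loaded, in_range and loaded)
    return report


def version_only_hits(banner):
    """What a banner-only check concludes: version range only, modules ignored."""
    return [cve for cve, (in_range, _, _) in triage(banner, "").items() if in_range]


def applicable(banner, conf_text):
    """CVEs that actually apply: version in range AND the module is enabled."""
    return [cve for cve, (_, _, applies) in triage(banner, conf_text).items() if applies]


# Constructed sample config (not from any real device): mod_fastcgi is present
# only as a commented-out line, mod_extforward is added with '+='.
SAMPLE_CONF = """
server.modules = (
    "mod_access",
    "mod_alias",
#   "mod_fastcgi",
    "mod_redirect",
)
server.modules += ( "mod_extforward" )   # trust X-Forwarded-For from a proxy
extforward.forwarder = ( "10.0.0.1" => "trust" )
"""

if __name__ == "__main__":
    banner = "Server: lighttpd/1.4.55"
    print("version-only:", version_only_hits(banner))
    print("module-aware:", applicable(banner, SAMPLE_CONF))
    for cve, (in_range, loaded, applies) in triage(banner, SAMPLE_CONF).items():
        print(f"{cve}: version_in_range={in_range} module_loaded={loaded} applies={applies}")
```

Run against the constructed config, only CVE-2022-22707 survives, because mod_extforward is enabled and 1.4.55 falls inside its range; drop the `+=` line and nothing applies. Keep the output (or the `server.modules` excerpt) with the scanner exception so the "module not loaded" argument is documented rather than just asserted.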
