Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VMX100 lighttpd 1.4.55 vulnerability CVE-2022-22707 CVE-2022-41556 CVE-2022-37797

Andrew3
Conversationalist
‎Nov 22 2022 12:33 AM
‎Nov 22 2022 12:33 AM

VMX100 lighttpd 1.4.55 vulnerability CVE-2022-22707 CVE-2022-41556 CVE-2022-37797

Hello

We've noticed that even latest 16.16.7 has problematic version of lighttpd. Because of that we're failing compilance. 

How can this be resolved?

CVE-2022-22707

CVE-2022-41556

CVE-2022-37797

Issue is only with Azure vMX100

Thanks

0 Kudos
Subscribe
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 22 2022 12:22 PM
‎Nov 22 2022 12:22 PM

For all my VMX installations, I turned off the local status page.  I do this because if you have it open to the Internet then anyone on the Internet can access it by default, and I feel it exposes too much information.

 

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Me... 

0 Kudos
Subscribe
In response to PhilipDAth
Andrew3
Conversationalist
‎Nov 23 2022 12:10 AM
‎Nov 23 2022 12:10 AM

I've done that long time ago and it still recognizes lighttpd as active

that's response from support
All the CVEs you listed require the use of specific plugins within lighttpd that Meraki does not rely on, nor implement: therefore, (v)MX devices are not vulnerable to this exploit. It is common for vulnerability scanners to simply check the running version of a given application and flag alerts based solely on that information, which is likely why you received this alert, but it can be safely ignored.

0 Kudos
Subscribe
Chad_Yates
Meraki Employee
Meraki Employee
‎Jan 10 2023 11:08 AM
‎Jan 10 2023 11:08 AM

 

The MX is not running the modules listed in these CVE’s:

 

CVE-2022-22707 - Impacted module: mod_extforward // Impacted Versions:1.4.46 through 1.4.63

CVE-2022-37797 - Impacted module: mod_wstunnel // Impacted Version: 1.4.65

CVE-2022-41556 - Impacted module: mod_fastcgi  // Impacted Versions: 1.4.56 and newer

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.