On Friday, December 10, a third-party component of Wowza Streaming Engine was identified on the Common Vulnerabilities and Exposures (CVE) list, leaving systems that run Apache Log4j2 v2.0-2.15 subject to a remote code execution vulnerability. We take all security threats seriously and are writing to provide additional information as well as the recommended step to take.
Summary of threat: As a result of the Log4j vulnerability, systems using Log4j are at risk of being exploited over a network without login credentials. Specifically, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. Attackers with control of log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Over the course of the past 72 hours, multiple iterations of this threat have been identified.
What you need to do:
Customers on Wowza Streaming Engine 4.8.5.05 and below are not impacted by this vulnerability.
For all customers on Wowza Streaming Engine 4.8.8.01 and above, please take the steps outlined in this article to apply a fix.
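To confirm which Log4j2 version an installation actually ships, the following added example (not Wowza's or Apache's code) walks a directory tree and flags any log4j-core jar in the 2.0-2.15 range stated above. It assumes the jars follow the usual log4j-core-<version>.jar file naming; the directory tree built in demo() is constructed for illustration and is not a real Wowza layout.

```python
import re
import tempfile
from pathlib import Path

# Affected range as stated in the advisory: Apache Log4j2 v2.0 through 2.15.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 15)

# Assumption: jars are named log4j-core-<major>.<minor>[.<patch>][-suffix].jar,
# e.g. log4j-core-2.13.3.jar or log4j-core-2.0-beta9.jar.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor) from a log4j-core jar file name, or None."""
    m = JAR_RE.match(jar_name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected(version):
    """True when (major, minor) falls inside the advisory's 2.0-2.15 range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan(root):
    """Return sorted (relative path, version, affected) for each log4j-core jar."""
    findings = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = parse_version(jar.name)
        if version is not None:
            rel = jar.relative_to(root).as_posix()
            findings.append((rel, version, is_affected(version)))
    return sorted(findings)


def demo():
    """Scan a constructed tree holding affected, newer, and unrelated jars."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        for name in ("log4j-core-2.13.3.jar", "log4j-core-2.17.1.jar",
                     "log4j-1.2.17.jar", "log4j-api-2.13.3.jar"):
            (lib / name).touch()
        return scan(tmp)


if __name__ == "__main__":
    for path, (major, minor), affected in demo():
        print(f"{path}: {major}.{minor} -> {'AFFECTED' if affected else 'outside range'}")
```

A file-name check misses copies of Log4j that have been repackaged inside another jar, so treat a clean result as a first pass rather than proof of absence.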