Wowza Community

CVE-2022-42889 Updated information

In regards to CVE-2022-42889, initial investigation shows that Wowza is not impacted, although we’re still reviewing the NIST CVE as they continue their investigation.

Wowza Streaming Engine only uses the escapeHtml4 method from the StringEscapeUtils class, so, as the CVE is currently written, Wowza Streaming Engine is not impacted. We continue to monitor the CVE as it is currently “UNDERGOING REANALYSIS”. We will review further once they post updates on their findings.

To proactively mitigate any concerns, ensure each “live application” has source authentication enabled (it is configured this way by default). We outline the process here: https://www.wowza.com/docs/how-to-enable-username-password-authentication-for-rtmp-and-rtsp-publishing#configure-source-authentication-for-the-server0

Moving forward, Wowza plans to integrate the updated Apache Commons Text component to 1.10 or later in the next Wowza Streaming Engine release in early 2023.

Is that another Apache Java library issue?

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

UPDATE:

(As of November 14, 2022 via the Wowza Streaming Engine Product Owner) After extensive investigation of the CVE as currently written, we have found that CVE-2022-42889 does not impact Wowza Streaming Engine. We are continuing to monitor the CVE as it is currently “UNDERGOING REANALYSIS”. We will review further once they’ve posted updates on their findings.

To proactively mitigate any concerns, ensure each “live application” has source authentication enabled (it is configured this way by default). We outline the process here: https://www.wowza.com/docs/how-to-enable-username-password-authentication-for-rtmp-and-rtsp-publishing#configure-source-authentication-for-the-server0

Moving forward, to mitigate security scans reporting this, Wowza plans to integrate the updated Apache Commons Text component 1.10 in the next Wowza Streaming Engine release in early 2023.