In regards to CVE-2022-42889, initial investigation shows that Wowza is not impacted, although we’re still reviewing the NIST CVE as they continue their investigation.
Wowza Streaming Engine only uses the escapeHtml4 method from the StringEscapeUtils class, so as the CVE is currently written Wowza Streaming Engine is not impacted. We continue to monitor the CVE as it is currently “UNDERGOING REANALYSIS”. We will review further once they post updates on their findings.To proactively mitigate any concerns ensure each “live application” has source authentication enabled ( it is configured this way by default ). We outline the process here: https://www.wowza.com/docs/how-to-enable-username-password-authentication-for-rtmp-and-rtsp-publishing#configure-source-authentication-for-the-server0
Moving forward, Wowza plans to integrate the updated Apache Commons Text component to 1.10 or later in the next Wowza Streaming Engine release in early 2023.