Wowza Community

New Apache Log4j 2 Security Vulnerability CVE-2021-44832 | Dec 28 2021

A new vulnerability has been found in Log4j, which has been fixed in 2.17.1.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

CVE-2021-44832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832

https://logging.apache.org/log4j/2.x/security.html
Versions Affected: All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4

Wowza designed the Log4j updater so users can update manually and don't have to wait for an official release in case they want to patch ASAP. I have no idea when Wowza will release an official patch on this matter.

If you have patched to 2.17.0 already, all you have to do is remove the old *.jar files from the update directory. Download the Apache 2.17.1 fix and upload log4j-api-2.17.1.jar and log4j-core-2.17.1.jar from https://logging.apache.org/log4j/2.x/download.html to the updatelog4j folder you might still have on your Wowza server. Then run the updater again.

If you haven't run the patch yet or need help, just let me/us know in the forum so we can help each other. I have update scripts and can provide them if needed.

@Rose_Power-Wowza_Com can you tell us / update the page when the updater has the new 2.17.1 jar files added to the updater on this page? At this moment (Dec 28 | 01:34 AM) only the 2.17.0 jar files are present.
https://www.wowza.com/docs/update-for-apache-log4j2-security-vulnerability
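As an added example (not part of the post above, not Wowza's updater and not Apache's code), a POSIX shell check to run after swapping the jars and rerunning the updater: it walks an install tree for log4j-core jars, classifies each one against the affected range quoted from the Apache advisory above (2.0-alpha7 through 2.17.0, excluding the fix releases 2.3.2 and 2.12.4), and exits non-zero if a vulnerable jar is still on disk. It assumes the jar filename carries the version (log4j-core-<version>.jar, as the Apache downloads are named); the install path /usr/local/WowzaStreamingEngine is an assumption, so pass your own path as the first argument.

```shell
#!/bin/sh
# Constructed example: find leftover log4j-core jars that fall inside the
# CVE-2021-44832 affected range. Not Wowza's updater, not Apache code.
# Usage: sh log4j_check.sh /usr/local/WowzaStreamingEngine   (path is an assumption)

# ver_key VERSION -> integer that orders Log4j 2 version strings such as
# "2.17.0", "2.0-alpha7", "2.0-beta9", "2.0-rc1". A final release sorts
# after every pre-release of the same number (pre-release rank 999).
ver_key() {
    base=${1%%-*}                         # "2.0" from "2.0-beta7"
    pre=""
    case $1 in *-*) pre=${1#*-} ;; esac   # "beta7"
    case $base in
        *.*.*) major=${base%%.*}; rest=${base#*.}; minor=${rest%%.*}; patch=${rest#*.} ;;
        *.*)   major=${base%%.*}; minor=${base#*.}; patch=0 ;;
        *)     major=$base; minor=0; patch=0 ;;
    esac
    if [ -z "$pre" ]; then
        prerank=999
    else
        stage=$(printf '%s' "$pre" | sed 's/[0-9]*$//')    # "beta"
        num=$(printf '%s' "$pre" | sed 's/^[a-zA-Z]*//')   # "7"
        [ -n "$num" ] || num=0
        case $stage in
            alpha) srank=0 ;; beta) srank=1 ;; rc) srank=2 ;; *) srank=3 ;;
        esac
        prerank=$((srank * 100 + num))
    fi
    echo $((major * 100000000 + minor * 1000000 + patch * 1000 + prerank))
}

# log4j_status VERSION -> "vulnerable", "fixed" or "not-affected".
# Range taken from the Apache advisory: 2.0-alpha7 .. 2.17.0 affected,
# 2.3.2 and 2.12.4 are fix releases, 2.17.1 and later carry the fix.
log4j_status() {
    case $1 in 2.17.1|2.12.4|2.3.2) echo fixed; return 0 ;; esac
    k=$(ver_key "$1")
    lo=$(ver_key 2.0-alpha7)
    hi=$(ver_key 2.17.0)
    if [ "$k" -gt "$hi" ]; then
        echo fixed
    elif [ "$k" -ge "$lo" ]; then
        echo vulnerable
    else
        echo not-affected
    fi
}

# scan_dir DIR -> prints "<status> <version> <path>" for every log4j-core jar
# under DIR (paths without whitespace assumed) and returns 1 if any is vulnerable.
scan_dir() {
    found_vuln=0
    for jar in $(find "$1" -name 'log4j-core-*.jar' 2>/dev/null); do
        v=$(basename "$jar" | sed -n 's/^log4j-core-\(.*\)\.jar$/\1/p')
        st=$(log4j_status "$v")
        printf '%s\t%s\t%s\n' "$st" "$v" "$jar"
        [ "$st" = vulnerable ] && found_vuln=1
    done
    return $found_vuln
}

# Run against the path given on the command line; exit status 1 means a
# vulnerable log4j-core jar is still present somewhere under that tree.
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it against the Wowza install root after the updater has finished; a clean run prints only "fixed" lines for the 2.17.1 jar and exits 0. Note that the check keys off the filename, so a renamed or shaded jar would need the manifest inspected instead.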