Wowza Community

Open SSL 3.0 buffer overflow

Is this a problem in wowza needing an update ?

A buffer overflow vulnerability (CVE-2022-3786) and a buffer overrun vulnerability (CVE-2022-3602) have been identified in OpenSSL versions above 3.x.

I don’t know if this could be related to something happening to my servers.
In the last weeks, we have had WSE stop serving SSL streams while it still works with HTTP streams.
It seems to be a random issue and there is no evidence of any issues in the log files.
Is someone experiencing the same issue?

It's a bug with OpenSSL 3.0. I'm not sure if Wowza uses that; just letting them know. The startup log should show it's binding to port 443.

Yes, servers are binding to port 443 for HTTPS streams.

Just back from PTO all last week - checking for you now and will be back shortly with some info.

  • The issue affects Ubuntu Linux, but only 22.04 and higher (we are not on that version yet)
  • We don’t expose SSH to the world, so exploiting the vulnerability is not possible to someone without access to VPN or jumphosts.

There was an OpenSSL patch released on 11/1 (see more details here if you’re interested).

Does Wowza use OpenSSL for the HTTPS provider? I can't see a libssl native DLL, so maybe it's not an issue. I mean for the SSL provider in Wowza. We use that for WebRTC and HLS.

Hey Everyone,
I would like to contribute a little to this forum.

The OpenSSL library is embedded in a large number of apps and operating systems, including many Linux distributions, as well as in mail servers, VPNs, and other systems. This vulnerability only affects version 3.0.x of OpenSSL, and not the older 1.1.1 branch, so the effects may be limited by that factor. Version 3.0.x has only been out since September 2021, so it is not as widely deployed as some of the older versions. Among the Linux distributions known to be vulnerable are some versions of Ubuntu, Fedora, Kali, OpenMandriva, OpenSUSE, and Red Hat Enterprise Linux.

The challenge now for enterprise security teams is identifying systems that are running vulnerable versions of OpenSSL. One way of doing this for web servers is to check the HTTP header that a server returns, which will often include version information for OpenSSL. Researchers at Censys, which compiles data on attack surfaces across the Internet, found about 7,000 web servers running vulnerable versions of the library as of Oct. 30.
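The two checks the thread keeps coming back to, looking at the OpenSSL version string a host reports (from the `openssl version` command or from an HTTP `Server:` header) and deciding whether it falls in the affected range, can be done with a small triage helper. The following is an added example and not code from Wowza or from anyone in this thread; the sample strings are constructed, and the version range it tests against (3.0.0 through 3.0.6 affected, 3.0.7 fixed) comes from the OpenSSL advisory for CVE-2022-3602 and CVE-2022-3786 rather than from this page.

```python
import re
from typing import Dict, Optional, Tuple

# CVE-2022-3602 / CVE-2022-3786: OpenSSL 3.0.0 through 3.0.6 are affected,
# 3.0.7 (released 2022-11-01) carries the fix. The 1.1.1 branch is not affected.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches both "OpenSSL 3.0.2 15 Mar 2022" (CLI output) and
# "OpenSSL/3.0.2" (as it appears inside an HTTP Server header).
VERSION_RE = re.compile(r"OpenSSL/?\s*(\d+)\.(\d+)\.(\d+)[a-z]*", re.IGNORECASE)

Version = Tuple[int, int, int]


def extract_openssl_version(text: str) -> Optional[Version]:
    """Pull the first OpenSSL version triple out of a banner, header or CLI line."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return (int(match.group(1)), int(match.group(2)), int(match.group(3)))


def is_affected(version: Version) -> bool:
    """True only for the 3.0.0 - 3.0.6 range; 3.0.7+ and all 1.x builds are clear."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(text: str) -> Tuple[str, Optional[Version]]:
    """Return ('affected' | 'not-affected' | 'unknown', parsed version)."""
    version = extract_openssl_version(text)
    if version is None:
        # No OpenSSL string at all: the header may be suppressed or the service
        # may not use OpenSSL. Treat as unknown, not as safe.
        return "unknown", None
    return ("affected" if is_affected(version) else "not-affected"), version


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """Map a host label to its triage status for a batch of collected strings."""
    return {host: classify(text)[0] for host, text in samples.items()}


# Constructed sample inventory: what `openssl version` or a Server header
# might have returned from a handful of hosts. These are not real systems.
SAMPLES = {
    "media-01": "OpenSSL 3.0.2 15 Mar 2022",
    "media-02": "Server: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.5",
    "media-03": "OpenSSL 1.1.1n  15 Mar 2022",
    "media-04": "OpenSSL 3.0.7 1 Nov 2022",
    "media-05": "Server: nginx/1.22.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLES).items():
        print(f"{host}: {status}")
```

A header-based check is only a first pass: many servers hide or hard-code the `Server:` value, and a Java application that terminates TLS itself will show nothing about OpenSSL in its headers even when the OS has a vulnerable libssl installed. Treat "unknown" as a prompt to check the host's package manager (`openssl version` on the box itself) rather than as a clean result, and prioritize the 3.0.0 through 3.0.6 hits for the 3.0.7 update.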