Wowza Community

Spring4Shell Vulnerability

Is Wowza Streaming Engine vulnerable to the new Spring4Shell vulnerability that was released this week?

Just saw the alert on the status page: https://wowza-streaming-engine.statuspage.io/
I’ll follow that for updates.

Thank you for raising this for those who don’t yet subscribe to the alerts.

Update - Updating the affected component for this status alert. We are still investigating.
Mar 31, 20:34 UTC

Investigating - We are aware of the newly reported Spring CVE-2022-22963. At this time we are assessing to determine if this issue impacts the Wowza Streaming Engine customer deployments. Once we know more, we will provide updates.

Please subscribe now in order to receive updates as we progress.

https://wowza-streaming-engine.statuspage.io/

UPDATE:

Identified - Thank you for your patience as we thoroughly assessed this potential threat. We have tested with the recommended method to determine the vulnerability impact on Wowza Streaming Engine and Streaming Cloud.

At this time, we have determined that neither of the CVEs listed below impacts Wowza Streaming Engine or Streaming Cloud. This is great news!

CVE-2022-22963
CVE-2022-22965

However, as a best practice, we will be updating the vulnerable version of Spring Framework (5.2.7). We are assessing the timeline to make this available to you as we know it is likely that future pen-tests will flag this version of Spring Framework, even though Wowza has determined it is not impacting Wowza Streaming Engine.

At this time we are working on a mitigation option to bridge the time until we can include the updated files in our next scheduled release.

Once we have determined the timeline to deliver this update, we will provide the update to you in this incident alert.