UPDATE: This is the OFFICIAL WOWZA UPDATED THREAD for both Streaming Engine and Streaming Engine Manager. Please read this Post only for newest information.
There is an update for you regarding CVE-2021-44228 and CVE-2021-45046. Both CVEs are related to the 3rd party software Apache log4j version 2.0.x -2.15.x included in the Wowza Streaming Engine installer and updater beginning with version 4.8.8.01.
Note: Prior versions (4.8.5.05 and below) of Wowza Streaming Engine are not related to the CVEs reported above.
To help mitigate this issue we are providing you an updater and instructions in the “Known Issues” page link below:
We take the security of our customers and our products as a top priority. If you have any questions on how to implement these mitigation steps please do not hesitate to reply to this message.
Q: I’ve applied the mitigation fix. How do I know if it works?
A: Wowza has verified after running the updater that there are no current issues when scanning the server. Replacing the files meet the required mitigation action needed according to Apache.
Q: I am running a version prior to 4.8.8.01. Do I need to do anything?
A: Prior versions of Wowza Streaming Engine (before 4.8.8.01) do not run Apache log4j version 2.x.x and are therefore not considered an issue with regard to CVE-2021-44228 or CVE-2021-45046
Q: I see Apache has released log4j version 2.16. Can I update to that version instead?
A: The provided updater we have linked to above includes the latest Apache log4j v2.16 version. We encourage you to use the updater as the files are located in more than one Wowza Streaming Engine directory.
Q: Do I have to update my Wowza Streaming Engine deployment?
A: No. This mitigation does not require you to update to a later version of Wowza Streaming Engine. The action required is to update the Apache log4j core and log4j api files via the provided updater.
Thank you for your patience as we addressed this serious matter and thank you for choosing Wowza!
ANOTHER UPDATE 12/16/21: ZIP COMMAND
For those of you asking about the zip command issue:
We’ve updated the scripts to fall back to the java version if zip isn’t installed, and we’ve also changed it to expect to be run from the [install-dir]/updates/log4juapdater folder if WSE isn’t in the default location or the WMSAPP_HOME env var isn’t set (this is the same as how our normal updaters work so it should be familiar).
You can can see the steps for this here:
And it should look like this:
Extract the .zip file contents of the updater to a subdirectory in the [install-dir ]/updates directory, where [install-dir] is the install directory of Wowza Streaming Engine.
NEW UPDATE: 12/20/21
ATTN : The Streaming Engine updater uses the latest Apache Log4j v2.17 files. Wowza has verified after running the updater that there are no current issues when scanning the server and that it meets the required mitigation action according to Apache.
A new version of Engine is coming soon, but this situation keeps changing so please use the updater for now. I’ll keep you posted on the new Engine release and the latest info from Apache.