CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832
Update your Wowza Streaming Engine instance to fix security vulnerabilities with Apache Log4j2 versions earlier than 2.17.1 (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). The updater uses the latest Apache Log4j version 2.17.1 files. Wowza has verified after running the updater that there are no current issues when scanning the server and that it meets the required mitigation action according to Apache.
Note: The updater applies the fix to Wowza Streaming Engine versions with Log4j2 (4.8.8.01 and later). It does not update earlier versions of Wowza Streaming Engine to Log4j2. Earlier versions of Wowza Streaming Engine do not use Apache Log4j2 and are not affected by CVE-2021-44228.
Update on Linux and macOS
- Stop Wowza Streaming Engine services. See Start and stop Wowza Streaming Engine for more information.
- Download the updater: Log4j2 Updater
- Extract the .zip file contents of the updater and move the updatelog4j folder to within the [install-dir]/updates directory, where [install-dir] is the directory where your Wowza Streaming Engine instance is installed.
- Open a Terminal window and execute the following command to change the active directory to the location of updatelog4j.sh. For example:
cd [install-dir]/updates/updatelog4j
Note: Instead of typing out the file path, you can drag and drop the folder from Finder into the Terminal window to automatically enter the folder location.
- Change to root or use the sudo command if you have sudo privileges to execute the following command:
sudo ./updatelog4j.sh
Follow the prompts on the command line. You'll see something similar to the following:
updating /Library/WowzaStreamingEngine/lib deleteing /Library/WowzaStreamingEngine/lib/log4j-api-2.13.3.jar copying ./log4j-api-2.17.1.jar to /Library/WowzaStreamingEngine/lib/ deleteing /Library/WowzaStreamingEngine/lib/log4j-core-2.13.3.jar copying ./log4j-core-2.17.1.jar to /Library/WowzaStreamingEngine/lib/ updating /Library/WowzaStreamingEngine/manager/lib/WMSManager.war deleting: WEB-INF/lib/log4j-api-2.13.3.jar adding: WEB-INF/lib/log4j-api-2.17.1.jar (deflated 10%) deleting: WEB-INF/lib/log4j-core-2.13.3.jar adding: WEB-INF/lib/log4j-core-2.17.1.jar (deflated 11%) Update Complete. Please restart services
- Start Wowza Streaming Engine services.
Update on Windows
- Stop Wowza Streaming Engine services. See Start and stop Wowza Streaming Engine for more information.
- Download the updater: Log4j2 Updater
- Extract the .zip file contents of the updater and copy them to your preferred location (for example, your [install-dir ]/updates directory, where [install-dir] is the install directory of Wowza Streaming Engine).
- Open an elevated command prompt:
- Click Start, and then in the Search programs and files box type Command Prompt.
- In the search results, right click on the Command Line program, and then click Run as administrator.
- Execute the following command to change the active directory to the location of updatelog4j.bat. For example:
cd [install-dir]/updates/updatelog4j
Note: Instead of typing out the file path, you can copy the directory from the Finder window and right-click in the Command Prompt window to paste the selection.
- Execute the following command to apply the update:
updatelog4j.bat
Follow the prompts on the command line. You'll see something similar to the following:
Verifying running as administrative user found [C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.8.1+9\lib\log4j-api-2.15.0.jar, C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.8.14+9\lib\log4j-core-2.15.0.jar] updating [log4j-api-2.17.1.jar, log4j-core-2.17.1.jar] found [/WEB-INF/lib/log4j-core-2.15.0.jar, /WEB-INF/lib/log4j-api-2.15.0.jar] updating [log4j-api-2.17.1.jar, log4j-core-2.17.1.jar]
- Start Wowza Streaming Engine services.
