Secure vulnerable JMX access configuration for Wowza Server software

This document provides instructions to help you prevent third parties from exploiting your Wowza™ media server software through Java Management Extensions (JMX) access. Follow the instructions below to prevent a third-party from exploiting this vulnerability to negatively affect your streaming applications and more—in the worst case, taking control of your media server.

About JMX

The Java Management Extensions (JMX) interface in Wowza media server software exposes Java application components through a unified object interface. This interface can then be consumed by open source and commercial monitoring tools such as HP OpenView, OpenNMS, JConsole, and VisualVM.

Affected Wowza server software versions

• Wowza Steaming Engine™ 4.0.0 to 4.7.0


• Wowza Media Server™ (all versions)

If you are using the JMX interface for remote monitoring and management

Review the instructions in How to use JConsole with Wowza media server software to verify that your JMX configuration is configured correctly.

If you are NOT using the JMX interface for remote monitoring and management

Do ONE of the following:

• Open the [install-dir]/conf/jmxremote.access file in a text editor and change the access levels for all roles to readonly. For example:

  admin readonly
  monitorRole readonly
  controlRole readonly

• Open the [install-dir]/conf/jmxremote.access file in a text editor and delete the contents from the file (leave blank).


• Delete the [install-dir]/conf/jmxremote.access file from the media server.

Restart your media server software to apply the change. For more information, see How to start and stop Wowza Streaming Engine software.

More information

Wowza Media Server Software Critical Update Webpage