Secure vulnerable HTTP providers
for Wowza Media Server 3 software

This package includes a fix to address two potentially vulnerable HTTP providers in Wowza Media Server™ 3 software. Follow the installation instructions below to install the fix in order to prevent a third-party from exploiting the vulnerabilities to negatively affect your streaming applications and more—in the worst case, taking control of your media server.

Note: Your Wowza Media Server 3 software may have additional security vulnerabilities that won't be addressed by installing this fix for HTTP providers. For details on how to address all potential vulnerabilities in Wowza Media Server software, see our Wowza Server Software Critical Update Webpage.

Affected HTTP providers:

Installation

  1. Extract wms-plugin-securehttpproviders.jar from the compressed (zipped) folder and copy the JAR file to your Wowza Media Server installation lib folder ([install-dir]/lib).

  2. Open [install-dir]/conf/VHost.xml in a text editor, and then edit the BaseClass values for the affected HTTP provider entries for the default streaming host port. The edited values should look like the following: 
    <HTTPProvider>
	<BaseClass>com.wowza.wms.plugin.secureproviders.HTTPProviderCaptionFile2</BaseClass>
	<RequestFilters>*.ttml|*.srt|*.scc|*.vtt</RequestFilters>
	<AuthenticationMethod>none</AuthenticationMethod>
</HTTPProvider>
<HTTPProvider>
	<BaseClass>com.wowza.wms.plugin.secureproviders.HTTPProviderMediaList2</BaseClass>
	<RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
	<AuthenticationMethod>none</AuthenticationMethod>
</HTTPProvider>
    Note: In a default VHost.xml file, the default streaming host port is the first host port settings section. It has the Name property value of Default Streaming and a Port property value of 1935.
  3. Restart the media server to apply the changes.

More information

 © 2006-2017 Wowza Media Systems, LLC. All rights reserved.