Page 1 of 2 (results 1 to 10 of 13)

Thread: Wowza and CVE-2014-0160

  1. #1
    Join Date: Apr 2013 | Posts: 5

    Wowza and CVE-2014-0160

    Hi there,

    I would like to ensure that our Wowza installation is not affected by the recent CVE-2014-0160 advisory:
    https://www.openssl.org/news/secadv_20140407.txt

    Could you please let me know if Wowza uses its own SSL library or that of the underlying OS?

    Thanks,
    Dennis

  2. #2
    Join Date: Dec 2007 | Posts: 21,962

    Dennis,

    We have been looking into it. So far there is no impact to Wowza, from what I gather.

    Richard

  3. #3
    Join Date: Dec 2012 | Posts: 8

    Is it a correct assumption that Wowza uses Java's SSL capabilities (provided by JSSE?) and doesn't rely on the underlying OS's OpenSSL package in any way?

  4. #4
    Join Date: Dec 2007 | Posts: 21,962

    Yes, that is correct. Wowza uses Bouncy Castle and JSSE, neither of which uses the OpenSSL library.

    We have found no evidence that OpenJDK depends on or uses OpenSSL. It is not a build dependency, and there are no alerts for OpenJDK.

    So while the version of OpenSSL in an EC2 AMI is vulnerable, unless you configure a product which uses OpenSSL, Java and Wowza Engine are not affected.

    This bug affects TLS connections, so SSH is also unaffected.

    Richard

  5. #5
    Join Date: Dec 2012 | Posts: 8

    Thank you very much for the clarification, Richard.

  6. #6
    Join Date: May 2010 | Posts: 15

    Hi,

    Our security scan does show that our own server, with 4.5.0.01 build18956 installed on Debian Jessie, has a vulnerable OpenSSL version; however, Debian is up to date.
    Will this be addressed in a future Wowza version (as Java comes bundled with the installation)?

    Or can we manually update to a recent OpenSSL version so that a vulnerability scan doesn't show any risks anymore?
    Last edited by joffrey; 09-29-2016 at 12:53 AM.

  7. #7
    Join Date: May 2010 | Posts: 15

    We've since updated to "Wowza Streaming Engine 4 Subscription Edition 4.5.0.03 build19252"; however, we still see the following vulnerability:
    CVE-2014-0224 | OpenSSL Out of Order Change Cipher Spec MiTM Vulnerability (port: 443 score: 3547 - Mitigation planned)

    Why does this appear as vulnerable, and how can we fix it? Our Debian is up to date as well.
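Richard's statement in #4 and the scanner finding in #7 turn on the same question: which process, and therefore which TLS stack, is actually answering on port 443. An OpenSSL CVE reported against a port that a JVM serves directly (no reverse proxy or stunnel in front) cannot apply to that listener unless the JVM process has libssl/libcrypto mapped; a scanner that matched on the distribution's package version, or on a banner, does not know that. The script below is an added example, not code from the thread or from Wowza: it reads the owning process out of `ss -ltnp` output and greps a `/proc/<pid>/maps` file for OpenSSL shared objects. The `ss` and maps excerpts are constructed to resemble Linux output; the process name `java`, the pid and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not Wowza code: who owns port 443, and does that process map OpenSSL?
#
# Live use on the Wowza host (Linux; root is needed to read other users' maps files):
#   ss -ltnp > /tmp/ss.txt                       # header line, if any, is skipped below
#   pid=$(listener_pid /tmp/ss.txt 443)
#   openssl_mapped "/proc/$pid/maps" && echo "OpenSSL mapped" || echo "no OpenSSL in pid $pid"

# listener_process <ss-output-file> <port>: name of the process holding the listening socket.
# ss prints it as users:(("name",pid=N,fd=M)); we cut the quoted name out of that field.
listener_process() {
    awk -v p="$2" '
        $1 == "LISTEN" && $4 ~ (":" p "$") && match($0, /users:\(\("[^"]*"/) {
            print substr($0, RSTART + 9, RLENGTH - 10); exit
        }' "$1"
}

# listener_pid <ss-output-file> <port>: pid from the same users:(...) field.
listener_pid() {
    awk -v p="$2" '
        $1 == "LISTEN" && $4 ~ (":" p "$") && match($0, /pid=[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit
        }' "$1"
}

# openssl_mapped <maps-file>: succeed (exit 0) if any libssl/libcrypto object is mapped.
# libcrypt-*.so (glibc) and libc-*.so deliberately do not match.
openssl_mapped() {
    grep -Eq '/lib(ssl|crypto)(-[0-9.]+)?\.so' "$1"
}

# Constructed sample data (not real captures). Assumed: Wowza's JVM is pid 2311.
SS_OUT=$(mktemp); JAVA_MAPS=$(mktemp); PROXY_MAPS=$(mktemp)
trap 'rm -f "$SS_OUT" "$JAVA_MAPS" "$PROXY_MAPS"' EXIT
cat >"$SS_OUT" <<'EOF'
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      50     *:1935             *:*     users:(("java",pid=2311,fd=41))
LISTEN  0      50     *:443              *:*     users:(("java",pid=2311,fd=46))
LISTEN  0      128    *:22               *:*     users:(("sshd",pid=801,fd=3))
EOF
# Maps of a JVM that does TLS through JSSE: JDK native libs and glibc only.
cat >"$JAVA_MAPS" <<'EOF'
7f3c5e000000-7f3c5e021000 r-xp 00000000 08:01 655421 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/libnet.so
7f3c5e221000-7f3c5e233000 r-xp 00000000 08:01 655424 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/libnio.so
7f3c5e433000-7f3c5e5c8000 r-xp 00000000 08:01 131127 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
# Maps of a process that really does link the OS OpenSSL (a reverse proxy, for contrast).
cat >"$PROXY_MAPS" <<'EOF'
7f9d00000000-7f9d00034000 r-xp 00000000 08:01 141018 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f9d00234000-7f9d0040f000 r-xp 00000000 08:01 141006 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF

# Demo on the constructed data.
proc=$(listener_process "$SS_OUT" 443)
pid=$(listener_pid "$SS_OUT" 443)
if openssl_mapped "$JAVA_MAPS"; then
    echo "port 443: $proc (pid $pid) maps OpenSSL; OS OpenSSL advisories apply to this listener"
else
    echo "port 443: $proc (pid $pid) maps no OpenSSL; an OpenSSL CVE on this port is not about this process"
fi
```

If the owner of 443 turns out to be something other than the JVM (a proxy, a load balancer health-check shim), the OS OpenSSL package is the thing to patch and the scanner is right; if it is the JVM with no libssl mapped, the finding should be challenged with the scanner vendor as a version-based guess rather than "fixed" by upgrading OpenSSL.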

  8. #8


    Hi joffrey,

    What version of the Java JRE are you using? I know that there were issues with SSL with earlier releases. You can find the one we are using written to your wowzastreamingengine_access.log when Wowza starts up.


    Regards,

    Paul

  9. #9
    Join Date: May 2010 | Posts: 15

    Hi Paul,

    We're using 1.8.0_60 on our production machines and 1.8.0_112 on our test server. However, the vulnerability shows up on both machines, so I'm wondering whether it's a JRE issue or somehow in the Wowza application/components.

    Edit: Just wondering which JRE is used in release 4.6.0?
    Last edited by joffrey; 11-28-2016 at 02:06 AM.

  10. #10
    Join Date: Sep 2016 | Posts: 92

    Quote (originally posted by joffrey):
        Hi Paul,

        We're using 1.8.0_60 on our production machines and 1.8.0_112 on our test server. However, the vulnerability shows up on both machines, so I'm wondering whether it's a JRE issue or somehow in the Wowza application/components.

        Edit: Just wondering which JRE is used in release 4.6.0?

    Hello joffrey,

    You can check which versions of OpenSSL are supported and enabled in Wowza Streaming Engine by adding the following property to the <Properties> container at the end of [install-path]/conf/Server.xml and restarting Wowza.

        <Property>
            <Name>sslLogProtocolInfo</Name>
            <Value>true</Value>
            <Type>Boolean</Type>
        </Property>

    Once restarted, check the following log file: [install-path]/logs/wowzastreamingengine_access.log

    It should look something like this:

        SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
        SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2

    The affected versions of OpenSSL are "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h".

    Hope this info clears up any concerns you had.

    Regards,
    Alex
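What the sslLogProtocolInfo property writes to the access log is the JSSE protocol list of the Wowza JVM, so the useful thing to read off it is whether a protocol a scanner will flag (SSLv3, or the SSLv2-format ClientHello that JSSE calls SSLv2Hello) is still in ProtocolsEnabled; the SSLInfo lines say nothing about the OS OpenSSL package. The script below is an added example, not from the thread, from Alex or from Wowza: it pulls the most recent ProtocolsEnabled line out of an access log and fails when one of a configured set of protocols is still enabled. The two log excerpts are constructed to match the lines Alex shows, with a W3C-style field prefix assumed; the set of flagged protocols is this example's policy, not a Wowza default.

```shell
#!/bin/sh
# Added example, not Wowza code: audit the SSLInfo lines Wowza writes when
# sslLogProtocolInfo is true, and fail if a flagged protocol is still enabled.
#
# Live use:  weak_enabled /usr/local/WowzaStreamingEngine/logs/wowzastreamingengine_access.log
#            (install path assumed; the property must be set and Wowza restarted first)

# Protocols this example treats as findings: SSLv3 (POODLE) and SSLv2Hello (SSLv2-format
# ClientHello accepted). TLSv1 and TLSv1.1 can be appended once policy requires it.
WEAK_PROTOCOLS="SSLv2Hello SSLv3"

# enabled_protocols <log>: comma-separated list from the most recent ProtocolsEnabled line.
enabled_protocols() {
    sed -n 's/.*SSLInfo\.ProtocolsEnabled: *\([A-Za-z0-9.,]*\).*/\1/p' "$1" | tail -n 1
}

# weak_enabled <log>: print the flagged protocols that are enabled; exit 1 if there are any.
weak_enabled() {
    found=""
    for proto in $(enabled_protocols "$1" | tr ',' ' '); do
        for weak in $WEAK_PROTOCOLS; do
            if [ "$proto" = "$weak" ]; then found="$found $proto"; fi
        done
    done
    found=${found# }
    if [ -n "$found" ]; then
        echo "$found"
        return 1
    fi
    return 0
}

# Constructed log excerpts. The SSLInfo text is the thread's; the fields before it
# are an assumed W3C-style prefix and do not matter to the sed pattern above.
LOG_STOCK=$(mktemp); LOG_HARDENED=$(mktemp)
trap 'rm -f "$LOG_STOCK" "$LOG_HARDENED"' EXIT
cat >"$LOG_STOCK" <<'EOF'
2016-11-28 09:00:01 UTC comment server INFO 200 - SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
2016-11-28 09:00:01 UTC comment server INFO 200 - SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
EOF
cat >"$LOG_HARDENED" <<'EOF'
2016-11-28 10:15:42 UTC comment server INFO 200 - SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
2016-11-28 10:15:42 UTC comment server INFO 200 - SSLInfo.ProtocolsEnabled: TLSv1.2
EOF

# Demo: the stock list from the thread is a finding, the hardened one passes.
for log in "$LOG_STOCK" "$LOG_HARDENED"; do
    if weak=$(weak_enabled "$log"); then
        echo "OK: enabled=$(enabled_protocols "$log")"
    else
        echo "FINDING: $weak still enabled (enabled=$(enabled_protocols "$log"))"
    fi
done
```

The JSSE-level knob that removes a protocol from the enabled set in a stock JRE is `jdk.tls.disabledAlgorithms` in the JRE's `java.security` file (listing `SSLv3` there, for example); whether Wowza exposes its own setting for this is not something the thread establishes, so check the release's documentation before editing the bundled JRE.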
