Wowza Community

Wowza and CVE-2014-0160

Hi there,

I would like to ensure that our Wowza installation is not affected by the recent CVE-2014-0160 advisory:

https://www.openssl.org/news/secadv_20140407.txt

Could you please let me know if Wowza uses its own SSL library or that of the underlying OS?

Thanks,

Dennis

Dennis,

We have been looking into it. So far there is no impact to Wowza, from what I gather.

Richard

Yes, that is correct, Wowza uses bouncycastle and JSSE, both of which do not use the OpenSSL library.

We have found no evidence openJDK depends on or uses openSSL. It is not a build dependency and there are no alerts for openJDK.

So while the version of openSSL in an EC2 AMI is vulnerable, unless you configure a product which uses openSSL, Java and Wowza Engine are not affected.

This bug affects TLS connections, so ssh is also unaffected.

Richard

We’ve since updated to: “Wowza Streaming Engine 4 Subscription Edition 4.5.0.03 build19252” however still see the following Vulnerability:

CVE-2014-0224 | OpenSSL Out of Order Change Cipher Spec MiTM Vulnerability (port: 443 score: 3547 - Mitigation planned)

Why does this appear as vulnerable and how can we fix this, our Debian is up to date as well.

Is it a correct assumption that Wowza uses Java’s SSL capabilities (provided by JSSE?) and doesn’t rely on the underlying OS’s OpenSSL package in any way?

Thank you very much for the clarification, Richard.

Hi joffrey,

What version of the Java JRE are you using? I know that there were issues with SSL with earlier releases. You can find the one we are using written to your wowzastreamingengine_access.log when Wowza starts up.

Regards,

Paul

Hi Paul,

We’re using 1.8.0_60 on our production machines, and 1.8.0_112 on our test server. However the vulnerability shows up on both machines. So I’m wondering if it’s a JRE issue or somehow in the Wowza application/components.

Edit: Just wondering which JRE is used in release 4.6.0?

Hello joffrey,

You can check which version of OpenSSL are supported and enabled in Wowza Streaming Engine by adding the following property to the container at the end of [install-path]/conf/Server.xml and restart Wowza.

sslLogProtocolInfo

true

Boolean

Once restarted check the following log file [install-path/logs/wowzastreamingengine_access.log

It should look something like this:

SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2

SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2

The affected version of OpenSSL are “OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h

Hope this info clears up any concerns you had.

Regards,

Alex

Hi Alex,

So I get the exact same results as your example:

SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2

SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2

This doesn’t however show which OpenSSL library is used and where this library is loaded from, so it’s not helpful in finding the culprit in the vulnerability chain here.

Our OS & Java version are up-to-date on a test server, but this machine still shows the alert (CVE-2014-0224 - OpenSSL Out of Order Change Cipher Spec MiTM Vulnerability), so this would indicate that Wowza somehow includes an OpenSSL binary?

To see if this issue is related to Wowza you can uninstall Wowza on the test server, and then run the security scan again and see if you get the same report.

If you do, then the issue is not related to Wowza.

Let us know what you find.

Regards,

Alex

How good one Posted on experience I think the performance is good. I suspect it is a problem or somehow Wowza application OpenJDK JRE depends on whether or not it does not use OpenSSL.