Wowza Community

Is Wowza affected by Shellshock / Does Wowza read/write ENV variables?

Question says it all. Cannot find anything on Google or on forums regarding this or past versions of Wowza.

I highly doubt it is vulnerable (writing malicious ENV based on URL input) but it’s not impossible. Would love to have official feedback on this. Thank you!

Hi,

Wowza does set some environment variables when running under Linux when starting, so

_EXECJAVA=java

WMSAPP_HOME=/usr/local/WowzaStreamingEngine

WMSCONFIG_HOME=/usr/local/WowzaStreamingEngine

WMSCONFIG_URL=

export WMSAPP_HOME WMSCONFIG_HOME JAVA_OPTS _EXECJAVA

but once running it is not possible by default to write system variables by URL input.

Andrew.

I have tested some scenarios; however, as with all security options, testing yourself/within your own security framework should be done to ensure it meets your set level of acceptance. We would of course be keen to hear your results.

It is important to note that the vulnerability is within shell and has been identified as the area which needs resolving.

Andrew
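
One way to run the kind of self-check suggested above, as an added example that is not part of the original thread or Wowza's own tooling: the POSIX shell function below scans a file in /proc/<pid>/environ format and prints the names of variables whose values begin with "() {", the function-definition shape that bash parsed from its environment at startup. The variable names other than CONSTRUCTED_INPUT are the ones listed in the thread; CONSTRUCTED_INPUT, its value and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a process environment for Shellshock-shaped values.

# scan_environ FILE
#   FILE holds NUL-separated NAME=value entries, as /proc/<pid>/environ does.
#   Prints the name of every variable whose value starts with "() {".
#   Values containing newlines are split by tr; fragments without "=" are skipped.
scan_environ() {
    tr '\000' '\n' < "$1" | while IFS= read -r entry; do
        case $entry in
            *=*) ;;            # well-formed NAME=value entry
            *) continue ;;     # not an assignment, ignore
        esac
        name=${entry%%=*}      # text before the first "="
        value=${entry#*=}      # text after the first "="
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# write_sample FILE
#   Writes a constructed environment: the startup variables quoted in the
#   thread plus one constructed entry with a function-definition prefix.
write_sample() {
    printf '%s\000' \
        '_EXECJAVA=java' \
        'WMSAPP_HOME=/usr/local/WowzaStreamingEngine' \
        'WMSCONFIG_HOME=/usr/local/WowzaStreamingEngine' \
        'WMSCONFIG_URL=' \
        'CONSTRUCTED_INPUT=() { :; }; constructed-trailing-text' \
        > "$1"
}

# Stand-alone use: pass an environ file, e.g. /proc/<pid>/environ of the
# running Java process (reading it requires the same user or root).
if [ -n "${1:-}" ]; then
    scan_environ "$1"
fi
```

An empty result means no variable in that process environment carries a function-definition prefix; it says nothing about child shells started later with a different environment.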

It is not affected.

Hi,

Wowza does set some environment variables when running under Linux when starting, so

_EXECJAVA=java

WMSAPP_HOME=/usr/local/WowzaStreamingEngine

WMSCONFIG_HOME=/usr/local/WowzaStreamingEngine

WMSCONFIG_URL=

export WMSAPP_HOME WMSCONFIG_HOME JAVA_OPTS _EXECJAVA

but once running it is not possible by default to write system variables by URL input.

Andrew.

this answer is rather troubling in my opinion, as it really only addresses half of the issue, but anyone running it on *nix should already know the env vars it sets.

what about tampering with user agents? or through POST requests? the way wowza operates (to my somewhat limited knowledge) would seem to imply a specially crafted POST request could be an issue.

has this been tested at all by the wowza team, or am I better off finding out on my own?