Mitigation Steps for Apache Log4j2 RCE

Wowza Streaming Engine Versions 4.8.8.01 and Later

Apache Log4j2 security vulnerability (CVE-2021-44228 & CVE-2021-45046)

Logging in Wowza Streaming Engine 4.8.8.01 and later uses a version of Apache Log4j2 with a security vulnerability (CVE-2021-44228) involving JNDI functionality that is not protected against attacker-controlled LDAP and other JNDI-related endpoints.

In addition, the steps taken to mitigate CVE-2021-44228 in Apache Log4j 2.15.0 did not address some non-default configurations. This issue is tracked as CVE-2021-45046.

To mitigate this issue, please review the following adjustments in this article: https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve

Wowza Streaming Engine Versions Prior to 4.8.8.01

CVE-2021-4104 concerns the JMS Appender in log4j-1.2. Wowza has never used the JMS Appender in its default logging configurations, so this issue does not affect Wowza Engine deployments before version 4.8.8.01. Any customer who has enabled the JMS Appender in their own logging configuration should disable it immediately.

Vulnerability Scanner Results

Some customers have reported the following concerns based on their vulnerability scan results.

Scanner picks up log4j version 2.13.3 in the [install-dir]/updates folder

These files are not loaded and are not actively in use. It is safe to remove them to meet your environment's requirements.

Scanner identifies a log4j-api-2.11.2.jar in the Wowza Engine version 4.7.8 \lib-tomcat\ directory

This file is included in the Tomcat package within Wowza Streaming Engine, but it is not used by our software logic in any way. If you require full mitigation by removing all Log4j 2 files in versions 2.0.x - 2.15.x, we suggest you update your Wowza Streaming Engine to a build equal to or later than 4.8.8.01.
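As an added example (not Wowza's code) of how to triage scanner findings like the two above: the script below inventories Log4j 2 jars under an install directory, reads the version from the file name, checks whether each jar still contains the JndiLookup class behind CVE-2021-44228, and marks jars under updates/ and lib-tomcat/ as not loaded, following this article. The install tree, the lib/ location and the jar contents are constructed for the demonstration and are not a real Wowza layout.

```python
import os
import re
import tempfile
import zipfile

# Folders the article describes as holding jars that are present but never loaded.
INERT_DIRS = {"updates", "lib-tomcat"}
JAR_RE = re.compile(r"^log4j-(core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")
# The lookup class behind CVE-2021-44228; it ships in log4j-core, not in log4j-api.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_install_dir(install_dir):
    """Return {relative jar path: finding} for every Log4j 2 jar below install_dir."""
    findings = {}
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            major, minor = int(m.group(2)), int(m.group(3))
            path = os.path.join(root, name)
            with zipfile.ZipFile(path) as jar:
                has_jndi = JNDI_CLASS in jar.namelist()
            rel = os.path.relpath(path, install_dir).replace(os.sep, "/")
            findings[rel] = {
                "version": f"{major}.{minor}.{m.group(4)}",
                "in_affected_range": major == 2 and minor <= 15,  # 2.0.x - 2.15.x per the article
                "has_jndi_lookup": has_jndi,
                "loaded": rel.split("/")[0] not in INERT_DIRS,
            }
    return findings

def build_sample_tree(base):
    # Constructed sample tree, not a real Wowza layout; lib/ stands in for a loaded copy.
    layout = {
        "updates/log4j-core-2.13.3.jar": JNDI_CLASS,
        "lib-tomcat/log4j-api-2.11.2.jar": "META-INF/MANIFEST.MF",
        "lib/log4j-core-2.13.3.jar": JNDI_CLASS,
    }
    for rel, entry in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(entry, b"")

def demo():
    # Build the constructed tree in a temp dir, scan it, and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_install_dir(tmp)
```

Point scan_install_dir at a real install directory to inventory it; demo() runs the same scan over the constructed tree, where only the lib/ copy is both loaded and in the affected range.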

We take the security of our customers and our products as a top priority. If you have any questions on how to implement these mitigation steps, please do not hesitate to reach out to our Technical Support Team, who are standing by to assist with any technical questions you may have.