Dear Wowza Team,
Recently, we have been checking the security levels of all the applications that we use, and we found some security issues in the HTTP daemon of the Wowza system.
When we scanned the HTTP daemon of the Wowza server with the OpenVAS Greenbone security tool, we got the messages below.
Version of Wowza Streaming Engine: Engine Version 4.1.0 (build 12602)
- 80/tcp : HTTP negative Content-Length buffer overflow
Severity : High (10.0)
Summary : We could crash the web server by sending an invalid POST HTTP request with a negative Content-Length field.
A cracker may exploit this flaw to disable your service or even execute arbitrary code on your system.
Vulnerability Detection Result : Vulnerability was detected according to the Vulnerability Detection Method.
Vulnerability Detection Method :
Details: HTTP negative Content-Length buffer overflow (OID: 1.3.6.1.4.1.25623.1.0.11183)
Version used: $Revision: 17 $
- 8086/tcp : Format string on URI
Severity : High (10.0)
Summary : The remote web server seems to be vulnerable to a format string attack on the URI. An attacker might use this flaw to make it crash or even execute arbitrary code on this host.
Vulnerability Detection Result : Vulnerability was detected according to the Vulnerability Detection Method.
Vulnerability Detection Method :
Details: Format string on URI (OID: 1.3.6.1.4.1.25623.1.0.15640)
Version used: $Revision: 998 $
My questions are:
1. Have you already recognized this issue and fixed it?
1.1 If so, which Wowza version includes the fix?
2. If not, do you have any plan to fix this issue?
Please advise.
CDNetworks Operation Team