In mid-December, a new version of Wowza Streaming Engine 4.8.26+3 (build 20231207183517) became available.

2023-12-22 13:06:00

In this Wowza release, we would like to highlight two points that address the security and efficiency of the media server.

The Eclipse Jetty library, one of the third-party components included in Wowza Streaming Engine, has been updated to address a vulnerability discovered in it. The vendor does not disclose details, but most likely these are CVE-2023-26048 and CVE-2023-26049, about which Oracle writes the following in one of its reports: “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP. Successful attacks of this vulnerability can result in unauthorized read access to a subset of accessible data”. How easily these vulnerabilities can be exploited in the context of Wowza Streaming Engine remains an open question. But at a minimum, the entry point for the Wowza REST API is served by the Jetty library. The update looks highly desirable.

The second interesting point is a fix for an error in how the ETag header is handled for VOD content. An ETag that changes periodically can reduce the effectiveness of content caching on the CDN. Because of the bug, caching servers that track ETag changes may query the Wowza server, which is the content source, more often than they should. This makes the update extremely important when a CDN service is used to distribute VOD content.
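The caching effect described above can be reproduced with a small offline simulation of a CDN edge revalidating one unchanged VOD object with `If-None-Match`. This is an added illustration, not Wowza or CDN vendor code; the rotating-ETag origin, the 60-second rotation period, the 30-second TTL and the segment size are assumptions chosen for the model, since the release notes do not describe the actual defect.

```python
import hashlib

SEGMENT = b"\x00" * 500_000  # constructed stand-in for an unchanged VOD chunk

def stable_etag(body, now):
    # Validator derived only from content: identical bytes -> identical ETag.
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

def rotating_etag(body, now, period=60):
    # Hypothetical faulty origin: the validator also depends on a time bucket,
    # so it changes every `period` seconds although the bytes do not.
    seed = body + str(now // period).encode()
    return '"' + hashlib.sha256(seed).hexdigest()[:16] + '"'

def origin(etag_fn, now, if_none_match=None):
    """Answer a (conditional) GET the way HTTP conditional requests work."""
    etag = etag_fn(SEGMENT, now)
    if if_none_match == etag:
        return 304, etag, b""      # Not Modified: headers only, no body
    return 200, etag, SEGMENT      # validator mismatch: full body again

def simulate_edge(etag_fn, ttl=30, duration=600):
    """One CDN edge revalidating a single object every `ttl` seconds."""
    cached_etag, full, not_modified, origin_bytes = None, 0, 0, 0
    for now in range(0, duration, ttl):
        status, etag, body = origin(etag_fn, now, cached_etag)
        cached_etag = etag
        origin_bytes += len(body)
        if status == 200:
            full += 1
        else:
            not_modified += 1
    return {"full": full, "not_modified": not_modified,
            "origin_bytes": origin_bytes}

if __name__ == "__main__":
    for name, fn in (("stable", stable_etag), ("rotating", rotating_etag)):
        print(name, simulate_edge(fn))
```

On a real deployment the same comparison can be made by recording the ETag of one VOD chunk over time and checking that it changes only when the underlying file does.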

In addition to the above items, the update includes several fixes for the U30 transcoder, support for the RTSPS protocol for re-streaming, and simplified CMAF packetization settings (they are now available in the web interface, not just by editing XML files).