On December 09, 2021, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications) was publicly disclosed. It could allow remote, unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”. NIST also published a critical Common Vulnerabilities and Exposures alert: CVE-2021-44228.
At NewTek, a part of Vizrt Group, product security remains our top priority as we address the critical vulnerability in open-source Apache “Log4j” (CVE-2021-44228). Vizrt Product security, together with the Product Development engineering team, is currently investigating our environment for any “indicators of compromise” and our products for traces of the Log4j 2 vulnerability to determine which products are impacted. Following a risk-based approach, this report lists only the impacted products under investigation.
Impacted Products and Remediation
Impacted Product:

| Product | Component | Remediation |
| --- | --- | --- |
| MediaDS(tm) | Wowza Engine version greater than 4.7.8 | If you have manually updated your Wowza Engine to a version that is impacted by the Log4j vulnerability, please visit this link from Wowza's website, as it details Wowza's current workaround for the issue: https://www.wowza.com/docs/known-issues-with-wowza-streaming-engine#log4j2-cve |
Though the recent disclosure of the Log4j vulnerability is a matter of concern for many people, owners of NewTek products can rest assured that there is nothing for them to worry about.
General security advisory
Good security, defense and hygiene measures can help during adverse situations, keeping your business-critical infrastructure safe from compromise. NewTek Product security strongly recommends that you (a) secure network infrastructure and endpoints from unauthorized access, (b) do not expose your assets to the internet without appropriate security controls, and (c) employ a defense-in-depth approach by configuring your control and production environment to align with your organizational IT security operational policy.