PT-2020-1808 · Wowza · Wowza Streaming Engine

Published 2020-01-29 · Updated 2022-05-03 · CVE-2019-7656

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Wowza Streaming Engine versions 4.8.0 and earlier
Wowza Streaming Engine versions 4.7.7 and 4.7.8

Description

A privilege escalation issue allows any unprivileged Linux user to escalate privileges to root. The installer sets overly permissive permissions on the core program files under /usr/local/WowzaStreamingEngine/bin/*. A payload injected into one of those files runs with the same privileges as the Wowza server, which is root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse.

Recommendations

For Wowza Streaming Engine versions 4.8.0 and earlier, update to version 4.8.5 or later to resolve the issue. For Wowza Streaming Engine versions 4.7.7 and 4.7.8, update to version 4.8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the /usr/local/WowzaStreamingEngine/bin/ directory to prevent exploitation.
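
One way to check for the condition described above and apply the temporary workaround, as an added example that is not vendor or advisory code. It assumes "restricting access" means removing group/other write bits and that the files should be owned by root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the bin directory named in the advisory for
# entries that an unprivileged local user could modify or replace.
# Usage: audit_bin_perms [DIR] [EXPECTED_OWNER]

WOWZA_BIN=/usr/local/WowzaStreamingEngine/bin   # path from the advisory

# Print every entry (the directory itself included) that is writable by
# group or others, or not owned by the expected account (assumed: root).
# A writable directory matters as much as a writable file, because it
# lets a script be replaced outright. Symlinks are skipped: their own
# mode bits are not meaningful.
list_risky_entries() {
    dir=${1:-$WOWZA_BIN}
    owner=${2:-root}
    find "$dir" ! -type l \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print
}

# Return 0 when nothing risky is found, 1 otherwise (findings on stderr).
audit_bin_perms() {
    risky=$(list_risky_entries "$@")
    if [ -n "$risky" ]; then
        printf 'writable or wrongly owned:\n%s\n' "$risky" >&2
        return 1
    fi
    return 0
}

# Workaround step (assumption: strip group/other write access).
# Ownership is only reported by the audit, never changed here.
tighten_bin_perms() {
    dir=${1:-$WOWZA_BIN}
    find "$dir" ! -type l -exec chmod go-w {} +
}
```

Run `audit_bin_perms` as root before and after `tighten_bin_perms`; a non-zero exit after tightening means an entry is still owned by a non-root account and needs `chown` by hand.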

Exploit

Fix

Incorrect Default Permissions

Incorrect Permission

Weakness Enumeration

Related Identifiers

BDU:2020-01069
CVE-2019-7656

Affected Products

Wowza Streaming Engine