AXON SECURITY ADVISORY:
Security Advisory Release Date: May 28, 2020 | Vulnerability Identifier: AXON-2001
Axon Interview uses Wowza for streaming services. On May 18, 2020, two security vulnerabilities regarding the Wowza Streaming Engine were disclosed (see Applicable CVEs below). By default, Axon Interview does not use the Wowza Engine Manager Service component impacted by these vulnerabilities. However, Version 3.7 of Axon Interview, the June 2020 release, will include updated Wowza components to mitigate the disclosed vulnerabilities.
The advisory applies to all Axon Interview versions prior to version 3.7.
Wowza has confirmed with Axon that the impact of the disclosed vulnerabilities is limited to the Wowza Engine Manager Service. An Axon Interview installation does not start this service by default, and the service should not be enabled on customer hosts running Axon Interview.
Axon recommends that customers with Axon Interview ensure the Wowza Engine Manager Service is not running on their hosts. Axon Interview does not require the Wowza Engine Manager Service and will not be impacted by this service being disabled.
Axon recommends installing Axon Interview in protected network locations to ensure proper network isolation and segmentation to meet operational and security needs.
Axon Interview version 3.7 (June 2020 Release) and subsequent versions will provide updated Wowza components to mitigate the vulnerabilities.
Customers should keep their Axon Interview instances up to date with new releases as provided by Axon.
Applicable CVEs (Common Vulnerabilities and Exposures) & Other Resources
https://nvd.nist.gov/vuln/detail/CVE-2019-19454
https://nvd.nist.gov/vuln/detail/CVE-2019-19456