
Open Source CVEs


CVE-2023-22628

This vulnerability, if exploited, could potentially allow unauthorized access to files stored on the Red5 Server. Additionally, it can be used for SSRF attacks into the network that the Red5 Server runs within.

Our team has addressed this issue, implemented a fix, and has mitigation steps available if you are unable to upgrade. If you are running Red5 Open Source before version 1.2.29 or Red5 Pro before version 10.6.0 then you will need to upgrade. If you are unable to upgrade, you can mitigate the issue by removing the AMF Gateway plugin and/or disabling public access to the server webapps.

Details on how to disable public access to the server webapps are provided here.

If you are running an older version of Red5 Pro or Red5 and need to mitigate without upgrading, you will want to edit the red5pro/webapps/root/WEB-INF/web.xml and red5pro/webapps/api/WEB-INF/web.xml files, removing the following sections:

	<servlet>
		<servlet-name>gateway</servlet-name>
		<servlet-class>org.red5.server.net.servlet.AMFGatewayServlet</servlet-class>
		<load-on-startup>-1</load-on-startup>
	</servlet>

and

	<servlet-mapping>
		<servlet-name>gateway</servlet-name>
		<url-pattern>/gateway</url-pattern>
	</servlet-mapping>

You will need to restart your server after making the above changes. If you have a custom webapp, you will also want to verify that the above gateway servlets are not present.
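As an added example (not Red5 project code) of verifying the edit described above: the script below parses a web.xml, reports whether the AMF gateway servlet and any mapping that points at it are still registered, and produces a copy with both removed, so every webapp under webapps/ can be checked the same way. The sample web.xml and the com.example.StatusServlet class name are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Servlet class from the advisory; its <servlet> and the <servlet-mapping> entries
# that name it are exactly what the manual web.xml edit above removes.
GATEWAY_CLASS = "org.red5.server.net.servlet.AMFGatewayServlet"

# Constructed sample web.xml; StatusServlet is made up and must survive the cleanup.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>gateway</servlet-name><load-on-startup>-1</load-on-startup>
    <servlet-class>org.red5.server.net.servlet.AMFGatewayServlet</servlet-class></servlet>
  <servlet><servlet-name>status</servlet-name>
    <servlet-class>com.example.StatusServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>gateway</servlet-name>
    <url-pattern>/gateway</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>status</servlet-name>
    <url-pattern>/status</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # web.xml has a default namespace; compare local names

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def _is_gateway(elem, names):
    # True for the gateway <servlet>, or a <servlet-mapping> pointing at one of `names`.
    kind = _local(elem.tag)
    if kind == "servlet":
        return _child_text(elem, "servlet-class") == GATEWAY_CLASS
    return kind == "servlet-mapping" and _child_text(elem, "servlet-name") in names

def find_gateway(xml_text):
    """Return (servlet names, url patterns) that still register the AMF gateway."""
    root = ET.fromstring(xml_text)
    names = {_child_text(s, "servlet-name") for s in root if _is_gateway(s, ())}
    patterns = [_child_text(m, "url-pattern") for m in root
                if _local(m.tag) == "servlet-mapping" and _is_gateway(m, names)]
    return sorted(names), patterns

def strip_gateway(xml_text):
    """Return web.xml text with the gateway servlet and its mappings removed."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace when re-serialising
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    names, _ = find_gateway(xml_text)
    for elem in [e for e in root if _is_gateway(e, names)]:
        root.remove(elem)
    return ET.tostring(root, encoding="unicode")
```

Run find_gateway over the text of each WEB-INF/web.xml after editing and restarting: an empty result for every webapp, including custom ones, means no gateway servlet is still mapped.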