Remote file reading vulnerability in FFmpeg 2.x
FFmpeg is a multimedia encoding and decoding framework. Two high-severity vulnerabilities, CVE-2016-1897 and CVE-2016-1898, were recently reported in FFmpeg 2.x.
These vulnerabilities allow a remote attacker to read local files on the server by uploading a crafted HLS slice index file.
Affected versions
- FFmpeg 2.8.x < 2.8.5
- FFmpeg 2.7.x < 2.7.5
- FFmpeg 2.6.x < 2.6.7
- FFmpeg 2.5.x < 2.5.10
How to fix or mitigate
Use the Alibaba Cloud Security web application firewall to intercept attack code that exploits these vulnerabilities.
Upgrade FFmpeg to the latest version:
- Upgrade FFmpeg 2.8.x series to FFmpeg 2.8.5 or a later version.
- Upgrade FFmpeg 2.7.x series to FFmpeg 2.7.5 or a later version.
- Upgrade FFmpeg 2.6.x series to FFmpeg 2.6.7 or a later version.
- Upgrade FFmpeg 2.5.x series to FFmpeg 2.5.10 or a later version.
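To check a host against the version thresholds listed above, the following added example (not part of the original advisory or of FFmpeg) classifies a version string. The function names are hypothetical and the sample banner is constructed. The patch level is compared numerically, so 2.5.10 is correctly treated as newer than 2.5.9.

```shell
#!/bin/sh
# Added example: compare an FFmpeg version with the fixed releases listed above.

# First fixed patch level per 2.x series, as given in the advisory.
fixed_patch() {
    case "$1" in
        2.8) echo 5 ;;
        2.7) echo 5 ;;
        2.6) echo 7 ;;
        2.5) echo 10 ;;
    esac
}

# banner_version TEXT: pull the version token out of `ffmpeg -version` output,
# whose first line reads "ffmpeg version <version> Copyright ...".
banner_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $2 == "version" { print $3 }'
}

# classify_ffmpeg VERSION: print "affected", "fixed" or "unlisted".
# "unlisted" means the advisory names no fixed release for that series
# (or the string is not a numeric release, e.g. a git snapshot).
classify_ffmpeg() {
    v=${1#n}               # upstream release tags look like "n2.8.4"
    v=${v%%[!0-9.]*}       # drop packaging suffixes such as "-1ubuntu1"
    old_ifs=$IFS; IFS=.
    set -- $v              # split on dots into major, minor, patch
    IFS=$old_ifs
    fix=$(fixed_patch "${1:-}.${2:-}")
    if [ -z "$fix" ]; then
        echo unlisted
    elif [ "${3:-0}" -lt "$fix" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample banner, then the locally installed binary if there is one.
sample='ffmpeg version 2.6.5-1build1 Copyright (c) 2000-2015 the FFmpeg developers'
echo "sample: $(classify_ffmpeg "$(banner_version "$sample")")"
if command -v ffmpeg >/dev/null 2>&1; then
    ver=$(banner_version "$(ffmpeg -version 2>/dev/null)")
    echo "installed $ver: $(classify_ffmpeg "$ver")"
fi
```

A result of "unlisted" only means this advisory gives no fixed release for that series; it does not say whether that build is safe.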