CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104

First published: 2021-12-13
Last updated: 2022-01-02

Attention

The LOCKSS 2.x system up to and including version 2.0.42-alpha4, and the custom Solr and OpenWayback containers it includes, are affected by CVE-2021-44228 ("Log4Shell"), CVE-2021-45046 and CVE-2021-4104.

Description

A critical remote code execution vulnerability has been identified in Apache Log4j 2.x, a ubiquitous Java library for recording information to software logs. Tracked as CVE-2021-44228 and also nicknamed "Log4Shell" or "LogJam", this vulnerability led to the discovery of another critical remote code execution vulnerability in Log4j 2.x (CVE-2021-45046) and of a related vulnerability in Log4j 1.x (CVE-2021-4104).

These vulnerabilities affect the LOCKSS 2.x system up to and including version 2.0-alpha4b, and the custom Solr and OpenWayback containers it includes; an upgrade is required to fix them.

Note that the LOCKSS 1.x system is not affected by these vulnerabilities, so no action is required for it at this time.

Remediation

Attention

Because additional vulnerabilities in Log4j 2.x have been discovered, the recommended remediation is to upgrade LOCKSS version 2.0.42-alpha4 and earlier to LOCKSS 2.0.52-alpha5 immediately.

If you cannot upgrade LOCKSS 2.0.42-alpha4 and earlier to LOCKSS 2.0.52-alpha5 in a timely manner, we recommend at least shutting the system down until you are able to perform the upgrade: log in as the lockss user, navigate to the lockss-installer directory, and run the command scripts/stop-lockss.

Important

If you use the LOCKSS 2.x system with an external Solr database or external OpenWayback replay engine, talk to your system administrator about ensuring these external systems, which can also be affected by these vulnerabilities, are up to date.

References