CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104
The LOCKSS 2.x system up to and including version 2.0.42-alpha4, and the custom Solr and OpenWayback containers it includes, are affected by CVE-2021-44228 ("Log4Shell"), CVE-2021-45046 and CVE-2021-4104.
A critical remote code execution vulnerability has been identified in Apache Log4j 2.x, a ubiquitous Java library for recording information to software logs. Tracked as CVE-2021-44228 and also nicknamed "Log4Shell" or "LogJam", this vulnerability led to the discovery of another critical remote code execution vulnerability severe in Log4j 2.x (CVE-2021-45046) and a related vulnerability in Log4j 1.x (CVE-2021-4104).
These vulnerabilities affect the LOCKSS system 2.x up to and including version 2.0-alpha4b, and the custom Solr and OpenWayback containers it includes, requiring an upgrade to fix.
Note that the LOCKSS 1.x system is not affected by these vulnerabilities, requiring no action at this time.
Because additional vulnerabilities in Log4j 2.x have been discovered, the recommended remediation is to upgrade to LOCKSS version 2.0.42-alpha4 and earlier to LOCKSS 2.0.52-alpha5 immediately.
If you cannot upgrade LOCKSS 2.0.42-alpha4 and earlier to LOCKSS 2.0.52-alpha5 in a timely manner, we recommend at least shutting it down by logging in as the
lockss user, navigating to the
lockss-installer directory, and running the command
scripts/stop-lockss, until such time as you are able to perform an upgrade.
To upgrade from LOCKSS 2.0-alpha4 (all variants) to LOCKSS 2.0.52-alpha5, see Upgrading From LOCKSS 2.0-alpha4 in the LOCKSS 2.0-alpha5 System Manual.
To upgrade from LOCKSS 2.0-alpha3 and earlier (all variants), you will need to upgrade incrementally; see Upgrading From LOCKSS 2.0-alpha1, Upgrading From LOCKSS 2.0-alpha2, Upgrading From LOCKSS 2.0-alpha3, and Upgrading From LOCKSS 2.0-alpha4.
If you use the LOCKSS 2.x system with an external Solr database or external OpenWayback replay engine, talk to your system administrator about ensuring these external systems, which can also be affected by these vulnerabilities, are up to date.