CVE-2021-45105 and CVE-2021-44832
First published: 2022-01-02
Attention
The LOCKSS 2.x system up to and including 2.0.51-alpha5, and the custom Solr and OpenWayback containers it includes, are affected by CVE-2021-45105 and CVE-2021-44832.
Description
Following the early December 2021 [1] discovery of well-publicized critical remote code execution vulnerabilities in Apache Log4j 2.x, a ubiquitous Java library for recording information to software logs, additional Log4j 2.x vulnerabilities of moderate severity have been discovered, tracked as CVE-2021-45105 and CVE-2021-44832.
These vulnerabilities affect the LOCKSS system 2.x up to and including 2.0.51-alpha5 (originally released 2021-12-17), and the custom Solr and OpenWayback containers it includes; an upgrade is required to fix them.
Note that the LOCKSS 1.x system is not affected by these vulnerabilities, so no action is required for it at this time.
Remediation
Attention
The recommended remediation is to upgrade LOCKSS 2.0.51-alpha5 and earlier to LOCKSS 2.0.52-alpha5 or later.
To upgrade from LOCKSS 2.0.51-alpha5 to 2.0.52-alpha5:
Log in to the host system as the lockss user and navigate to the lockss-installer directory.
Stop the LOCKSS system with this command:
scripts/stop-lockss
Upgrade the LOCKSS Installer to 2.0.52-alpha5 with this command:
curl -sSfL https://www.lockss.org/downloader | sh -s - --git-tag=version-2.0.52-alpha5
or:
wget -qO- https://www.lockss.org/downloader | sh -s - --git-tag=version-2.0.52-alpha5
Restart the LOCKSS system with this command:
scripts/start-lockss
To upgrade from LOCKSS 2.0-alpha4 (all variants) to LOCKSS 2.0.52-alpha5, see Upgrading From LOCKSS 2.0-alpha4 in the LOCKSS 2.0-alpha5 System Manual.
To upgrade from LOCKSS 2.x version 2.0-alpha3 or earlier (all variants) to LOCKSS 2.0.52-alpha5, you will need to upgrade incrementally; see Upgrading From LOCKSS 2.0-alpha1, Upgrading From LOCKSS 2.0-alpha2, Upgrading From LOCKSS 2.0-alpha3, and Upgrading From LOCKSS 2.0-alpha4.
Important
If you use the LOCKSS 2.x system with an external Solr database or external OpenWayback replay engine, talk to your system administrator about ensuring these external systems, which can also be affected by these vulnerabilities, are up to date.
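As an added illustration, not part of this advisory or of the LOCKSS software, the POSIX shell check below is the kind of inventory an administrator of an external Solr or OpenWayback installation can run to find log4j-core jars that predate the fixes. The fixed version numbers (2.17.1 on the main line, 2.12.4 and 2.3.2 on the Java 7 and Java 6 branches) are taken from the Log4j project's own release notes, and the jar naming convention and demo directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the LOCKSS advisory: decide whether a log4j-core
# version carries the fixes for CVE-2021-45105 and CVE-2021-44832, and scan a
# directory tree (e.g. an external Solr or OpenWayback install) for stale jars.
# Assumed fixed versions (from the Log4j release notes): 2.17.1 on the main
# line, 2.12.4 on the Java 7 branch and 2.3.2 on the Java 6 branch.

# Return 0 if VERSION (a Log4j 2.x version string) is patched for both CVEs.
log4j_core_patched() {
    IFS=. read -r major minor patch rest <<EOF
$1
EOF
    # Keep only the leading digits of each component ("1-rc1" -> "1").
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -eq 2 ] || return 1      # only Log4j 2.x is assessed here
    if   [ "$minor" -eq 3 ];  then [ "$patch" -ge 2 ]   # 2.3.x branch
    elif [ "$minor" -eq 12 ]; then [ "$patch" -ge 4 ]   # 2.12.x branch
    elif [ "$minor" -eq 17 ]; then [ "$patch" -ge 1 ]   # 2.17.x main line
    else [ "$minor" -gt 17 ]                            # 2.18+ patched, rest not
    fi
}

# Print every log4j-core-<version>.jar under DIR whose version is unpatched.
# Returns 0 if none were found, 1 otherwise. Assumes paths without whitespace.
scan_log4j_jars() {
    status=0
    for jar in $(find "$1" -type f -name 'log4j-core-*.jar'); do
        ver=${jar##*/}; ver=${ver#log4j-core-}; ver=${ver%.jar}
        if ! log4j_core_patched "$ver"; then
            echo "UNPATCHED: $jar (log4j-core $ver)"
            status=1
        fi
    done
    return $status
}

# Constructed demo tree (not real LOCKSS or Solr paths): one stale, one fixed.
demo=$(mktemp -d)
mkdir -p "$demo/solr/lib" "$demo/wayback/lib"
: > "$demo/solr/lib/log4j-core-2.11.2.jar"
: > "$demo/wayback/lib/log4j-core-2.17.1.jar"
scan_log4j_jars "$demo" || echo "Log4j remediation required under $demo"
rm -rf "$demo"
```

The scan only sees jars that keep the standard log4j-core-<version>.jar name; a Log4j copy bundled inside a shaded or "fat" application jar is not detected and needs a separate inspection.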