CVE-2021-45105 and CVE-2021-44832
First published: 2022-01-02
The LOCKSS 2.x system up to and including 2.0.51-alpha5, and the custom Solr and OpenWayback containers it includes, are affected by CVE-2021-45105 and CVE-2021-44832.
Following the early December 2021 discovery of well-publicized critical remote code execution vulnerabilities in Apache Log4j 2.x, a ubiquitous Java library for recording information to software logs, additional Log4j 2.x vulnerabilities of moderate severity have been discovered, tracked as CVE-2021-45105 and CVE-2021-44832.
These vulnerabilities affect the LOCKSS system 2.x up to and including 2.0.51-alpha5 (originally released 2021-12-17), and the custom Solr and OpenWayback containers it includes, requiring an upgrade to fix.
Note that the LOCKSS 1.x system is not affected by these vulnerabilities and requires no action at this time.
The recommended remediation is to upgrade LOCKSS 2.0.51-alpha5 and earlier to LOCKSS 2.0.52-alpha5 or later.
To upgrade from LOCKSS 2.0.51-alpha5 to 2.0.52-alpha5:
Log in to the host system as the lockssuser and navigate to the
Stop the LOCKSS system with this command:
Upgrade the LOCKSS Installer to 2.0.52-alpha5 with either of these commands:
curl -sSfL https://www.lockss.org/downloader | sh -s - --git-tag=version-2.0.52-alpha5
wget -qO- https://www.lockss.org/downloader | sh -s - --git-tag=version-2.0.52-alpha5
Restart the LOCKSS system with this command:
To upgrade from LOCKSS 2.0-alpha4 (all variants) to LOCKSS 2.0.52-alpha5, see Upgrading From LOCKSS 2.0-alpha4 in the LOCKSS 2.0-alpha5 System Manual.
To upgrade from LOCKSS 2.x version 2.0-alpha3 or earlier (all variants) to LOCKSS 2.0.52-alpha5, you will need to upgrade incrementally; see Upgrading From LOCKSS 2.0-alpha1, Upgrading From LOCKSS 2.0-alpha2, Upgrading From LOCKSS 2.0-alpha3, and Upgrading From LOCKSS 2.0-alpha4.
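As an added illustration (not code from the LOCKSS project), the following POSIX shell function maps a LOCKSS version string onto the upgrade paths this advisory describes, so an administrator with several hosts can check which path each one needs. The version strings follow the forms used in this advisory (2.0-alphaN and 2.0.NN-alpha5); any other form is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Classify a LOCKSS version against the ranges in this advisory. Prints one of:
#   unaffected          - LOCKSS 1.x, not affected by CVE-2021-45105/44832
#   fixed               - 2.0.52-alpha5 or later
#   upgrade-direct      - 2.0.51-alpha5 or earlier alpha5: upgrade directly
#   upgrade-from-alpha4 - 2.0-alpha4 (all variants): see Upgrading From 2.0-alpha4
#   upgrade-incremental - 2.0-alpha3 or earlier: upgrade one alpha at a time
#   unknown             - a form this advisory does not describe
lockss_log4j_status() {
  v="$1"
  case "$v" in
    1.*) echo unaffected; return 0 ;;
    2.*) ;;
    *)   echo unknown; return 0 ;;
  esac
  # Split "2.0.51-alpha5" into base "2.0.51" and pre-release tag "alpha5".
  base="${v%%-*}"
  tag="${v#*-}"
  [ "$tag" = "$v" ] && tag=""
  case "$tag" in
    alpha[0-9]*) alpha="${tag#alpha}" ;;
    *)           echo unknown; return 0 ;;
  esac
  case "$alpha" in *[!0-9]*|'') echo unknown; return 0 ;; esac
  if [ "$alpha" -le 3 ]; then echo upgrade-incremental; return 0; fi
  if [ "$alpha" -eq 4 ]; then echo upgrade-from-alpha4; return 0; fi
  # alpha5 and later carry a build number as the third component (51 in 2.0.51).
  build="$(printf '%s\n' "$base" | cut -d. -f3)"
  [ -z "$build" ] && build=0
  case "$build" in *[!0-9]*) echo unknown; return 0 ;; esac
  if [ "$alpha" -gt 5 ] || [ "$build" -ge 52 ]; then echo fixed; return 0; fi
  echo upgrade-direct
}
```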
If you use the LOCKSS 2.x system with an external Solr database or external OpenWayback replay engine, talk to your system administrator about ensuring these external systems, which can also be affected by these vulnerabilities, are up to date.