CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104

First published: 2021-12-13
Last updated: 2022-01-02

Attention

The LOCKSS 2.x system up to and including version 2.0-alpha4b, and the custom Solr and OpenWayback containers it includes, are affected by CVE-2021-44228 ("Log4Shell"), CVE-2021-45046 and CVE-2021-4104.

Description

A critical remote code execution vulnerability has been identified in Apache Log4j 2.x, a ubiquitous Java library for recording information to software logs. Tracked as CVE-2021-44228 and also nicknamed "Log4Shell" or "LogJam", this vulnerability led to the discovery of another critical remote code execution vulnerability in Log4j 2.x (CVE-2021-45046) and of a related vulnerability in Log4j 1.x (CVE-2021-4104).

These vulnerabilities affect the LOCKSS 2.x system up to and including version 2.0-alpha4b, and the custom Solr and OpenWayback containers it includes, and an upgrade is required to fix them. Note that the LOCKSS 1.x system is not affected by these vulnerabilities, so no action is required for it at this time.

Remediation

Attention

Now that the LOCKSS 2.0-alpha5 system is available and additional vulnerabilities in Log4j 2.x have been discovered, the recommended remediation is to upgrade LOCKSS 2.x version 2.0-alpha4b or earlier to LOCKSS 2.0-alpha5 immediately.

If you cannot upgrade LOCKSS 2.x version 2.0-alpha4b or earlier to LOCKSS 2.0-alpha5 in a timely manner, we recommend at least shutting it down until you are able to perform the upgrade: log in as the lockss user, change to the lockss-installer directory, and run the command scripts/stop-lockss.

Important

If you use the LOCKSS 2.x system with an external Solr database or external OpenWayback replay engine, talk to your system administrator about ensuring these external systems, which can also be affected by these vulnerabilities, are up to date.
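The affected range above (LOCKSS 2.x up to and including 2.0-alpha4b, fixed in 2.0-alpha5) is easy to misjudge by eye because of the letter suffix on alpha4b. The following is an added example, not code from the LOCKSS project, that parses a version string into a comparable key and reports which remediation from this advisory applies; how the version string is obtained from an installation is left to the caller and is not specified by this page.

```python
import re
from typing import NamedTuple

# Boundaries stated in the advisory.
LAST_AFFECTED = "2.0-alpha4b"
FIXED_RELEASE = "2.0-alpha5"

# Accepts "MAJOR.MINOR[.MICRO][-alphaN[letter]]", e.g. "2.0-alpha4b", "2.0-alpha5", "1.75.8".
# The exact 1.x version format is an assumption; only the major number matters for 1.x.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-alpha(\d+)([a-z]?))?$")


class VersionKey(NamedTuple):
    major: int
    minor: int
    micro: int
    final: int   # 1 for a final release, 0 for an -alphaN pre-release (sorts below final)
    alpha: int   # alpha number, 0 for a final release
    suffix: str  # trailing letter such as "b" in "alpha4b", "" when absent


def parse_version(text: str) -> VersionKey:
    """Turn a LOCKSS version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised LOCKSS version string: {text!r}")
    major, minor, micro, alpha, suffix = m.groups()
    is_final = alpha is None
    return VersionKey(int(major), int(minor), int(micro or 0),
                      1 if is_final else 0, 0 if is_final else int(alpha), suffix or "")


def is_affected(version: str) -> bool:
    """True when the advisory applies: LOCKSS 2.x at or below 2.0-alpha4b."""
    key = parse_version(version)
    return key.major == 2 and key <= parse_version(LAST_AFFECTED)


def remediation(version: str) -> str:
    """The action this advisory recommends for the given installed version."""
    if not is_affected(version):
        return "no action required"
    return (f"upgrade to LOCKSS {FIXED_RELEASE}; until then, stop the system "
            "as the lockss user from lockss-installer with scripts/stop-lockss")


if __name__ == "__main__":
    for v in ("2.0-alpha3", "2.0-alpha4", "2.0-alpha4b", "2.0-alpha5", "1.75.8"):
        print(f"{v:12} affected={is_affected(v)!s:5} -> {remediation(v)}")
```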

References