CVE-2021-45105 and CVE-2021-44832

First published: 2022-01-02

Attention

The LOCKSS 2.x system up to and including 2.0.51-alpha5, and the custom Solr and OpenWayback containers it includes, are affected by CVE-2021-45105 and CVE-2021-44832.

Description

Following the early December 2021 [1] discovery of well-publicized critical remote code execution vulnerabilities in Apache Log4j 2.x, a ubiquitous Java library for recording information to software logs, additional Log4j 2.x vulnerabilities of moderate severity have been discovered, tracked as CVE-2021-45105 and CVE-2021-44832.

These vulnerabilities affect the LOCKSS system 2.x up to and including 2.0.51-alpha5 (originally released 2021-12-17), and the custom Solr and OpenWayback containers it includes, requiring an upgrade to fix.

Note that the LOCKSS 1.x system is not affected by these vulnerabilities, requiring no action at this time.

Remediation

Attention

The recommended remediation is to upgrade LOCKSS 2.0.51-alpha5 and earlier to LOCKSS 2.0.52-alpha5 or later.

• To upgrade from LOCKSS 2.0.51-alpha5 to 2.0.52-alpha5:

  1. Log in to the host system as the lockss user and navigate to the lockss-installer directory.

  2. Stop the LOCKSS system with this command:

     scripts/stop-lockss
     

  3. Upgrade the LOCKSS Installer to 2.0.52-alpha5 with this command:

     curl -sSfL https://www.lockss.org/downloader | sh -s - --git-tag=version-2.0.52-alpha5
     

     or:

     wget -qO- https://www.lockss.org/downloader | sh -s - --git-tag=version-2.0.52-alpha5
     

  4. Restart the LOCKSS system with this command:

     scripts/start-lockss
     

• To upgrade from LOCKSS 2.0-alpha4 (all variants) to LOCKSS 2.0.52-alpha5, see Upgrading From LOCKSS 2.0-alpha4 in the LOCKSS 2.0-alpha5 System Manual.

• To upgrade from LOCKSS 2.x version 2.0-alpha3 or earlier (all variants) to LOCKSS 2.0.52-alpha5, you will need to upgrade incrementally; see Upgrading From LOCKSS 2.0-alpha1, Upgrading From LOCKSS 2.0-alpha2, Upgrading From LOCKSS 2.0-alpha3, and Upgrading From LOCKSS 2.0-alpha4.

Important

If you use the LOCKSS 2.x system with an external Solr database or external OpenWayback replay engine, talk to your system administrator about ensuring these external systems, which can also be affected by these vulnerabilities, are up to date.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-45105

• https://nvd.nist.gov/vuln/detail/CVE-2021-44832

• https://logging.apache.org/log4j/2.x/security.html

---

Footnotes

[1]

See CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104.