Security Notice: NVIDIA Response to Log4j Vulnerabilities - December 2021

Updated 01/04/2022 03:21 PM

This notice is a response to the remote code execution vulnerabilities in the Log4j Java library, which is also known as Log4Shell.


The CVE IDs of these vulnerabilities are as follows:

 

NVIDIA is aware of these vulnerabilities and is evaluating their potential impact and relevance to its products and services. This page will be updated when any additional information becomes available regarding this issue. Please actively monitor this page for information about affected products and available mitigations or updates.

NVIDIA Products not Impacted

The following products have been analyzed by NVIDIA and are not vulnerable or impacted by this issue. NVIDIA is continuing its investigations and will update this list as new information becomes available. NVIDIA’s products or services that are not listed below are undergoing investigation.

  • GeForce Experience client software
  • GeForceNOW client software
  • GPU Display Drivers for Windows and Linux
  • L4T Jetson Products
  • NVIDIA Broadcast
  • NVIDIA Maxine
  • SHIELD TV
  • All Networking products (except for NetQ, which is one of the remediated NVIDIA products)

Remediated NVIDIA Products

The following sections list the NVIDIA products affected, versions affected, and the updated versions available or mitigations that require customer action.

CUDA Toolkit Visual Profiler and Nsight Eclipse Edition

CVE IDs Addressed Product Name Affected Versions Updated Version Notes and Mitigation
CVE‑2021‑44228
CVE‑2021‑45046
CUDA Toolkit Visual Profiler Visual Profiler in CUDA Toolkit version 11.5 and prior versions Updated CUDA Toolkit version available mid-January 2022 Log4j is included in CUDA Toolkit. However it is not being used and there is no risk to users who have the Log4j files. Because they are not being used, an update is being prepared to remove the Log4j files[1] from CUDA Toolkit. If concerned, customers can safely delete the files as a mitigation.
CUDA Toolkit Nsight Eclipse Edition Nsight Eclipse Edition in CUDA Toolkit prior to version 11.0 Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or later Update to an Nsight Eclipse Plugins Edition  in CUDA Toolkit version 11.0 or later
[1] For example: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.5\libnvvp\plugins\org.apache.ant_1.9.2.v201404171502\lib\ant-apache-log4j.jar

DGX Systems

By default, DGX systems are not exposed to this issue. NVIDIA did not include the Log4j Java library in its DGX OS releases, but this library might have been installed by a user as additional software. To check if a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed on your system, run the following command:

$ apt-cache policy liblog4j2-java
liblog4j2-java:
  Installed: (none)
  Candidate: 2.10.0-2ubuntu0.1

Fixes to address this issue are available from Canonical in the updated versions listed in the following table.

If a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed, run the following commands to get the updated version:

$ sudo apt update
$ sudo apt full-upgrade
CVE IDs Addressed Product Name Affected Product or Component Version Updated Product or Component Version
CVE‑2021‑44228 DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 DGX OS 5: 
liblog4j2-java 2.14.1 and prior versions
DGX OS 5:
liblog4j2-java 2.16.0-0.20.04.1
DGX OS 4:
liblog4j2-java 2.10.0-2 and prior versions
DGX OS 4:
liblog4j2-java 2.10.0-2ubuntu0.1
CVE‑2021‑45046 DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 DGX OS 5: 
liblog4j2-java 2.14.1 and prior versions
DGX OS 5:
liblog4j2-java 2.17.0-0.20.04.1
DGX OS 4:
Not impacted
DGX OS 4:
Not impacted
CVE‑2021‑45105 DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 DGX OS 5: 
liblog4j2-java 2.14.1 and prior versions
DGX OS 5:
liblog4j2-java 2.17.0-0.20.04.1
DGX OS 4:
liblog4j2-java 2.10.0-2 and prior versions
DGX OS 4:
Remediation expected
January 2022.

For more information about this issue, refer to the Log4Shell page on the Ubuntu wiki.

NetQ

CVE IDs Addressed Product Name Affected Version Updated Version
CVE‑2021‑44228
CVE‑2021‑45046
CVE‑2021‑45105
NetQ Versions 2.x, 3.x, and 4.0.x SaaS instances are patched.

Upgrade on-premises telemetry servers to the 4.1.0 release by following NetQ Upgrade Guide

If you are a SaaS customer, you should also upgrade OPTA servers to 4.1.0.

vGPU Software License Server

CVE IDs Addressed Product Name Affected Product or Component Version Mitigation
CVE‑2021‑44228
CVE‑2021‑45046
CVE‑2021‑45105
vGPU software license server 2021.07 and
2020.05 Update 1
Apply the mitigation described in Log4j Java Vulnerability (CVE-2021-44228 and CVE-2021-45046) for Legacy vGPU Software License Server in the NVIDIA knowledge base.

Get the Most Up to Date Product Security Information

To learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT), see the current list of NVIDIA security bulletins, or subscribe to security bulletin notifications, go to NVIDIA Product Security.

Revision History

Revision Date Description
8.0 January 4, 2022 Added NVIDIA Maxine and Broadcast products to the list of products that are not impacted. Added information about CVE‑2021‑45105 for vGPU software license server
7.0 December 22, 2021 Added GPU display driver for Linux and networking products to the list of products that are not impacted.
6.0 December 21, 2021 Added GPU Display Driver for Windows to the list of products that are not impacted. Added information about CVE‑2021‑45105 for DGX OS.
5.0 December 20, 2021 Added a section for unaffected product list and included CVE‑2021‑45105 in this response. Added remediation update information about CVE-2021-45105 for NETQ. 
4.0 December 17, 2021 Added update information for CUDA Toolkit and included CVE‑2021‑45046 in this response.
3.0 December 16, 2021 Added update information for NetQ.
2.0 December 15, 2021 Added update information for DGX OS Software and mitigation information for the vGPU software license server.
1.0 December 13, 2021 Initial release.

Support

If you have any questions about this security notice, contact NVIDIA Support.

Disclaimer

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

Is this answer helpful?

Live Chat

Chat online with one of our support agents

CHAT NOW

ASK US A QUESTION

Contact Support for assistance

Ask a Question