Security Notice: NVIDIA Response to Log4j Vulnerabilities - December 2021

This notice is a response to the remote code execution vulnerabilities in the Log4j Java library, which is also known as Log4Shell.

The CVE IDs of these vulnerabilities are as follows:

• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105

NVIDIA is aware of these vulnerabilities and is evaluating their potential impact and relevance to its products and services. This page will be updated when any additional information becomes available regarding this issue.

NVIDIA Products not Impacted

The following products have been analyzed by NVIDIA and are not vulnerable or impacted by this issue. NVIDIA is continuing its investigations and will update this list as new information becomes available. NVIDIA’s products or services that are not listed below are undergoing investigation.

• GeForce Experience client software
• GeForceNOW client software
• GPU Display Drivers for Windows and Linux
• L4T Jetson Products
• NVIDIA Broadcast
• NVIDIA Maxine
• SHIELD TV
• All Networking products (except for NetQ, which is one of the remediated NVIDIA products)

Remediated NVIDIA Products

The following sections list the NVIDIA products affected, versions affected, and the updated versions available or mitigations that require customer action.

• CUDA Toolkit Visual Profiler and Nsight Eclipse Edition
• DGX Systems
• NetQ
• vGPU Software License Server

CUDA Toolkit Visual Profiler and Nsight Eclipse Edition

CVE IDs Addressed	Product Name	Affected Versions	Updated Version	Mitigation for Affected Versions
CVE‑2021‑44228
CVE‑2021‑45046
CVE‑2021‑41505	CUDA Toolkit Visual Profiler	Visual Profiler in CUDA Toolkit version 11.5 and prior versions	CUDA Toolkit version 11.6.0

CUDA Toolkit updates 11.5.2 and 11.4.4 will be available in February 2022.

| Log4j is included in CUDA Toolkit. However it is not being used and there is no risk to users who have the Log4j files. Because they are not being used, an update is being prepared to remove the Log4j files[1] from CUDA Toolkit. If concerned, customers can safely delete the files as a mitigation.
CUDA Toolkit Nsight Eclipse Edition | Nsight Eclipse Edition in CUDA Toolkit prior to version 11.0 | Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or later

Updates for version 10.2 will be available in February 2022.

| Update to an Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or later

Alternatively, note that Log4j is included in CUDA Toolkit 10.2 and earlier. However it is not being used and there is no risk to users who have the Log4j files. Because they are not being used, an update is being prepared to remove the Log4j files[2] from CUDA Toolkit 10.2 updates. If concerned, customers can safely delete the files as a mitigation.

[1] For example: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.5\libnvvp\plugins\org.apache.ant_1.9.2.v201404171502\lib\ant-apache-log4j.jar

[2] For example: /usr/local/cuda/libnsight/plugins/org.apache.ant_1.9.2.v201404171502/lib/ant-apache-log4j.jar

DGX Systems

By default, DGX systems are not exposed to this issue. NVIDIA did not include the Log4j Java library in its DGX OS releases, but this library might have been installed by a user as additional software. To check if a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed on your system, run the following command:

$ **apt-cache policy liblog4j2-java**
liblog4j2-java:
  Installed: (none)
  Candidate: 2.10.0-2ubuntu0.1

Fixes to address this issue are available from Canonical in the updated versions listed in the following table.

If a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed, run the following commands to get the updated version:

$ **sudo apt update**    $**sudo apt full-upgrade**

CVE IDs Addressed	Product Name	Affected Product or Component Version	Updated Product or Component Version
CVE‑2021‑44228	DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100	DGX OS 5:
liblog4j2-java 2.14.1 and prior versions	DGX OS 5:
liblog4j2-java 2.16.0-0.20.04.1
DGX OS 4:
liblog4j2-java 2.10.0-2 and prior versions	DGX OS 4:
liblog4j2-java 2.10.0-2ubuntu0.1
CVE‑2021‑45046	DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100	DGX OS 5:
liblog4j2-java 2.14.1 and prior versions	DGX OS 5:
liblog4j2-java 2.17.0-0.20.04.1
DGX OS 4:
Not impacted	DGX OS 4:
Not impacted
CVE‑2021‑45105	DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100	DGX OS 5:
liblog4j2-java 2.14.1 and prior versions	DGX OS 5:
liblog4j2-java 2.17.0-0.20.04.1
DGX OS 4:
liblog4j2-java 2.10.0-2 and prior versions	DGX OS 4:
Remediation expected
January 2022.

For more information about this issue, refer to the Log4Shell page on the Ubuntu wiki.

NetQ

CVE IDs Addressed	Product Name	Affected Version	Updated Version
CVE‑2021‑44228
CVE‑2021‑45046
CVE‑2021‑45105	NetQ	Versions 2.x, 3.x, and 4.0.x	SaaS instances are patched.

Upgrade on-premises telemetry servers to the 4.1.0 release by following NetQ Upgrade Guide.

If you are a SaaS customer, you should also upgrade OPTA servers to 4.1.0.

vGPU Software License Server

CVE IDs Addressed	Product Name	Affected Product or Component Version	Mitigation
CVE‑2021‑44228
CVE‑2021‑45046
CVE‑2021‑45105	vGPU software license server	2021.07 and
2020.05 Update 1	Apply the mitigation described in Log4j Java Vulnerability (CVE-2021-44228 and CVE-2021-45046) for Legacy vGPU Software License Server in the NVIDIA knowledge base.