CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.975 High
Percentile: 100.0%

This notice is a response to the remote code execution vulnerabilities in the Log4j Java library, which is also known as Log4Shell.
The CVE IDs of these vulnerabilities are as follows:
NVIDIA is aware of these vulnerabilities and is evaluating their potential impact and relevance to its products and services. This page will be updated when any additional information becomes available regarding this issue.
The following products have been analyzed by NVIDIA and are not vulnerable or impacted by this issue. NVIDIA is continuing its investigations and will update this list as new information becomes available. NVIDIA’s products or services that are not listed below are undergoing investigation.
The following sections list the NVIDIA products affected, versions affected, and the updated versions available or mitigations that require customer action.
CVE IDs Addressed | Product Name | Affected Versions | Updated Version | Mitigation for Affected Versions |
---|---|---|---|---|
CVE‑2021‑44228, CVE‑2021‑45046, CVE‑2021‑41505 | CUDA Toolkit Visual Profiler | Visual Profiler in CUDA Toolkit version 11.5 and prior versions | CUDA Toolkit version 11.6.0. CUDA Toolkit updates 11.5.2 and 11.4.4 will be available in February 2022. | Log4j is included in CUDA Toolkit. However it is not being used and there is no risk to users who have the Log4j files. Because they are not being used, an update is being prepared to remove the Log4j files[1] from CUDA Toolkit. If concerned, customers can safely delete the files as a mitigation. |
CVE‑2021‑44228, CVE‑2021‑45046, CVE‑2021‑41505 | CUDA Toolkit Nsight Eclipse Edition | Nsight Eclipse Edition in CUDA Toolkit prior to version 11.0 | Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or later. Updates for version 10.2 will be available in February 2022. | Update to an Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or later. Alternatively, note that Log4j is included in CUDA Toolkit 10.2 and earlier. However it is not being used and there is no risk to users who have the Log4j files. Because they are not being used, an update is being prepared to remove the Log4j files[2] from CUDA Toolkit 10.2 updates. If concerned, customers can safely delete the files as a mitigation. |

[1] For example: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.5\libnvvp\plugins\org.apache.ant_1.9.2.v201404171502\lib\ant-apache-log4j.jar
[2] For example: /usr/local/cuda/libnsight/plugins/org.apache.ant_1.9.2.v201404171502/lib/ant-apache-log4j.jar
By default, DGX systems are not exposed to this issue. NVIDIA did not include the Log4j Java library in its DGX OS releases, but this library might have been installed by a user as additional software. To check if a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed on your system, run the following command:

    $ apt-cache policy liblog4j2-java
    liblog4j2-java:
      Installed: (none)
      Candidate: 2.10.0-2ubuntu0.1

Fixes to address this issue are available from Canonical in the updated versions listed in the following table.
If a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed, run the following commands to get the updated version:

    $ sudo apt update
    $ sudo apt full-upgrade

CVE IDs Addressed | Product Name | Affected Product or Component Version | Updated Product or Component Version |
---|---|---|---|
CVE‑2021‑44228 | DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 | DGX OS 5: liblog4j2-java 2.14.1 and prior versions | DGX OS 5: liblog4j2-java 2.16.0-0.20.04.1 |
CVE‑2021‑44228 | DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 | DGX OS 4: liblog4j2-java 2.10.0-2 and prior versions | DGX OS 4: liblog4j2-java 2.10.0-2ubuntu0.1 |
CVE‑2021‑45046 | DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 | DGX OS 5: liblog4j2-java 2.14.1 and prior versions | DGX OS 5: liblog4j2-java 2.17.0-0.20.04.1 |
CVE‑2021‑45046 | DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 | DGX OS 4: Not impacted | DGX OS 4: Not impacted |
CVE‑2021‑45105 | DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 | DGX OS 5: liblog4j2-java 2.14.1 and prior versions | DGX OS 5: liblog4j2-java 2.17.0-0.20.04.1 |
CVE‑2021‑45105 | DGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 | DGX OS 4: liblog4j2-java 2.10.0-2 and prior versions | DGX OS 4: Remediation expected January 2022. |

For more information about this issue, refer to the Log4Shell page on the Ubuntu wiki.
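
The check described above can be automated across a fleet. The following is an added example, not NVIDIA's or Canonical's code: it parses `apt-cache policy` output and compares the installed `liblog4j2-java` version against the fixed versions in the DGX table, using a compact reimplementation of Debian version ordering so that `2.10.0-2ubuntu0.1` is correctly recognized as newer than `2.10.0-2`. The function names and the second sample are assumptions made for illustration; on a real host, `dpkg --compare-versions` is the authoritative comparison.

```python
import re

# Fixed liblog4j2-java versions copied from the DGX table on this page.
# None: no fixed version listed. DGX OS 4 / CVE-2021-45046 is "Not impacted".
FIXED = {
    ("DGX OS 5", "CVE-2021-44228"): "2.16.0-0.20.04.1",
    ("DGX OS 5", "CVE-2021-45046"): "2.17.0-0.20.04.1",
    ("DGX OS 5", "CVE-2021-45105"): "2.17.0-0.20.04.1",
    ("DGX OS 4", "CVE-2021-44228"): "2.10.0-2ubuntu0.1",
    ("DGX OS 4", "CVE-2021-45105"): None,
}
# Command output as shown on this page (package not installed).
PAGE_SAMPLE = "liblog4j2-java:\n  Installed: (none)\n  Candidate: 2.10.0-2ubuntu0.1\n"
# Constructed sample: a DGX OS 5 host that stopped at the first fix.
CONSTRUCTED_OS5 = "liblog4j2-java:\n  Installed: 2.16.0-0.20.04.1\n"

def _order(c):
    # Debian rule: '~' sorts first, then end of string (0), letters, other chars.
    return -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)

def _part_key(s):
    """Sort key for one version part: alternating non-digit and digit runs."""
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]

def deb_key(v):
    """Sort key for a Debian version string [epoch:]upstream[-revision]."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _part_key(up), _part_key(rev)

def installed_version(policy_output):
    """Return the Installed: version from apt-cache policy output, or None."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.M)
    return None if not m or m.group(1) == "(none)" else m.group(1)

def assess(policy_output, dgx_os):
    """Map each CVE listed for dgx_os to a status for the installed package."""
    ver = installed_version(policy_output)
    if ver is None:
        return {}  # package absent: nothing to update
    return {cve: "no fix listed" if fixed is None
            else "update needed" if deb_key(ver) < deb_key(fixed) else "fixed"
            for (os_name, cve), fixed in FIXED.items() if os_name == dgx_os}
```
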
CVE IDs Addressed | Product Name | Affected Version | Updated Version |
---|---|---|---|
CVE‑2021‑44228, CVE‑2021‑45046, CVE‑2021‑45105 | NetQ | Versions 2.x, 3.x, and 4.0.x | SaaS instances are patched. Upgrade on-premises telemetry servers to the 4.1.0 release by following NetQ Upgrade Guide. If you are a SaaS customer, you should also upgrade OPTA servers to 4.1.0. |

CVE IDs Addressed | Product Name | Affected Product or Component Version | Mitigation |
---|---|---|---|
CVE‑2021‑44228, CVE‑2021‑45046, CVE‑2021‑45105 | vGPU software license server | 2021.07 and 2020.05 Update 1 | Apply the mitigation described in Log4j Java Vulnerability (CVE-2021-44228 and CVE-2021-45046) for Legacy vGPU Software License Server in the NVIDIA knowledge base. |