NVIDIA Releases Security Advisory Regarding Log4Shell Affected Products

December 23, 2021

NVIDIA has released a security advisory addressing multiple products vulnerable to the recently reported Log4Shell vulnerability.

The affected products are multiple enterprise environment tools and components. No consumer-grade applications are known to be affected at this point.

Affected Products

  • CUDA Toolkit Nsight Eclipse Edition – Prior to version ‘11.0’.
  • DGX Systems – Only vulnerable if a user has installed Log4j individually.
  • NETQ – Versions ‘2.x’, ‘3.x’ and ‘4.0.x’.
  • VGPU Software License Server – Versions ‘2021.07’ and ‘2020.05 Update 1’.

Mitigation

To mitigate the risk of system compromise, CYREBRO recommends following the mitigation steps for relevant products as presented below:

  • CUDA Toolkit Nsight Eclipse Edition:
    • Update to an Nsight Eclipse Plugins Edition in CUDA Toolkit version ‘11.0’ or later.
  • DGX Systems:
    • If Log4j is installed on the system, check the version by running ‘$ apt-cache policy liblog4j2-java’.
      The correct version should be:

      • For DGX OS 5: ‘liblog4j2-java 2.17.0-0.20.04.1’
      • For DGX OS 4: ‘liblog4j2-java 2.10.0-2ubuntu0.1’
    • If the Log4j version is not up to date, run:
      • ‘$ sudo apt update’
      • ‘$ sudo apt full-upgrade’
    • If the Log4j version is up to date, or Log4j is not installed, there is no threat.
  • NETQ:
    • Upgrade on-premises telemetry servers to the 4.1.0 release, following the upgrade guide.
    • SaaS customers should upgrade OPTA servers to 4.1.0.
  • VGPU Software License Server:

Source: NVIDIA Security Advisory.
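
The DGX Systems check from the mitigation steps above, as an added shell example (not part of the NVIDIA advisory). The function names and status strings are hypothetical, and treating any version at or above the listed one as fixed is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify `apt-cache policy liblog4j2-java` output against the
# fixed versions listed in the advisory. Names below are hypothetical.

# Fixed package version for a DGX OS major release (values from the advisory).
fixed_version_for() {
    case "$1" in
        5) echo "2.17.0-0.20.04.1" ;;
        4) echo "2.10.0-2ubuntu0.1" ;;
        *) return 1 ;;
    esac
}

# True if version $1 >= version $2. Uses dpkg's Debian version ordering when
# available; the sort -V fallback is an approximation for non-Debian hosts.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# check_log4j <dgx_os_major> <apt-cache policy output>
# Prints one of: not-installed | patched | needs-upgrade | unknown-os
check_log4j() {
    fixed=$(fixed_version_for "$1") || { echo "unknown-os"; return 0; }
    installed=$(printf '%s\n' "$2" | awk '$1 == "Installed:" { print $2; exit }')
    case "$installed" in
        "" | "(none)") echo "not-installed" ;;
        *) if version_ge "$installed" "$fixed"; then echo "patched"
           else echo "needs-upgrade"; fi ;;
    esac
}

# Constructed sample output (not captured from a real system).
SAMPLE_OLD='liblog4j2-java:
  Installed: 2.10.0-2
  Candidate: 2.10.0-2ubuntu0.1'

# On a DGX host, pass the real output and the OS major version instead:
#   check_log4j 5 "$(apt-cache policy liblog4j2-java)"
check_log4j 4 "$SAMPLE_OLD"
```

A result of needs-upgrade corresponds to the step that runs the two apt commands; the other results correspond to the case where no action is listed.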
