NVIDIA has issued a security advisory listing products affected by the Log4Shell vulnerability, which is being actively exploited by hackers around the world. The review found that a number of popular NVIDIA user solutions are not vulnerable:
- GeForce Experience
- GPU drivers for Windows
- GeForceNOW
- SHIELD TV
- L4T Jetson
However, vulnerabilities requiring updates were found in NVIDIA enterprise applications that use the Apache Log4j library:
NetQ versions 2.x, 3.x, and 4.0.x are vulnerable to CVE-2021-33228, CVE-2021-45046, and CVE-2021-45105. It is recommended to upgrade to NetQ 4.1.0 or higher.
vGPU Software License Server versions 2021.07 and 2020.05 are vulnerable to CVE-2021-33228 and CVE-2021-45046. NVIDIA advises using the risk mitigation guide.
Nsight Eclipse Edition prior to version 11.0 is vulnerable to CVE-2021-33228 and CVE-2021-45046. The issue has been fixed in version 11.0.
In addition, the CUDA Toolkit Visual Profiler contains Log4j files, but the application does not use them. In January 2022, NVIDIA will release an update that will remove these files. Until then, users can safely remove them themselves if necessary.
The Log4j library is not included by default in DGX Systems, but some users may have installed it themselves. In this case, it is recommended to update Log4j to the latest version or remove it completely. NVIDIA’s investigation is ongoing, and the company is reviewing other products and services.
For comparison, NVIDIA’s competitor, AMD, has stated that the Log4Shell attack did not affect their devices. However, since thousands of other solutions are vulnerable, it is important for businesses to check and update even internal applications, as Log4Shell is often used by attackers to spread ransomware across corporate networks.
Separately, NVIDIA announced the release of a security update for GeForce Experience that addresses the CVE-2021-23175 vulnerability with a CVSS score of 8.2. The bug is not related to Log4j and affects all versions prior to 3.24.0.126. It could lead to privilege escalation, data manipulation, or denial of service. The update is installed automatically when the program is launched.
GeForce Experience helps update drivers and optimize game settings. However, users can download drivers directly from the NVIDIA website and install them manually. Thus, if the program is not used for gaming functions, it can be uninstalled to reduce potential risks.