NVIDIA has issued a security alert outlining which of its products are vulnerable to Log4Shell, a vulnerability used in attacks throughout the world. After a comprehensive investigation, NVIDIA found that the Log4j vulnerabilities don't affect these products:
- GeForce Experience client software
- GPU Display Drivers for Windows
- GeForceNOW client software
- SHIELD TV
- L4T Jetson Products
Although NVIDIA consumer apps are unaffected, several NVIDIA corporate applications using Apache Log4j must be updated:
- Versions 2.x, 3.x, and 4.0.x of NetQ are vulnerable to CVE-2021-33228, CVE-2021-45046, and CVE-2021-45105. Therefore, users should upgrade to NetQ 4.1.0 or later.
- CVE-2021-33228 and CVE-2021-45046 affect versions 2021.07 and 2020.05 of the vGPU Software License Server. In these situations, it is advised to follow this mitigation guide.
- Versions of Nsight Eclipse Edition before 11.0 are vulnerable to CVE-2021-33228 and CVE-2021-45046, which have been resolved in 11.0 and later.
NVIDIA also notes that the CUDA Toolkit Visual Profiler contains Log4j files, but the application does not use them. In January 2022, an updated version will be issued that removes these files.
“Log4j is included in CUDA Toolkit. However, it is not being used, and there is no risk to users who have the Log4j files,” clarifies NVIDIA’s security notice.
“Because they are not being used, an update is being prepared to remove the Log4j files from CUDA Toolkit. If concerned, customers can safely delete the files as a mitigation.”
Finally, DGX systems do not include the Log4j library by default, but NVIDIA advises that some users may have installed it themselves. In these circumstances, users should upgrade to the most recent library version or uninstall it entirely. NVIDIA's investigation is still underway, and it is looking into any products or services that were not approved.
In contrast, AMD, the other main competitor in the GPU industry, has stated that the Log4Shell attack has not affected any of its devices. Unfortunately, many additional products are susceptible. Therefore, all businesses, particularly those using software exposed to the Internet, should thoroughly assess their vulnerable software. Threat actors exploit the Log4Shell vulnerability to propagate ransomware laterally through networks. Thus, even vulnerable internal apps need to be upgraded.
NVIDIA has also published a security update for the NVIDIA GeForce Experience program, which addresses CVE-2021-23175 (CVSS v3 score: 8.2), a flaw unrelated to Log4j. This weakness is a user authorization issue that can result in privilege escalation, data manipulation, and denial of service. This high-severity bug affects all versions before 220.127.116.11. An automatic update is triggered when the software is launched.
GeForce Experience is a companion program that assists users in updating their GPU drivers, optimizing gaming settings, and more. However, users may download driver updates directly from the NVIDIA website and manually install them. This implies that if you aren’t using the program for gaming performance benefits, you may safely delete it from your system and relieve yourself of one security concern for the time being.