Learn about NVIDIA applications affected by the Log4j vulnerability, which was revealed by the company itself through a security consultant.
NVIDIA has released a security advisory detailing the products affected by the Log4Shell vulnerability that is currently being exploited in a wide variety of attacks around the world.
Find out which NVIDIA apps are affected by the Log4j vulnerability
After a thorough investigation, NVIDIA has concluded that the Log4j vulnerabilities do not affect the following products:
- GeForce Experience
- GeForce NOW client software
- GPU Monitor Drivers for Windows
- Jetson L4T Products
- Shield TV
While consumer NVIDIA applications are not affected, some NVIDIA enterprise applications include Apache Log4j and need to be updated:
- Nsight Eclipse Edition versions earlier than 11.0 are vulnerable to CVE-2021-33228 and CVE-2021-45046; the issues are fixed in version 11.0 and later.
- NetQ is vulnerable to CVE-2021-33228, CVE-2021-45046, and CVE-2021-45105 in versions 2.x, 3.x, and 4.0.x. As such, users are advised to upgrade to NetQ 4.1.0 or later.
- The vGPU License Server is affected by CVE-2021-33228 and CVE-2021-45046 in 2021.07 and 2020.05 Update 1. Best practice in these cases is to follow this mitigation guide.
NVIDIA also notes that the CUDA Toolkit Visual Profiler includes Log4j files, but the application does not use them. An updated version that removes these files is to be released in January 2022.
“Log4j is included in the CUDA toolkit. However, it is not used and there are no risks for users with Log4j files,” NVIDIA's security notice explains.
“Because they are not being used, an update is being prepared to remove Log4j files from the CUDA toolkit. If so, clients can safely delete the files as a mitigation.”
Finally, DGX systems do not come with the Log4j library by default, but NVIDIA warns that some users may have installed it themselves.
In such cases, users are advised to upgrade to the latest available version of the library or remove it completely.
An NVIDIA investigation is ongoing regarding any products or services that are not listed as affected or unaffected in the above lists.
On the other hand, the other major player in the GPU market, AMD, confirmed that none of its products are affected by Log4Shell exploitation.
Unfortunately, many other products are affected, so all organizations should conduct a full audit of their software for vulnerable components, especially software that is exposed to the Internet.
However, even vulnerable internal applications need to be updated, as threat actors use the Log4Shell vulnerability to move laterally across networks and spread ransomware.
Although not related to Log4j, NVIDIA has released a security update for NVIDIA GeForce Experience, addressing CVE-2021-23175 (CVSS v3 score: 8.2).
This vulnerability is a user authorization issue that may lead to privilege escalation, information disclosure, data breach, and denial of service.
All versions prior to version 3.24.0.126 are affected by this very serious bug. Launching the program triggers an automatic update.
GeForce Experience is a companion app that helps users update their GPU drivers, optimize game settings, etc. However, users can always get driver updates directly from the NVIDIA website and install them manually.
This means that if you do not use the app to improve gaming performance, you can safely remove it from your system and have one less security issue to deal with for now.