Recently, a Java vulnerability (Log4Shell) was discovered that allows an attacker to remotely execute commands on the exploited machine. The vulnerability affects the logging library in Apache, a widely used open-source server package, and is tracked by the National Institute of Standards and Technology (NIST) as CVE-2021-44228. Any system that can be accessed directly from a browser, mobile device, or application programming interface (API) call is vulnerable.
While AMD has stated that it’s software products are not vulnerable to the exploit, Intel has listed as many as nine Java-based applications that are currently vulnerable.
- Intel Audio Development Kit
- Intel Datacenter Manager
- Intel one API sample browser plugin for Eclipse
- Intel System Debugger
- Intel Secure Device Onboard (mitigation available on GitHub)
- Intel Genomics Kernel Library
- Intel System Studio
- Computer Vision Annotation Tool maintained by Intel
- Intel Sensor Solution Firmware Development Kit
The vulnerability in Apache’s Log4J service allows a hacker to fool the target server into downloading and running arbitrary (malicious) code hosted on a server controlled by the attacker, bypassing numerous levels of software security protections. Importantly, the exploit does not necessitate physical access to the computer. It can be triggered by any server that has access to the internet. This explains why the vulnerability was rated at the highest level possible under the “CVSS 3.0” guidelines: 10. Intel is presently working on releasing updated versions of these applications that address the flaw.
AMD has stated that no of its products appear to be affected by the issue following early analysis. However, AMD stated that it is “continuing its analysis” in light of the potential implications.
The situation at Nvidia is a little more complicated: There is currently no known exploitable vulnerability when using the most recent releases for each application’s services and sub-services. However, server administrators may not always have the most recent updates installed on their machines, and the company has identified four products that are vulnerable to “Log4Shell” if they are out of date:
- CUDA Toolkit Visual Profiler and Nsight Eclipse Edition
- DGX Systems
- vGPU Software License Server
Furthermore, Nvidia distributes Ubuntu-Linux packages with its DGX enterprise computing systems, and users can install Apache’s Log4J capability block on their own. As a result, the systems are immune in their out-of-the-box state. However, in circumstances where the Log4J service was installed, Nvidia is advising customers to update it to the most recent version, which closes the hole.
Microsoft has released updates for two of its products that address this vulnerability: Certain Log4J elements are used in the boot process of the Azure Spring Cloud, making it vulnerable to exploits unless updated. Microsoft’s Azure DevOps application has also been patched to prevent the hack from being used.