Pierluigi Paganini December 24, 2021

NVIDIA released a security advisory to inform customers what products are affected by the recently disclosed Log4Shell vulnerability.

NVIDIA has assessed its products to determine if they are vulnerable to the Log4shell vulnerability in Log4J library.

The company states that the following products are not impacted by the Log4j vulnerabilities:

• GeForce Experience client software
• GeForceNOW client software
• GPU Display Drivers for Windows
• L4T Jetson Products
• SHIELD TV

The security advisory published by the company confirms that the following NVIDIA products are affected by Log4J issues:

• CUDA Toolkit Visual Profiler and Nsight Eclipse Edition
• DGX Systems
• NetQ
• vGPU Software License Server

NVIDIA also informed customers that CUDA Toolkit Visual Profiler includes Log4j files, but the good news is that the application is not using the library.

“Log4j is included in CUDA Toolkit. However it is not being used and there is no risk to users who have the Log4j files. Because they are not being used, an update is being prepared to remove the Log4j files^[1] from CUDA Toolkit. If concerned, customers can safely delete the files as a mitigation.” reads the security advisory.

According to the advisory, by default, DGX systems are not impacted by the flaw because DGX OS releases did not include the Log4j. However, users can install the flawed library as additional software.

Users are recommended to update their installs to the latest available version of the library, another option consists in removing it.

NVIDIA is still investigating the impact of the Log4J flaws in its products and services.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, NVIDIA)

[adrotate banner=”5″]

[adrotate banner=”13″]