Log4j2 Java Security Exploit Slams Intel, NVIDIA And Microsoft But Spares AMD
The Log4shell exploit in the widely-used Apache Log4j package has had just about every single sysadmin in the world working nights and weekends to desperately get their internet-facing servers updated. The problem isn't simply patching and updating Log4j itself—that was done before the problem even hit the mainstream. The problem is that Log4j is included as a component in thousands of applications, and to close the hole, those applications all have to be patched, too.
The list of vulnerable programs doesn't stop at the boundary of "programs coded in Java," either. Thanks in part to Java's inherently-platform-agnostic nature, Log4j has been included in everything from client-facing applications like Minecraft to operating system-level packages from Microsoft. Unsurprisingly, Intel and NVIDIA also have their own vulnerable packages to watch out for.
Starting with MS, the company is quick to assure partners that it "has not identified any exploitation of [its] enterprise services" through the Log4shell exploit. However, there's a fair bundle of Microsoft services that have security updates to mitigate the vulnerability. Included in the list is Minecraft, of course, but beyond that are a number of Azure services as well as the company's SQL server software. You can check out the list on Microsoft's advisory page.
For Intel's part, there's another pack of products to check for patches, although unfortunately, Chipzilla seems to have been a little slow on the draw getting updates out for most of its product matrix. Intel's QAT codec software, its system debugger package, the Intel Audio Development Kit, and several other software components are all in "Patch pending" status. Also, significant portions of the Intel oneAPI toolkits are apparently vulnerable, too. Intel says it recommends updating its products to the latest mitigated version, whenever that appears.
Over at NVIDIA, there seems to be a bit less cause for concern. In its advisory, Team Green immediately notes that its client-facing software—including the GeForce Experience app, its GeForce NOW client, the Jetson products, and the SHIELD TV—are all unaffected by the exploit. It does have some vulnerable packages elsewhere, though.
The CUDA Toolkit includes Log4j in both the Visual Profiler and Nsight Eclipse Edition, although apparently it is not used at all in the Visual Profiler and can simply be removed. Similarly, DGX OS doesn't include Log4j by default, but NVIDIA advises to check for it anyway, as it may have been included with third-party software. NVIDIA's NetQ and its VGPU software license server will both be affected and will require upgrading.
But what about team red? The house of Ryzen and Radeon put out a brief advisory about the Log4shell exploit, but amazingly, it simply says AMD hasn't identified any affected products. Hopefully that's because the company wasn't using Log4j, and not because it simply hasn't found any vulnerabilities.
