If you have any questions about this security notice, contact NVIDIA Support. Added information about CVE‑2021‑45105 for DGX OS.Īdded a section for unaffected product list and included CVE‑2021‑45105 in this response. Added remediation update information about CVE-2021-45105 for NETQ.Īdded update information for CUDA Toolkit and included CVE‑2021‑45046 in this response.Īdded update information for DGX OS Software and mitigation information for the vGPU software license server. Added information about CVE‑2021‑45105 for vGPU software license serverĪdded GPU display driver for Linux and networking products to the list of products that are not impacted.Īdded GPU Display Driver for Windows to the list of products that are not impacted. Revision History RevisionĪdded information about CUDA Toolkit updatesĪdded NVIDIA Maxine and Broadcast products to the list of products that are not impacted. To learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT), see the current list of NVIDIA security bulletins, or subscribe to security bulletin notifications, go to NVIDIA Product Security. Get the Most Up to Date Product Security Information VGPU Software License Server CVE IDs AddressedĪpply the mitigation described in Log4j Java Vulnerability (CVE-2021-44228 and CVE-2021-45046) for Legacy vGPU Software License Server in the NVIDIA knowledge base. If you are a SaaS customer, you should also upgrade OPTA servers to 4.1.0. Upgrade on-premises telemetry servers to the 4.1.0 release by following NetQ Upgrade Guide. Liblog4j2-java 2.10.0-2 and prior versionsįor more information about this issue, refer to the Log4Shell page on the Ubuntu wiki. $ sudo apt full-upgrade CVE IDs AddressedĭGX-1, DGX-2, DGX A100, DGX Station, DGX Station A100 If a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed, run the following commands to get the updated version: To check if a version of the liblog4j2-java library built from a vulnerable apache-log4j2 source package is installed on your system, run the following command:įixes to address this issue are available from Canonical in the updated versions listed in the following table. NVIDIA did not include the Log4j Java library in its DGX OS releases, but this library might have been installed by a user as additional software. For example: /usr/local/cuda/libnsight/plugins/_1.9.2.v201404171502/lib/ant-apache-log4j.jar DGX Systemsīy default, DGX systems are not exposed to this issue. For example: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.5\libnvvp\plugins\_1.9.2.v201404171502\lib\ant-apache-log4j.jar If concerned, customers can safely delete the files as a mitigation. ![]() Because they are not being used, an update is being prepared to remove the Log4j files from CUDA Toolkit 10.2 updates. However it is not being used and there is no risk to users who have the Log4j files. Update to an Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or laterĪlternatively, note that Log4j is included in CUDA Toolkit 10.2 and earlier. Updates for version 10.2 will be available in February 2022. Nsight Eclipse Plugins Edition in CUDA Toolkit version 11.0 or later Nsight Eclipse Edition in CUDA Toolkit prior to version 11.0 Because they are not being used, an update is being prepared to remove the Log4j files from CUDA Toolkit. Visual Profiler in CUDA Toolkit version 11.5 and prior versionsĬUDA Toolkit updates 11.5.2 and 11.4.4 will be available in February 2022. CUDA Toolkit Visual Profiler and Nsight Eclipse EditionĬUDA Toolkit Visual Profiler and Nsight Eclipse Edition CVE IDs Addressed.The following sections list the NVIDIA products affected, versions affected, and the updated versions available or mitigations that require customer action. All Networking products (except for NetQ, which is one of the remediated NVIDIA products).GPU Display Drivers for Windows and Linux.NVIDIA’s products or services that are not listed below are undergoing investigation. NVIDIA is continuing its investigations and will update this list as new information becomes available. The following products have been analyzed by NVIDIA and are not vulnerable or impacted by this issue. ![]() ![]() This page will be updated when any additional information becomes available regarding this issue. NVIDIA is aware of these vulnerabilities and is evaluating their potential impact and relevance to its products and services. The CVE IDs of these vulnerabilities are as follows:
0 Comments
Leave a Reply. |