A Java vulnerability (Log4Shell) was recently discovered that is so severe it allows an attacker to remotely execute commands on the exploited machine. Tracked under CVE-2021-44228 by the National Institute of Standards and Technology (NIST), the vulnerability affects the logging library in Apache, a widely used, open-source server package. The vulnerability compromises any system that is accessible directly from a browser, mobile device, or application programming interface (or API) call.
While AMD has announced that its software products are safe from the exploit, Intel listed as many as nine applications that make use of Java that are currently vulnerable.
- Intel Audio Development Kit
- Intel Datacenter Manager
- Intel oneAPI sample browser plugin for Eclipse
- Intel System Debugger
- Intel Secure Device Onboard (mitigation available on GitHub)
- Intel Genomics Kernel Library
- Intel System Studio
- Computer Vision Annotation Tool maintained by Intel
- Intel Sensor Solution Firmware Development Kit
The exploit in Apache's Log4J service allows a hacker to trick the target server into downloading and running arbitrary (malicious) code hosted on a server the attacker controls, circumventing multiple layers of software security solutions. Crucially, the exploit doesn't require physical access to the system. It can be triggered through any server that has some sort of browser access. This explains why the vulnerability has been classified under the highest possible value of the "CVSS 3.0" guidelines: 10. Intel is currently at work providing updated versions of these applications that mitigate the vulnerability.
AMD has announced that after preliminary investigation, none of its products appear to be affected by the vulnerability. Considering its potential impact, however, AMD said it is "continuing its analysis."
Nvidia's situation is slightly more complex: if the latest releases of the services and subservices of each application are in use, then there is currently no known exploitable vulnerability. However, server managers don't always run the latest updates on their machines, and for those, the company lists four distinct products vulnerable to "Log4Shell" if outdated:
Further, Nvidia distributes its DGX enterprise computing systems with Ubuntu-Linux packages, and users can install Apache's Log4J functionality block by themselves. The systems are thus immune in their out-of-box configuration. In cases where the Log4J service was installed, however, Nvidia is prompting users to update the service to the latest version, which locks down the vulnerability.
As for Microsoft, the company has issued updates to two of its products targeting this vulnerability: its Azure Spring Cloud employs certain Log4J elements in the boot process, rendering it vulnerable to the exploits unless updated. Microsoft's Azure DevOps application has also received mitigations aiming to nullify the exploit.