Intel, Nvidia, Microsoft Vulnerable to Critical Java Exploit, AMD Unaffected


A Java vulnerability (Log4Shell) was recently discovered that is so severe it allows an attacker to remotely execute commands on the exploited machine. Tracked under CVE-2021-44228 by the National Institute of Standards and Technology (NIST), the vulnerability affects the logging library in Apache, a widely used, open-source server package. The vulnerability compromises any system that is accessible directly from a browser, mobile device, or application programming interface (or API) call.

While AMD has announced that its software products are safe from the exploit, Intel listed as many as nine applications that make use of Java that are currently vulnerable.

  • Intel Audio Development Kit
  • Intel Datacenter Manager
  • Intel oneAPI sample browser plugin for Eclipse
  • Intel System Debugger
  • Intel Secure Device Onboard (mitigation available on GitHub)
  • Intel Genomics Kernel Library
  • Intel System Studio
  • Computer Vision Annotation Tool maintained by Intel
  • Intel Sensor Solution Firmware Development Kit

The exploit in Apache's Log4J service allows a hacker to trick the target server into downloading and running arbitrary (malicious) code hosted on a server the attacker controls, circumventing multiple layers of software security solutions. Crucially, the exploit doesn't require physical access to the system. It can be triggered through any server that has some sort of browser access. This explains why the vulnerability has been classified under the highest possible value of the "CVSS 3.0" guidelines: 10. Intel is currently at work providing updated versions of these applications that mitigate the vulnerability.

AMD has announced that after preliminary investigation, none of their products appear to be affected by the vulnerability. Considering the potential impact of it, however, AMD said it is "continuing its analysis." 

Nvidia's situation is slightly more complex: If using the latest releases for the services and subservices of each application, then there is currently no known exploitable vulnerability. However, server managers don't always feature the latest updates on their machines, and for those, the company lists four distinct products vulnerable to "Log4Shell" if outdated:

Further, Nvidia distributes its DGX enterprise computing systems with Ubuntu-Linux packages, and users can install Apache's Log4J functionality block by themselves. The systems are thus immune in their out-of-box configuration. In cases where the Log4J service was installed, however, Nvidia is prompting users to update the service to the latest version, which locks down the vulnerability.
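The check this implies (is a copy of Log4J present, including one bundled inside an application archive, and is it older than the fixed release?) can be scripted. The following is an added example, not code from the article or from any vendor named in it; the sample archives, their version numbers and the minimum passed to `needs_update` are constructed placeholders, and the real minimum should come from the vendor's advisory.

```python
import io
import re
import zipfile

# Maven metadata file shipped inside a log4j-core artifact.
POM_SUFFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.3.1' or '2.3.1-beta' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def find_log4j_core(data, label, depth=0):
    """Yield (location, version) for each log4j-core copy in archive bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive: nothing to report
    with archive:
        for name in archive.namelist():
            if name.endswith(POM_SUFFIX):
                props = archive.read(name).decode("utf-8", "replace")
                found = re.search(r"^version=(.+)$", props, re.MULTILINE)
                yield label, found.group(1).strip() if found else "unknown"
            elif name.lower().endswith(NESTED_EXT) and depth < 4:
                # Bundled dependency: scan the inner archive in memory.
                yield from find_log4j_core(archive.read(name), f"{label}!/{name}", depth + 1)


def needs_update(data, label, minimum):
    """Return copies older than `minimum` or with no readable version."""
    floor = parse_version(minimum)
    return [(loc, ver) for loc, ver in find_log4j_core(data, label)
            if ver == "unknown" or parse_version(ver) < floor]


def make_zip(entries):
    """Build an archive in memory from {name: bytes}; used for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample; versions are placeholders, not advisory values.
OLD, NEW = (make_zip({POM_SUFFIX: b"version=" + v + b"\n"}) for v in (b"1.0.0", b"9.0.0"))
APP = make_zip({"BOOT-INF/lib/log4j-core.jar": OLD, "lib/current.jar": NEW, "README.txt": b"sample"})
```

To scan a real file, pass its bytes and path, for example `needs_update(open(path, "rb").read(), path, minimum)`.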

As for Microsoft, the company has issued updates to two of its products targeting this vulnerability: Its Azure Spring Cloud employs certain Log4J elements in the boot process, rendering it vulnerable to the exploits unless updated. Microsoft's Azure DevOps application too has received mitigations aiming to nullify the exploit. 

Francisco Pires
Freelance News Writer

Francisco Pires is a freelance news writer for Tom's Hardware with a soft side for quantum computing.

  • hotaru.hino
    Spectre and Meltdown days déjà vu?
    I find this subtitle disingenuous because the exploit concerns software vulnerabilities, not hardware flaws.
  • USAFRet
    hotaru.hino said:
    I find this subtitle disingenuous because the exploit concerns software vulnerabilities, not hardware flaws.
    And even then, AMD is subject to the same Meltdown/Spectre things.
    https://www.extremetech.com/computing/326558-all-amd-cpus-found-harboring-meltdown-like-security-flaw
    https://arstechnica.com/gadgets/2021/05/new-spectre-attack-once-again-sends-intel-and-amd-scrambling-for-a-fix/
  • dispersive.logic
    As the other commenters have pointed out, this article's title is total clickbait. Log4j is a software library that is used by virtually all Java applications whereas Meltdown, Spectre, etc are hardware vulnerabilities. It's not even apples-to-oranges, it's totally unrelated.
  • HyperMatrix
    As others have said....Article title is intentionally misleading clickbait.
  • hushnecampus
    Shameful journalism. Title makes it sound like people with AMD CPUs would be unaffected by log4shell, which is of course nonsense.
  • rluker5
    AMD's software is probably just too messed up to test. Can't exploit it if it crashes first.
  • Alex/AT
    USAFRet said:
    And even then, AMD is subject to the same Meltdown/Spectre things.
    Spectre variants yes, part of, but well, they are not even x86-specific. Meltdown no, purely Intel thing resulting from lack of privilege checks inside speculative path. L1TF is the same, purely Intel thing.
    There was a lot of "AMD Meltdown" <Mod Edit> from the very start to try to keep Intel marketing up, but it all basically boiled down to some 'minor Spectre variants' that work only in lab and under very specific (if not requiring complex setup) conditions.
    Meltdown and L1TF on the other hand were found easily and perfectly exploitable on almost any normal susceptible system, under most OS and hypervisors, under normal 'parallel load' execution conditions where exploit is not the only major process running.
  • Endymio
    HyperMatrix said:
    As others have said....Article title is intentionally misleading clickbait.
    Given some of the other factual inaccuracies in recent articles, I'm inclined to believe it's more an error of understanding, rather than an intentional act.