NV License Server + log4j

Hi,

Can't find anything on this topic, although it should be here:

The License Server is affected, correct? Any mitigations done?

Security Notice: NVIDIA Response to Log4j Vulnerability (CVE-2021-44228) - December 2021 | NVIDIA (custhelp.com)

Additionally:
Log4j Java Vulnerability (CVE-2021-44228) for Legacy vGPU Software License Server (nvidia.com)

You’ll also need to follow their instructions to remove the JNDILookup class in the following files.
C:\NVIDIA\LicenseServer\Tomcat\webapps\licserver.war
C:\NVIDIA\LicenseServer\ui\licserver.war

Any information on where I can find docs for removal of the JNDILookup class from licserver.war files?

Log4j Java Vulnerabilities for Legacy vGPU Software License Server (nvidia.com)

From the article -

Note: Mitigation steps are updated on Dec 23rd, 2021 to address recently reported new CVE-2021-45105, so if you used the previous mitigation steps (deleting JndiLookup class), it does not address CVE-2021-45105.

Hi,

I have already followed https://enterprise-support.nvidia.com/s/article/Log4j-Java-Vulnerability-CVE-2021-44228-for-vGPU-Legacy-License-Server to upgrade log4j to 2.17.1.

But when I use the log4shell tool (Release v1.0.0-log4shell · lunasec-io/lunasec · GitHub) to check log4j, the result shows that the path argument in /opt/flexnetls/nvidia/ still includes log4j 2.14.

I have already searched my license server; there is no log4j-core-2.14.0.jar.
Does this path still work? Or in which way can I fix this?

Thanks for the help.