AUTODESK TRUST CENTER

Security advisory

Advisories are used to communicate information about vulnerabilities identified in Autodesk® products and services, including any fixes or workarounds that apply to the affected product.

Apache Log4j Vulnerabilities: Impact on Autodesk Products

Autodesk ID: ADSK-SA-2021-0012
Product, Service, Component: Autodesk Products & Services
Impact: Code Execution
Severity: Critical
Original Publish: 12/23/2021
Last Revised: 1/26/2022

Severity scale

Severity | CVSS 3.0 score | Impact
Low | 0.1 - 3.9 | A vulnerability whose scope and impact are restricted and which is extremely difficult to exploit.
Medium | 4.0 - 6.9 | A vulnerability whose exploitation is mitigated by factors such as difficulty of exploitation, default configuration or ease of identification.
High | 7.0 - 8.9 | A vulnerability which, if exploited, would directly impact the confidentiality, integrity or availability of the user's data or processing resources.
Critical | 9.0 - 10 | A vulnerability which, if exploited, would allow remote execution of malicious code without user action.

Summary

Autodesk is aware of the Apache Log4j security vulnerabilities. We have protection and defense strategies in place to identify and remediate any impacted Autodesk products, services or systems as the need arises.

Our investigation identified one product that requires customers to apply a patch: Autodesk InfraWorks Traffic Simulation (desktop). As of January 26, 2022, hotfixes are available for each affected release; see the product table below for the hotfix that applies to each version. We strongly recommend that customers apply the hotfix for their release. All other Autodesk products and services listed below have either been mitigated or were not vulnerable.

Description

The details of the vulnerabilities are as follows:

1) CVE-2021-44228 (Log4j 2.0-beta9 through 2.14.1; fixed in 2.15.0): the JNDI lookup feature allows anyone who can control log messages or log message parameters to make Log4j load and execute arbitrary code from an attacker-controlled LDAP (or other JNDI) server reachable over the network. No user action is required, which is why this advisory is rated Critical.

2) CVE-2021-45046 (fixed in 2.16.0): the fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete in certain non-default configurations, for example a pattern layout that includes a Thread Context Map lookup such as $${ctx:loginId}. An attacker who controls Thread Context Map data can still trigger a JNDI lookup, which can lead to remote code execution.

3) CVE-2021-45105 (fixed in 2.17.0): Log4j 2.16.0 and earlier did not protect against uncontrolled recursion from self-referential lookups. An attacker with control over Thread Context Map data can supply a crafted string that, when interpreted, causes a StackOverflowError and a denial of service.

4) CVE-2021-44832 (fixed in 2.17.1): the JDBC Appender can be configured with a data source that references a JNDI URI, so an attacker who is able to modify the logging configuration file can cause remote code to be loaded and executed. Unlike the first two issues, this one requires write access to the logging configuration rather than control over logged content.

For the table below:

  • “Mitigated” means that the product/service has been patched, or that the appropriate mitigation steps have been taken to minimize the risk to customers and their data.
  • “Not Vulnerable” means that the product/service does not use the vulnerable Apache Log4j libraries.
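Deciding which of these two statuses applies to your own deployment starts with finding the log4j-core jars actually shipped and reading their versions. The script below is an added example, not part of this advisory or of any Autodesk product. It walks a directory tree, opens each jar/war/ear (including jars nested inside other archives), reads the version from the pom.properties that Maven embeds in log4j-core, maps it against the fix releases for the four CVEs above, and records whether JndiLookup.class has been removed, which is the Apache-documented mitigation for the two JNDI lookup issues but not for the other two. The demo() function builds constructed fixture archives in a temporary directory; the fix-version table reflects the Apache Log4j security releases (2.15.0, 2.16.0, 2.17.0, 2.17.1 and the 2.12.x and 2.3.x backport lines) as known to me, not anything this advisory states.

```python
"""Triage Log4j 2 jars on disk against the four CVEs in this advisory.

Added example, not Autodesk tooling. Fixtures built by demo() are constructed.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed release per CVE on the main line, the 2.12.x (Java 7) backport line
# and the 2.3.x (Java 6) backport line, per the Apache Log4j security releases.
FIXED_IN = {
    "CVE-2021-44228": ((2, 15, 0), (2, 12, 2), (2, 3, 1)),
    "CVE-2021-45046": ((2, 16, 0), (2, 12, 2), (2, 3, 1)),
    "CVE-2021-45105": ((2, 17, 0), (2, 12, 3), (2, 3, 1)),
    "CVE-2021-44832": ((2, 17, 1), (2, 12, 4), (2, 3, 2)),
}
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '-beta9' are dropped; every
    2.0 beta/RC was affected, so that simplification does not hide anything."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def affected_cves(version):
    """CVE IDs from this advisory that a log4j-core of this version is affected by."""
    if version is None or version[0] != 2:
        return []  # Log4j 1.x is out of scope for these four CVEs (it has separate, unrelated issues)
    line = version[:2]
    cves = []
    for cve, (main, java7, java6) in FIXED_IN.items():
        fixed_at = java7 if line == (2, 12) else java6 if line == (2, 3) else main
        if version < fixed_at:
            cves.append(cve)
    return cves


def inspect_archive(data, name, findings, prefix=""):
    """Recursively inspect an archive (bytes); append one finding per log4j-core found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines()
            version = next((parse_version(ln.split("=", 1)[1]) for ln in props if ln.startswith("version=")), None)
            cves = affected_cves(version)
            jndi_present = JNDI_LOOKUP_CLASS in names
            if not jndi_present:
                # Deleting JndiLookup.class neutralises the JNDI lookups (44228/45046) but
                # does nothing for the recursion DoS (45105) or the JDBC appender (44832).
                cves = [c for c in cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
            findings.append({"path": prefix + name, "version": version,
                             "jndi_lookup_present": jndi_present, "cves": cves})
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_SUFFIXES):      # fat jars, WARs, EARs
                try:
                    inspect_archive(zf.read(entry), entry, findings, prefix + name + "!/")
                except zipfile.BadZipFile:
                    pass                                        # an entry named *.jar that is not a zip
    return findings


def scan_tree(root):
    """Scan every archive under `root` and return the findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                inspect_archive(path.read_bytes(), path.name, findings)
            except zipfile.BadZipFile:
                pass
    return findings


def core_jar_bytes(version, include_jndi_lookup):
    """Constructed fixture: a minimal archive with the file layout of a real log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\ngroupId=org.apache.logging.log4j\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic; contents are irrelevant here
    return buf.getvalue()


def demo():
    """Build constructed fixtures in a temp dir, scan them, and return findings keyed by path."""
    root = Path(tempfile.mkdtemp())
    (root / "log4j-core-2.14.1.jar").write_bytes(core_jar_bytes("2.14.1", True))
    (root / "patched-log4j-core-2.14.1.jar").write_bytes(core_jar_bytes("2.14.1", False))
    (root / "log4j-core-2.17.1.jar").write_bytes(core_jar_bytes("2.17.1", True))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.12.2.jar", core_jar_bytes("2.12.2", True))
        zf.writestr("WEB-INF/lib/commons-io-2.11.0.jar", b"not a zip")
    (root / "app.war").write_bytes(war.getvalue())
    return {f["path"]: f for f in scan_tree(root)}


if __name__ == "__main__":
    for path, f in demo().items():
        print(f"{path}: version={f['version']} JndiLookup={'present' if f['jndi_lookup_present'] else 'removed'} {f['cves'] or 'not affected'}")
```

A jar whose version cannot be read (no pom.properties, as in some shaded or repackaged builds) produces no finding, so an inventory with vendor-bundled copies should add a second check, for example a hash of JndiLookup.class, before concluding that nothing is present.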

Autodesk Products and Services Status:

Product | Remediation Status
AutoCAD | Not Vulnerable
AutoCAD LT | Not Vulnerable
AutoCAD Architecture | Not Vulnerable
AutoCAD Electrical | Not Vulnerable
AutoCAD Mechanical | Not Vulnerable
AutoCAD Map3D | Not Vulnerable
AutoCAD MEP | Not Vulnerable
AutoCAD Mobile App | Mitigated
AutoCAD Web App | Not Vulnerable
AutoCAD Online Services | Mitigated
AutoCAD Plant 3D | Not Vulnerable
Autodesk Advance Steel | Not Vulnerable
3ds MAX | Not Vulnerable
3ds MAX Interactive | Not Vulnerable
3ds MAX Design | Not Vulnerable
ACC Doc View | Not Vulnerable
ACC Insight | Not Vulnerable
Alias | Not Vulnerable
Autodesk App Store | Not Vulnerable
Arnold | Not Vulnerable
Assemble | Not Vulnerable
Autodesk Account Portal | Mitigated
Autodesk ADP | Not Vulnerable
Autodesk CFD | Not Vulnerable
Autodesk Docs | Mitigated
Autodesk Drive | Not Vulnerable
Autodesk Gallery | Not Vulnerable
Autodesk Rendering | Not Vulnerable
Autodesk Takeoff | Not Vulnerable
Autodesk Tandem | Not Vulnerable
Autodesk Viewer | Not Vulnerable
Autodesk Partner Web Services (PWS) | Not Vulnerable
AVA | Mitigated
BIM 360 Account Administration | Not Vulnerable
BIM 360 Build | Mitigated
BIM 360 Cost Management | Not Vulnerable
BIM 360 Collaborate | Not Vulnerable
BIM 360 Collaborate Pro | Not Vulnerable
BIM 360 Design Collaboration | Not Vulnerable
BIM 360 Docs | Mitigated
BIM 360 Mobile | Mitigated
BIM 360 Model Coordination | Not Vulnerable
BIM 360 Field | Not Vulnerable
BIM 360 Glue | Not Vulnerable
BIM 360 Insight | Not Vulnerable
BIM 360 IQ | Not Vulnerable
BIM 360 Ops | Not Vulnerable
BIM 360 Plan | Mitigated
BIM 360 Project Management | Not Vulnerable
BIM 360 Reports | Mitigated
BIM 360 Team Mobile | Mitigated
Build | Not Vulnerable
BuildingConnected | Not Vulnerable
BuildingConnected Pro | Not Vulnerable
CER v2 Services | Not Vulnerable
CAMplete | Not Vulnerable
Civil 3D | Not Vulnerable
Civil 3D Online Services | Not Vulnerable
Cloud Rendering | Not Vulnerable
Collaboration for AutoCAD Plant 3D | Not Vulnerable
Configurator 360 | Not Vulnerable
Constructware | Not Vulnerable
Autodesk Design Review | Not Vulnerable
Autodesk Desktop App | Not Vulnerable
Autodesk Desktop Connector | Not Vulnerable
Dynamo Machine Learning | Not Vulnerable
Dynamo Package Manager | Not Vulnerable
Dynamo Studio | Not Vulnerable
DWG Trueview | Not Vulnerable
Eagle | Not Vulnerable
Fabrication | Not Vulnerable
Factory Design Utilities | Not Vulnerable
FBX | Not Vulnerable
FeatureCAM | Not Vulnerable
Flame | Not Vulnerable
Forge - Data Management API | Not Vulnerable
Forge - Design Automation API | Mitigated
Forge - Reality Capture API | Not Vulnerable
Forge - Model Derivative API | Mitigated
Forge - Token Flex API | Mitigated
Formit | Not Vulnerable
Fusion 360 | Mitigated
Fusion 360 Desktop | Not Vulnerable
Fusion 360 Manage | Mitigated
Fusion 360 Mobile | Mitigated
Fusion Online | Not Vulnerable
Fusion Simulation | Not Vulnerable
Generative Design | Mitigated
Grading Optimization for Civil 3D | Not Vulnerable
HDS | Not Vulnerable
Healthhub | Not Vulnerable
Helius Composite | Not Vulnerable
Helius PFA | Not Vulnerable
HSMWorks | Not Vulnerable
Infrastructure Parts Editor | Not Vulnerable
InfraWorks | Not Vulnerable
InfraWorks Traffic Simulation desktop | Hotfix available: 2022.1 Hotfix 3, 2022.0 Hotfix 4, 2021.2 Hotfix 5, 2020.2 Hotfix 5, 2019.3 Hotfix 6 (update source: Autodesk Desktop App or Autodesk Account Portal)
InfraWorks Translation Service | Mitigated
Insight | Not Vulnerable
Instructables | Mitigated
Innovyze Licensing Manager | Not Vulnerable
InfoWater Pro | Not Vulnerable
InfoWorks ICM | Not Vulnerable
InfoWorks WS Pro | Not Vulnerable
InfoDrainage | Not Vulnerable
MicroDrainage | Not Vulnerable
InfoAsset Manager | Not Vulnerable
InfoAsset Mobile | Not Vulnerable
InfoAsset Online | Not Vulnerable
Inventor | Not Vulnerable
Inventor CAM | Not Vulnerable
Inventor ETO | Not Vulnerable
Inventor Nastran | Not Vulnerable
Inventor Nesting | Not Vulnerable
Materials 360 | Not Vulnerable
Maya | Not Vulnerable
Maya LT | Not Vulnerable
Autodesk Meshmixer | Not Vulnerable
Moldflow | Not Vulnerable
MotionBuilder | Not Vulnerable
Mudbox | Not Vulnerable
Navisworks | Not Vulnerable
Navisworks Simulate | Not Vulnerable
Network Licensing Manager (NLM) | Not Vulnerable
Network Licensing Reporting Manager (NLRM) | Not Vulnerable
Network Licensing Reporting Service (NLRS) | Not Vulnerable
Netfabb | Not Vulnerable
Plangrid | Not Vulnerable
Plant Collaboration Services (based on BIM 360 Team) | Not Vulnerable
Point Layout | Not Vulnerable
PowerInspect | Not Vulnerable
Powermill | Not Vulnerable
Powershape | Not Vulnerable
Project Explorer for Civil 3D | Not Vulnerable
Pype | Mitigated
ReCap Pro | Not Vulnerable
ReCap Services | Not Vulnerable
Revit | Not Vulnerable
Revit LT | Not Vulnerable
Revit Cloud Model Upgrade | Not Vulnerable
Revit Cloud Worksharing / Cloud Models | Not Vulnerable
Robot Structural Analysis | Not Vulnerable
Shotgrid | Not Vulnerable
Smoke | Not Vulnerable
Spacemaker | Not Vulnerable
Structural Bridge Design | Not Vulnerable
Tinkercad | Not Vulnerable
Tradetapp | Not Vulnerable
Trucomposites | Not Vulnerable
Upchain | Mitigated
Vault | Not Vulnerable
Vehicle Tracking | Not Vulnerable
VRED | Not Vulnerable
Within Medical | Not Vulnerable

*Note: Product list table contents subject to change.

Recommendations

Autodesk strongly recommends that customers of the affected product obtain and apply the latest hotfix for InfraWorks Traffic Simulation via the Autodesk Desktop App or the Autodesk Account Portal. Customers running an affected version should install the hotfix that matches their release (listed in the product table above) so that the patched software is in use.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

Protecting our customers’ data is our top priority. Learn more about our security and data privacy practices on the Autodesk Trust Center.

Revision History

Revision | Date | Description
1.0 | 12/23/2021 | Initial release of the security advisory
1.1 | 1/21/2022 | Updated the Description and the affected-product table
1.2 | 1/26/2022 | Updated the Description and the affected-product table for InfraWorks Traffic Simulation

Disclaimer

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.

© 2022, Autodesk, Inc.
